Saturday, April 5. 2014
Kerberos, Apache 2.4 and Solaris 10 (Part I)
Comments
Display comments as
(Linear | Threaded)
Thanks for the post it was quite helpful.
I'm trying to accomplish the same thing but with apache 2.2. Managed to compile successfully using your suggestions but the httpd process aborts as soon as I attempt to access a secured directory and does not log any messages other than segmentation fault.
I was thinking it was because it couldn't find a library but ldd -r on mod_auth_kerb.so reveals the following and I think these are all defined in httpd.
usvvolnd1:/opt/apache/httpd-2.2.22/conf> ldd -r /opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so
libgssapi_krb5.so.2 => /opt/apache/httpd-2.2.22/lib/libgssapi_krb5.so.2
libkrb5.so.3 => /opt/apache/httpd-2.2.22/lib/libkrb5.so.3
libk5crypto.so.3 => /opt/apache/httpd-2.2.22/lib/libk5crypto.so.3
libcom_err.so.3 => /opt/apache/httpd-2.2.22/lib/libcom_err.so.3
libaprutil-1.so.0 => /opt/apache/httpd-2.2.22/lib/libaprutil-1.so.0
libapr-1.so.0 => /opt/apache/httpd-2.2.22/lib/libapr-1.so.0
libresolv.so.2 => /lib/libresolv.so.2
libc.so.1 => /lib/libc.so.1
libkrb5support.so.0 => /opt/apache/httpd-2.2.22/lib/libkrb5support.so.0
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libexpat.so.0 => /opt/apache/httpd-2.2.22/lib/libexpat.so.0
libuuid.so.1 => /lib/libuuid.so.1
libsendfile.so.1 => /lib/libsendfile.so.1
librt.so.1 => /lib/librt.so.1
libpthread.so.1 => /lib/libpthread.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libaio.so.1 => /lib/libaio.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
symbol not found: ap_set_file_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_string_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
/platform/SUNW,SPARC-Enterprise/lib/libc_psr.so.1
symbol not found: ap_log_rerror (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_pbase64decode (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_getword_nulls_nc (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_get_server_name (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_find_token (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_getword_white (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_auth_name (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_auth_type (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_add_version_component (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_hook_post_config (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_hook_check_user_id (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
libm.so.2 => /lib/libm.so.2
Does you compiled mod_auth_kerb.so exhibit the same behaviour?
Do you have any suggestions as to what might be wrong?
I'm trying to accomplish the same thing but with apache 2.2. Managed to compile successfully using your suggestions but the httpd process aborts as soon as I attempt to access a secured directory and does not log any messages other than segmentation fault.
I was thinking it was because it couldn't find a library but ldd -r on mod_auth_kerb.so reveals the following and I think these are all defined in httpd.
usvvolnd1:/opt/apache/httpd-2.2.22/conf> ldd -r /opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so
libgssapi_krb5.so.2 => /opt/apache/httpd-2.2.22/lib/libgssapi_krb5.so.2
libkrb5.so.3 => /opt/apache/httpd-2.2.22/lib/libkrb5.so.3
libk5crypto.so.3 => /opt/apache/httpd-2.2.22/lib/libk5crypto.so.3
libcom_err.so.3 => /opt/apache/httpd-2.2.22/lib/libcom_err.so.3
libaprutil-1.so.0 => /opt/apache/httpd-2.2.22/lib/libaprutil-1.so.0
libapr-1.so.0 => /opt/apache/httpd-2.2.22/lib/libapr-1.so.0
libresolv.so.2 => /lib/libresolv.so.2
libc.so.1 => /lib/libc.so.1
libkrb5support.so.0 => /opt/apache/httpd-2.2.22/lib/libkrb5support.so.0
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libexpat.so.0 => /opt/apache/httpd-2.2.22/lib/libexpat.so.0
libuuid.so.1 => /lib/libuuid.so.1
libsendfile.so.1 => /lib/libsendfile.so.1
librt.so.1 => /lib/librt.so.1
libpthread.so.1 => /lib/libpthread.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libaio.so.1 => /lib/libaio.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
symbol not found: ap_set_file_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_string_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_set_flag_slot (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
/platform/SUNW,SPARC-Enterprise/lib/libc_psr.so.1
symbol not found: ap_log_rerror (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_pbase64decode (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_getword_nulls_nc (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_get_server_name (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_find_token (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_getword_white (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_auth_name (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_auth_type (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_add_version_component (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_hook_post_config (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
symbol not found: ap_hook_check_user_id (/opt/apache/httpd-2.2.22/modules/mod_auth_kerb.so)
libm.so.2 => /lib/libm.so.2
Does you compiled mod_auth_kerb.so exhibit the same behaviour?
Do you have any suggestions as to what might be wrong?
Hi Ricky
I'm trying to repeat the steps you describe in your guide but I'm stuck in step 6. I've patched the module many times using each time a patch from a different source but no luck I'm not able to compile the module. I have to mention that I'm running Solaris 11.2 and I picked up the most current releases of all the needed software packages.
Here's the output produced by make:
$ make
./apxs.sh "-I. -Ispnegokrb5 -I/u00/oracle/orabase/product/apache2.4.10/include " "-L/u00/oracle/orabase/product/apache2.4.10/lib -R/u00/oracle/orabase/product/apache2.4.10/lib -m64 -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" "" "/u00/oracle/orabase/product/apache2.4.10/bin/apxs" "-c" "src/mod_auth_kerb.c"
/u00/oracle/orabase/product/apache2.4.10/build/libtool --silent --mode=compile cc -prefer-pic -DSOLARIS2=11 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOURCE -g -I/u00/oracle/orabase/product/apache2.4.10/include -I/u00/oracle/orabase/product/apache2.4.10/include -I/u00/oracle/orabase/product/apache2.4.10/include -I. -Ispnegokrb5 -I/u00/oracle/orabase/product/apache2.4.10/include -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
"src/mod_auth_kerb.c", line 211: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 214: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 217: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 220: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 223: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 226: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 229: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 238: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 241: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 244: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 247: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 1045: warning: argument #8 is incompatible with prototype:
prototype: pointer to char : "src/mod_auth_kerb.c", line 693
argument : pointer to const char
"src/mod_auth_kerb.c", line 1752: warning: implicit function declaration: krb5_rc_resolve_full
"src/mod_auth_kerb.c", line 1756: warning: implicit function declaration: krb5_rc_destroy
/u00/oracle/orabase/product/apache2.4.10/build/libtool --silent --mode=link cc -o src/mod_auth_kerb.la -L/u00/oracle/orabase/product/apache2.4.10/lib -R/u00/oracle/orabase/product/apache2.4.10/lib -m64 -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -rpath /u00/oracle/orabase/product/apache2.4.10/modules -module -avoid-version src/mod_auth_kerb.lo
ld: fatal: file src/.libs/mod_auth_kerb.o: wrong ELF class: ELFCLASS32
apxs:Error: Command failed with rc=131072
.
*** Error code 1
make: Fatal error: Command failed for target `src/mod_auth_kerb.so'
Any help would be greatly appreciated.
Regards
Daniel
I'm trying to repeat the steps you describe in your guide but I'm stuck in step 6. I've patched the module many times using each time a patch from a different source but no luck I'm not able to compile the module. I have to mention that I'm running Solaris 11.2 and I picked up the most current releases of all the needed software packages.
Here's the output produced by make:
$ make
./apxs.sh "-I. -Ispnegokrb5 -I/u00/oracle/orabase/product/apache2.4.10/include " "-L/u00/oracle/orabase/product/apache2.4.10/lib -R/u00/oracle/orabase/product/apache2.4.10/lib -m64 -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" "" "/u00/oracle/orabase/product/apache2.4.10/bin/apxs" "-c" "src/mod_auth_kerb.c"
/u00/oracle/orabase/product/apache2.4.10/build/libtool --silent --mode=compile cc -prefer-pic -DSOLARIS2=11 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOURCE -g -I/u00/oracle/orabase/product/apache2.4.10/include -I/u00/oracle/orabase/product/apache2.4.10/include -I/u00/oracle/orabase/product/apache2.4.10/include -I. -Ispnegokrb5 -I/u00/oracle/orabase/product/apache2.4.10/include -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
"src/mod_auth_kerb.c", line 211: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 214: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 217: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 220: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 223: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 226: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 229: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 238: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 241: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 244: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 247: warning: initialization type mismatch
"src/mod_auth_kerb.c", line 1045: warning: argument #8 is incompatible with prototype:
prototype: pointer to char : "src/mod_auth_kerb.c", line 693
argument : pointer to const char
"src/mod_auth_kerb.c", line 1752: warning: implicit function declaration: krb5_rc_resolve_full
"src/mod_auth_kerb.c", line 1756: warning: implicit function declaration: krb5_rc_destroy
/u00/oracle/orabase/product/apache2.4.10/build/libtool --silent --mode=link cc -o src/mod_auth_kerb.la -L/u00/oracle/orabase/product/apache2.4.10/lib -R/u00/oracle/orabase/product/apache2.4.10/lib -m64 -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv -rpath /u00/oracle/orabase/product/apache2.4.10/modules -module -avoid-version src/mod_auth_kerb.lo
ld: fatal: file src/.libs/mod_auth_kerb.o: wrong ELF class: ELFCLASS32
apxs:Error: Command failed with rc=131072
.
*** Error code 1
make: Fatal error: Command failed for target `src/mod_auth_kerb.so'
Any help would be greatly appreciated.
Regards
Daniel
Hi Daniel,
In this entry everything is compiled in 32 bits, but it seems apache in your environment is 64 bits. That seems the reason for the complaint about ELFCLASS32 when linking against kerberos library (krb5 libs are 32b, apache 64b).
Take care and compile everything using the same architecture (-m64 option makes gcc to use 64b in Solaris).
Good luck!
In this entry everything is compiled in 32 bits, but it seems apache in your environment is 64 bits. That seems the reason for the complaint about ELFCLASS32 when linking against kerberos library (krb5 libs are 32b, apache 64b).
Take care and compile everything using the same architecture (-m64 option makes gcc to use 64b in Solaris).
Good luck!
Hola Ricky
I just realized that you're from Spain too
I managed to compile successfully all the sources adding the proper compiler flags. Many thanks for your reply.
Now my problem has to do with SSL encryption. Trying to access the page using HTTPS gives me the following error in apache's log:
[Mon Nov 03 17:06:42.020529 2014] [core:info] [pid 17150:tid 25] [client XXX] AH00561: Request header exceeds LimitRequestFieldSize: Authorization
[Mon Nov 03 17:06:42.020574 2014] [core:info] [pid 17150:tid 25] [client XXX] AH00567: request failed: error reading the headers
I put the corresponding settings in httpd.conf but had no luck:
LimitRequestLine 65536
LimitRequestFieldSize 65536
If I access the page without SSL everything runs just fine. Have you had a similar experience?
Maybe I have to add that my setup looks a bit more complicated. To put it simple: browser -> apache(kerberos,ssl) -> tomcat -> database
Saludos
Dani
I just realized that you're from Spain too
I managed to compile successfully all the sources adding the proper compiler flags. Many thanks for your reply.
Now my problem has to do with SSL encryption. Trying to access the page using HTTPS gives me the following error in apache's log:
[Mon Nov 03 17:06:42.020529 2014] [core:info] [pid 17150:tid 25] [client XXX] AH00561: Request header exceeds LimitRequestFieldSize: Authorization
[Mon Nov 03 17:06:42.020574 2014] [core:info] [pid 17150:tid 25] [client XXX] AH00567: request failed: error reading the headers
I put the corresponding settings in httpd.conf but had no luck:
LimitRequestLine 65536
LimitRequestFieldSize 65536
If I access the page without SSL everything runs just fine. Have you had a similar experience?
Maybe I have to add that my setup looks a bit more complicated. To put it simple: browser -> apache(kerberos,ssl) -> tomcat -> database
Saludos
Dani
I was able to solve the problem by adding this two lines in httpd-ssl.conf
LimitRequestLine 65536
LimitRequestFieldSize 65536
Perdona las molestias.
Dani
LimitRequestLine 65536
LimitRequestFieldSize 65536
Perdona las molestias.
Dani
Comments