Monday, July 2, 2007

Apache 2.2 / mod_auth_kerb on FC6

There is a bug in krb5-libs-1.5-21.1.i386.rpm, the latest available for FC6 from http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/i386/, which affects mod_auth_kerb.

The bug manifests in the error log as:

[Sun Jul 01 06:37:54 2007] [error] [client 1.2.3.4] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Cannot allocate memory)

MIT has already fixed the bug (about the same time krb5-libs-1.5-21.1.i386.rpm was released), but I don't see a more recent rpm available for FC6.

The bug is in lib/gssapi/krb5/indicate_mechs.c. The if() has the condition negated, which is wrong. The function should be as follows:



OM_uint32
krb5_gss_indicate_mechs(minor_status, mech_set)
    OM_uint32 *minor_status;
    gss_OID_set *mech_set;
{
    *minor_status = 0;

    /* gssint_copy_oid_set() returns non-zero on failure, so no '!' here */
    if (gssint_copy_oid_set(minor_status, gss_mech_set_krb5_both, mech_set)) {
        *mech_set = GSS_C_NO_OID_SET;
        *minor_status = ENOMEM;
        return(GSS_S_FAILURE);
    }

    return(GSS_S_COMPLETE);
}




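To show why the negated condition in indicate_mechs.c produces the "Cannot allocate memory" log line, here is an added example (not code from this post or from MIT krb5) that runs both forms of the check. The stand-in types, `copy_oid_set`, `indicate_mechs` and the `copy_should_fail` knob are assumptions made for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the GSS-API types (assumptions for this demo, not the real
 * krb5 headers). As in GSS-API, a major status of 0 means success. */
typedef unsigned int OM_uint32;
struct oid_set { int count; };
typedef struct oid_set *gss_OID_set;
#define GSS_S_COMPLETE   0u
#define GSS_S_FAILURE    (13u << 16)
#define GSS_C_NO_OID_SET ((gss_OID_set)0)

static int copy_should_fail;   /* demo knob: simulate a genuine copy failure */
static struct oid_set krb5_both = { 2 };
/* Hypothetical stand-in for gssint_copy_oid_set(): 0 on success. */
static OM_uint32 copy_oid_set(OM_uint32 *minor, gss_OID_set *out)
{
    *minor = 0;
    if (copy_should_fail)
        return GSS_S_FAILURE;
    *out = &krb5_both;
    return GSS_S_COMPLETE;
}

/* negated != 0 reproduces the shipped condition: if (!copy(...)) { fail } */
static OM_uint32 indicate_mechs(int negated, OM_uint32 *minor, gss_OID_set *mech_set)
{
    OM_uint32 rc = copy_oid_set(minor, mech_set);
    if (negated ? !rc : rc) {
        *mech_set = GSS_C_NO_OID_SET;
        *minor = ENOMEM;   /* rendered as "Cannot allocate memory" in the log */
        return GSS_S_FAILURE;
    }
    return GSS_S_COMPLETE;
}

int main(void)
{
    for (int negated = 1; negated >= 0; negated--) {
        OM_uint32 minor = 0;
        gss_OID_set set = GSS_C_NO_OID_SET;
        OM_uint32 major = indicate_mechs(negated, &minor, &set);
        printf("%s: major=%#x minor=%u (%s) mech_set=%s\n",
               negated ? "negated" : "fixed", major, minor,
               minor ? strerror((int)minor) : "none", set ? "valid" : "NULL");
    }
    return 0;
}
```

With the negation in place every successful copy is reported as a failure, and a genuine copy failure is reported as success with `mech_set` left unset.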
I fixed it by installing the source RPM krb5-1.5-21.1.src.rpm, editing indicate_mechs.c, rebuilding the RPMs and installing them.

For those no more familiar with doing such things than I was, the following suggestions may help:

rpm -i krb5-1.5-21.1.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb krb5.spec
Check and confirm that the RPMs were built successfully
cd /usr/src/redhat/BUILD/krb5-1.5/src/lib/gssapi/krb5
vi indicate_mechs.c
Change the if() to read as above (i.e. remove the '!')
cd /usr/src/redhat/SPECS
rpmbuild -bc --short-circuit krb5.spec
cd /usr/src/redhat/RPMS
rpm -U --force krb5*

It would be better to make a patch and change the version number of the RPM, but I don't know enough to do that.

After this change, mod_auth_kerb worked fine!!
