[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

0.7rc2 with mod_auth_kerb 5 rc6

The spnego code in mod_auth_kerb seems to conflict with the related  
code in the new Heimdal.  As Love suggested, it turns out to be trivial  
to work around:  just eliminate the spnego code that came with  
mod_auth_kerb.  ;-)

First, forget all the configure machinery.  It just gets in the way  
here (IMNSHO).

Second, copy config.h.in to config.h and edit appropriately.  (It's  
obvious, I think.)

Third, apply the patch at the end of this email.

Forth, run apxs directly on the src/mod_auth_kerb.c file.  I used the  
something similar to the following on Solaris 9:

/apache/path/bin/apxs -c -I. -I/usr/kth/include -DHAVE_KRB5_CC_GEN_NEW  
-DHEIMDAL -Wc,-g -Wl,-R/usr/kth/lib:/apache/path/lib  
-L/usr/kth/lib:/apache/path/lib -lgssapi -lkrb5 -lasn1 -lcom_err  
-lcrypto -lroken -lresolv -lnsl -lsocket -lresolv src/mod_auth_kerb.c

I don't see any reason why you can't do -c -i -a instead of just -c  
above.  In theory you should do `/usr/kth/bin/krb5-config --libs` in  
place of all those options after the -c (except it doesn't include  

It appears to work fine.

--- mod_auth_kerb.c.orig	Wed Jun  1 13:33:49 2005
+++ mod_auth_kerb.c	Wed Jun  1 13:41:33 2005
@@ -73,7 +73,6 @@
  #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
  #  define krb5_get_err_text(context,code) error_message(code)
-#include "spnegokrb5.h"
  #endif /* KRB5 */

  #ifdef KRB4
@@ -1098,15 +1097,11 @@
    gss_name_t client_name = GSS_C_NO_NAME;
    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
    OM_uint32 (*accept_sec_token)();
-  gss_OID_desc spnego_oid;
    gss_ctx_id_t context = GSS_C_NO_CONTEXT;
    gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;

    *negotiate_ret_value = "\0";

-  spnego_oid.length = 6;
-  spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
    if (conf->krb_5_keytab) {
       char *ktname;
       /* we don't use the ap_* calls here, since the string passed to  
@@ -1145,14 +1140,10 @@
    input_token.length = ap_base64decode(input_token.value, auth_param);

-  accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ?
-     			gss_accept_sec_context_spnego : gss_accept_sec_context;
+  accept_sec_token = gss_accept_sec_context;

    /* pridat: Read client Negotiate data of length XXX, prefix YYY */
-  log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data  
using %s",
-	     (accept_sec_token == gss_accept_sec_context)
-	       ? "KRB5 GSS-API"
-	       : "SPNEGO GSS-API");
+  log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data  
using GSS-API");

    major_status = accept_sec_token(&minor_status,
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu