Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Hi Francesco, The SASL gssapi library is /usr/lib/sasl2/libgssapiv2.2.0.18.so ~ markus$ otool -L /usr/lib/sasl2/libgssapiv2.2.0.18.so /usr/lib/sasl2/libgssapiv2.2.0.18.so: /usr/lib/sasl2/libgssapiv2.2.0.18.so (compatibility version 1.0.0, current version 1.0.0) /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0, current version 6.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0) Markus "Kinkie" wrote in message news:ca+y8hcox8ae5szxb1f+qnrqsx9qyjz7-vlj9o_uzffa9k6x...@mail.gmail.com... On Mon, Jan 4, 2016 at 2:29 PM, Markus Moeller wrote: Hi Kinkie, I wonder against which Kerberos library SASL is linked against. You may get strange errors if SASL which is used by ldap is linked against the native Kerberos libraries. So the kerberos_ldap_group helper may not work correctly for SASL/GSSAPI based authentication to the ldap server. Hi, $ otool -L /usr/lib/libsasl2.2.dylib /usr/lib/libsasl2.2.dylib: /usr/lib/libsasl2.2.dylib (compatibility version 3.0.0, current version 3.15.0) /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1) System kerberos seems to be in /usr/lib and /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos . I can't find the SASL libraries; they must be embedded somewhere else :\ -- Francesco ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
> Could it be that the MIT header is used during configure instead of the MAC > Kerberos header files ? Doh! You are right - I had a stale config.cache Thanks for pointing it out! Francesco ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Hi Francesco, Which squid version do you use ? If I use the trunk I see that krb5_kt_free_entry does not exist and configure says so checking for krb5_pac... no checking for krb5_kt_free_entry in -lkrb5... no checking for krb5_get_init_creds_keytab in -lkrb5... yes support_krb5.cc then uses krb5_free_keytab_entry_contents #if USE_HEIMDAL_KRB5 || ( HAVE_KRB5_KT_FREE_ENTRY && HAVE_DECL_KRB5_KT_FREE_ENTRY ) code = krb5_kt_free_entry(kparam.context, &entry); #else code = krb5_free_keytab_entry_contents(kparam.context, &entry); #endif Could it be that the MIT header is used during configure instead of the MAC Kerberos header files ? Markus "Kinkie" wrote in message news:CA+Y8hcMYz9uQ9AgvMZco37f3hdVqBeOSN_R6T=b50l7kv2d...@mail.gmail.com... Hi Markus, Uninstalling MIT kerberos, the build system correctly detects Apple kerberos, but fails at ccache g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include -I/opt/local/include -I../../../libltdl -I. -I/usr/include/libxml2 -I/opt/local/include -I/usr/include/libxml2 -Werror -Qunused-arguments -Wno-deprecated-register -D_REENTRANT -I/opt/local/include -I/opt/local/include -I/opt/local/include/p11-kit-1 -I/opt/local/include -g -O2 -std=c++11 -MT support_log.o -MD -MP -MF $depbase.Tpo -c -o support_log.o support_log.cc &&\ mv -f $depbase.Tpo $depbase.Po support_krb5.cc:296:20: error: use of undeclared identifier 'krb5_kt_free_entry' code = krb5_kt_free_entry(kparam.context, &entry); On Mon, Jan 4, 2016 at 4:09 PM, Kinkie wrote: On Mon, Jan 4, 2016 at 2:29 PM, Markus Moeller wrote: Hi Kinkie, I wonder against which Kerberos library SASL is linked against. You may get strange errors if SASL which is used by ldap is linked against the native Kerberos libraries. So the kerberos_ldap_group helper may not work correctly for SASL/GSSAPI based authentication to the ldap server. Hi, $ otool -L /usr/lib/libsasl2.2.dylib /usr/lib/libsasl2.2.dylib: /usr/lib/libsasl2.2.dylib (compatibility version 3.0.0, current version 3.15.0) /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1) System kerberos seems to be in /usr/lib and /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos . I can't find the SASL libraries; they must be embedded somewhere else :\ -- Francesco -- Francesco ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Hi Markus, Uninstalling MIT kerberos, the build system correctly detects Apple kerberos, but fails at ccache g++ -DHAVE_CONFIG_H -I../../.. -I../../../include -I../../../lib -I../../../src -I../../../include -I/opt/local/include -I../../../libltdl -I. -I/usr/include/libxml2 -I/opt/local/include -I/usr/include/libxml2 -Werror -Qunused-arguments -Wno-deprecated-register -D_REENTRANT -I/opt/local/include -I/opt/local/include -I/opt/local/include/p11-kit-1 -I/opt/local/include -g -O2 -std=c++11 -MT support_log.o -MD -MP -MF $depbase.Tpo -c -o support_log.o support_log.cc &&\ mv -f $depbase.Tpo $depbase.Po support_krb5.cc:296:20: error: use of undeclared identifier 'krb5_kt_free_entry' code = krb5_kt_free_entry(kparam.context, &entry); On Mon, Jan 4, 2016 at 4:09 PM, Kinkie wrote: > On Mon, Jan 4, 2016 at 2:29 PM, Markus Moeller > wrote: >> Hi Kinkie, >> >> I wonder against which Kerberos library SASL is linked against. You may >> get strange errors if SASL which is used by ldap is linked against the >> native Kerberos libraries. So the kerberos_ldap_group helper may not work >> correctly for SASL/GSSAPI based authentication to the ldap server. > > Hi, > > $ otool -L /usr/lib/libsasl2.2.dylib > /usr/lib/libsasl2.2.dylib: > /usr/lib/libsasl2.2.dylib (compatibility version 3.0.0, current > version 3.15.0) > /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, > current version 50.0.0) > /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current > version 1197.1.1) > > System kerberos seems to be in /usr/lib and > /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos . I > can't find the SASL libraries; they must be embedded somewhere else :\ > > > -- > Francesco -- Francesco ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
On Mon, Jan 4, 2016 at 2:29 PM, Markus Moeller wrote: > Hi Kinkie, > > I wonder against which Kerberos library SASL is linked against. You may > get strange errors if SASL which is used by ldap is linked against the > native Kerberos libraries. So the kerberos_ldap_group helper may not work > correctly for SASL/GSSAPI based authentication to the ldap server. Hi, $ otool -L /usr/lib/libsasl2.2.dylib /usr/lib/libsasl2.2.dylib: /usr/lib/libsasl2.2.dylib (compatibility version 3.0.0, current version 3.15.0) /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1) System kerberos seems to be in /usr/lib and /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos . I can't find the SASL libraries; they must be embedded somewhere else :\ -- Francesco ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Hi Kinkie, I wonder against which Kerberos library SASL is linked against. You may get strange errors if SASL which is used by ldap is linked against the native Kerberos libraries. So the kerberos_ldap_group helper may not work correctly for SASL/GSSAPI based authentication to the ldap server. Markus "Amos Jeffries" wrote in message news:568a3df0.9040...@treenet.co.nz... On 4/01/2016 8:59 p.m., Kinkie wrote: Just for clarity: Squid isn't failing. The issue is in the kerberos_ldap_group helper. Aha. So the check should be in that helpers requires.m4 file and only run if the helper is to be built. It can also set an AC_SUBST variable LIBRESOLV="-lresolv". Amos ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
On 4/01/2016 8:59 p.m., Kinkie wrote: > Just for clarity: Squid isn't failing. The issue is in the > kerberos_ldap_group helper. > Aha. So the check should be in that helpers requires.m4 file and only run if the helper is to be built. It can also set an AC_SUBST variable LIBRESOLV="-lresolv". Amos ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Just for clarity: Squid isn't failing. The issue is in the kerberos_ldap_group helper. On Mon, Jan 4, 2016 at 8:58 AM, Kinkie wrote: > It is, however: > > $ pkg-config --libs mit-krb5 > -L/opt/local/lib -lkrb5 -lk5crypto -lcom_err > > :( > > On Mon, Jan 4, 2016 at 6:10 AM, Amos Jeffries wrote: >> On 4/01/2016 1:01 a.m., Kinkie wrote: >>> Hi, >>> the attached patch improves the build on MacOS, where MIT krb5 >>> libraries require explicit linking of libresolv. >>> >> >> Is pkg-config available and working for krb5 libraries on the MacOS >> system(s) where this library needs to be checked explicitly? >> >> If pkg-config is not available there, the library check should be moved >> up to the list of library checks between lines 1446 and 1465. >> >> Amos >> >> ___ >> squid-dev mailing list >> squid-dev@lists.squid-cache.org >> http://lists.squid-cache.org/listinfo/squid-dev > > > > -- > Francesco -- Francesco ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
It is, however: $ pkg-config --libs mit-krb5 -L/opt/local/lib -lkrb5 -lk5crypto -lcom_err :( On Mon, Jan 4, 2016 at 6:10 AM, Amos Jeffries wrote: > On 4/01/2016 1:01 a.m., Kinkie wrote: >> Hi, >> the attached patch improves the build on MacOS, where MIT krb5 >> libraries require explicit linking of libresolv. >> > > Is pkg-config available and working for krb5 libraries on the MacOS > system(s) where this library needs to be checked explicitly? > > If pkg-config is not available there, the library check should be moved > up to the list of library checks between lines 1446 and 1465. > > Amos > > ___ > squid-dev mailing list > squid-dev@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-dev -- Francesco ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
Re: [squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
On 4/01/2016 1:01 a.m., Kinkie wrote: > Hi, > the attached patch improves the build on MacOS, where MIT krb5 > libraries require explicit linking of libresolv. > Is pkg-config available and working for krb5 libraries on the MacOS system(s) where this library needs to be checked explicitly? If pkg-config is not available there, the library check should be moved up to the list of library checks between lines 1446 and 1465. Amos ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev
[squid-dev] [PATCH] MacOS MIT Kerberos requires libresolv
Hi, the attached patch improves the build on MacOS, where MIT krb5 libraries require explicit linking of libresolv. -- Francesco === modified file 'configure.ac' --- configure.ac 2016-01-03 10:45:27 + +++ configure.ac 2016-01-03 11:59:49 + @@ -1478,6 +1478,7 @@ AC_DEFINE(USE_MIT_KRB5,1,[MIT Kerberos support is available]) KRB5_FLAVOUR="MIT" fi +AC_CHECK_LIB(resolv, [res_9_search], [LIB_KRB5_LIBS="-lresolv $LIB_KRB5_LIBS"],[]) KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" KRB5INCS="$LIB_KRB5_CFLAGS" ___ squid-dev mailing list squid-dev@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-dev