Closed Bug 321514 Opened 19 years ago Closed 18 years ago

Fail to load gssapi library

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Version:
1.8 Branch
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: nottheoilrig, Assigned: simon)

References

Details

(Keywords: fixed1.8.0.4, fixed1.8.1)

Attachments

(1 file, 2 obsolete files)

Updated version of patch
2.69 KB, patch
cneberg
: review+
Bienvenu
: superreview+
dveditz
: approval1.8.0.2-
timr
: approval1.8.0.4+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5

I struggled to get negotiate authentication working again in Debian Linux, since the GSSAPI library became dynamicly loaded

NSPR_LOG_FILE contained -


1208153856[10d4aeb8]:   service = fis
1208153856[10d4aeb8]:   using negotiate-gss
1208153856[10d4aeb8]: entering nsAuthGSSAPI::nsAuthGSSAPI()
1208153856[10d4aeb8]: Fail to load gssapi library
1208153856[10d4aeb8]: entering nsAuthGSSAPI::Init()


- & an strace contained -


open("/usr/lib/libgssapi_krb5.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libgssapi.so", O_RDONLY) = -1 ENOENT (No such file or directory)


- even though libkrb53 & libgssapi4-heimdal Debian pacakges are installed -


fis% dpkg -S libgssapi
libkrb53: /usr/lib/libgssapi_krb5.so.2
libkrb53: /usr/lib/libgssapi_krb5.so.2.2
libgssapi4-heimdal: /usr/lib/libgssapi.so.4.0.0
libgssapi4-heimdal: /usr/lib/libgssapi.so.4
fis% 


Problem is, /usr/lib/libgssapi_krb5.so & /usr/lib/libgssapi.so are in libkrb5-dev & heimdal-dev, respectively - & these development packages aren't usually installed at runtime

So I dunno whether Firefox should try loading /usr/lib/libgssapi_krb5.so.2 (with version numbers), etc. - or libkrb53 & libgssapi4-heimdal should include the versionless paths, or the Debian Firefox package Recommends: libkrb5-dev, etc.

Many thanks for continued improvement of HTTP authentication!

Jack

Reproducible: Always
Assignee: nobody → darin
Component: General → Networking
Product: Firefox → Core
QA Contact: general → benc
Version: unspecified → 1.8 Branch
so, the code uses PR_GetLibraryName + PR_LoadLibrary, is it expected that it doesn't find the lib?
We don't check for versioned libraries, but do allow you to specify which lib to use explictly by setting the pref network.negotiate-auth.gsslib to point at the correct gssapi implementation.  Please verify that that works for you.  
non-versioned libraries are only installed by -dev packages. I don't think we should require them for a working negotiate auth.
Firefox needs to pass either "libgssapi_krb5.so.2" and
"libgssapi.so.4" or "/usr/lib/libgssapi_krb5.so.2" and
"/usr/lib/libgssapi.so.4" to PR_LoadLibrary.  Such file
names with ".2" or ".4" after the shared library suffix
(".so") can't be constructed with PR_GetLibraryName, so
you need to hardcode the file names.
(In reply to comment #2)
Is there a way to pass multiple libraries in this parameter? 


well, the current code calls it several times. so, looks like this only requires adding the name with .so.5 to the list. probably without the path.
The same is actually true with Fedora - the unversioned .so link is owned by the -dev package. 

If it's OK, I'll knock together a patch for this ...
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
>>>If it's OK, I'll knock together a patch for this ...

Cool, I haven't had time to start anything yet.  So go ahead and take the bug.
Assignee: darin → simon
Status: ASSIGNED → NEW
I've attached a patch that should fix both this and bug #325433

The only danger is that when MIT and Heimdal increase their .so versions, we're going to have to add in additional libraries to the search list.
Attachment #210487 - Flags: review?(cneberg)
+                if (PR_FindFunctionSymbol(lib, 
+                                          "internal_krb5_gss_initialize") &&

don't you need to check that lib is nonnull at this point?

do we need to worry about systems which don't name their libraries .so? (macos? hp-ux?)
(In reply to comment #10)
> don't you need to check that lib is nonnull at this point?

Ah yes. Indeed.
 
> do we need to worry about systems which don't name their libraries .so? (macos?
> hp-ux?)

Kerberos ships as standard on Mac OS X - so I don't think we'll have this problem there. I can't speak to HPUX, but I don't think this patch will make things any worse.

Comment on attachment 210487 [details] [diff] [review]
Fix to add support for loading versioned libraries. Also fixes bug #325433

Please add the check for lib mentioned by cbiesinger.

A google search couldn't find any versioned gssapi libraries on HP-UX or Mac OS X.  So they should still be fine.

You need libgssapi.so.1 for SUSE 9.x.

Unfortuenly serveral BSD's have tons of different versions of this library for libgssapi.so from .3 through .8.
Attachment #210487 - Flags: review?(cneberg) → review+
I'm testing an updated version of this patch at the moment - I'll upload it later this week.

I'm currently checking for the following versioned libraries:
    * libgssapi_krb5.so.2 - for MIT Kerberos on Suse10 and Debian
    * libgssapi.so.4      - for Heimdal on Suse10 and Mandrake
    * libgssapi.so.1      - for Heimdal on Suse9

I believe that we only have a problem with Linux distributions using packaging systems which split installation trees into 'development' and 'lib' sections. The BSDs appear to always install the unversioned .so's - so we don't have to cater for them.

One problem with the above is that libgssapi.so.1 is what the CITI libgssapi
library is called on Fedora, Mandrake and Suse 10. We can't use this library for the reasons in bug #325433 - it crashes us if its not configured correctly. So
the checking code needs to be somewhat more complex.
Status: NEW → ASSIGNED
Attached patch Updated version of patch (obsolete) — Splinter Review 
This is an updated version of the patch, to cover the additional libraries in the previous comment. It also solves the problem with CITI's libgssapi calling exit()
on improperly configured systems. We should try and get this out there quickly, as it will solve a number of situations where Thunderbird just quits when try to send or receive email on machines running SuSe or Fedora.
Attachment #212209 - Flags: review?(cneberg)
This is an updated version of the patch, to cover the additional libraries in the previous comment. It also solves the problem with CITI's libgssapi calling exit()
on improperly configured systems. We should try and get this out there quickly, as it will solve a number of situations where Thunderbird just quits when try to send or receive email on machines running SuSe or Fedora.
Attachment #210487 - Attachment is obsolete: true
Attachment #212210 - Flags: review?(cneberg)
Attachment #212209 - Attachment is obsolete: true
Attachment #212209 - Flags: review?(cneberg)
Attachment #212210 - Flags: review?(cneberg) → review+
Comment on attachment 212209 [details] [diff] [review]
Updated version of patch

+        const char *const verLibNames[] = {

per http://people.redhat.com/drepper/dsohowto.pdf I believe:
  static const char verLibNames[][sizeof("libgssapi_krb5.so.2)]

would be more efficient.
Attachment #212210 - Flags: superreview?(bienvenu)
Attachment #212210 - Flags: approval1.8.0.2?
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

thx, Simon.
Attachment #212210 - Flags: superreview?(bienvenu) → superreview+
fixed on trunk and 1.8.1 branch - waiting for 1.8.0.2 branch approval.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Let's wait for trunk and branch verification before we approve this for 1.8.0.2.
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

Time is almost certainly too short to get verification of this in time for 1.8.0.2
Attachment #212210 - Flags: approval1.8.0.3?
Attachment #212210 - Flags: approval1.8.0.2?
Attachment #212210 - Flags: approval1.8.0.2-
This should probably get release noted, then, as one of the problems fixed by this patch can cause Thunderbird to exit prematurely when accessing web servers offering GSSAPI authentication. Thunderbird running on Suse 10 is know to have this problem, its likely that Thunderbird running on FC4 will also have trouble.
Blocks: 325433
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

Just missed 1.5.0.2.  Should get in for 1.5.0.3. a=timr for drivers.
Attachment #212210 - Flags: approval1.8.0.3? → approval1.8.0.3+
Keywords: fixed1.8.0.3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: