Last Comment Bug 321514 - Fail to load gssapi library
: Fail to load gssapi library
Status: RESOLVED FIXED
: fixed1.8.0.4, fixed1.8.1
Product: Core
Classification: Components
Component: Networking (show other bugs)
: 1.8 Branch
: All Linux
: -- normal (vote)
: ---
Assigned To: Simon Wilkinson
: benc
Mentors:
Depends on:
Blocks: 325433
  Show dependency treegraph
 
Reported: 2005-12-25 16:01 PST by Jack Bates
Modified: 2006-04-21 07:43 PDT (History)
8 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Fix to add support for loading versioned libraries. Also fixes bug #325433 (2.18 KB, patch)
2006-02-02 09:19 PST, Simon Wilkinson
cneberg: review+
Details | Diff | Review
Updated version of patch (2.69 KB, patch)
2006-02-17 05:43 PST, Simon Wilkinson
no flags Details | Diff | Review
Updated version of patch (2.69 KB, patch)
2006-02-17 05:43 PST, Simon Wilkinson
cneberg: review+
mozilla: superreview+
dveditz: approval1.8.0.2-
timr: approval1.8.0.4+
Details | Diff | Review

Description Jack Bates 2005-12-25 16:01:44 PST
User-Agent:       Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5

I struggled to get negotiate authentication working again in Debian Linux, since the GSSAPI library became dynamicly loaded

NSPR_LOG_FILE contained -


1208153856[10d4aeb8]:   service = fis
1208153856[10d4aeb8]:   using negotiate-gss
1208153856[10d4aeb8]: entering nsAuthGSSAPI::nsAuthGSSAPI()
1208153856[10d4aeb8]: Fail to load gssapi library
1208153856[10d4aeb8]: entering nsAuthGSSAPI::Init()


- & an strace contained -


open("/usr/lib/libgssapi_krb5.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libgssapi.so", O_RDONLY) = -1 ENOENT (No such file or directory)


- even though libkrb53 & libgssapi4-heimdal Debian pacakges are installed -


fis% dpkg -S libgssapi
libkrb53: /usr/lib/libgssapi_krb5.so.2
libkrb53: /usr/lib/libgssapi_krb5.so.2.2
libgssapi4-heimdal: /usr/lib/libgssapi.so.4.0.0
libgssapi4-heimdal: /usr/lib/libgssapi.so.4
fis% 


Problem is, /usr/lib/libgssapi_krb5.so & /usr/lib/libgssapi.so are in libkrb5-dev & heimdal-dev, respectively - & these development packages aren't usually installed at runtime

So I dunno whether Firefox should try loading /usr/lib/libgssapi_krb5.so.2 (with version numbers), etc. - or libkrb53 & libgssapi4-heimdal should include the versionless paths, or the Debian Firefox package Recommends: libkrb5-dev, etc.

Many thanks for continued improvement of HTTP authentication!

Jack

Reproducible: Always
Comment 1 Christian :Biesinger (don't email me, ping me on IRC) 2005-12-25 16:29:28 PST
so, the code uses PR_GetLibraryName + PR_LoadLibrary, is it expected that it doesn't find the lib?
Comment 2 Christopher Nebergall 2005-12-26 09:37:36 PST
We don't check for versioned libraries, but do allow you to specify which lib to use explictly by setting the pref network.negotiate-auth.gsslib to point at the correct gssapi implementation.  Please verify that that works for you.  
Comment 3 Christian :Biesinger (don't email me, ping me on IRC) 2005-12-26 09:51:13 PST
non-versioned libraries are only installed by -dev packages. I don't think we should require them for a working negotiate auth.
Comment 4 Wan-Teh Chang 2005-12-26 14:33:31 PST
Firefox needs to pass either "libgssapi_krb5.so.2" and
"libgssapi.so.4" or "/usr/lib/libgssapi_krb5.so.2" and
"/usr/lib/libgssapi.so.4" to PR_LoadLibrary.  Such file
names with ".2" or ".4" after the shared library suffix
(".so") can't be constructed with PR_GetLibraryName, so
you need to hardcode the file names.
Comment 5 Eric Dorland 2005-12-26 15:39:31 PST
(In reply to comment #2)
Is there a way to pass multiple libraries in this parameter? 

Comment 6 Christian :Biesinger (don't email me, ping me on IRC) 2005-12-26 15:58:10 PST
well, the current code calls it several times. so, looks like this only requires adding the name with .so.5 to the list. probably without the path.
Comment 7 Simon Wilkinson 2006-02-02 04:03:49 PST
The same is actually true with Fedora - the unversioned .so link is owned by the -dev package. 

If it's OK, I'll knock together a patch for this ...
Comment 8 Christopher Nebergall 2006-02-02 07:10:07 PST
>>>If it's OK, I'll knock together a patch for this ...

Cool, I haven't had time to start anything yet.  So go ahead and take the bug.
Comment 9 Simon Wilkinson 2006-02-02 09:19:59 PST
Created attachment 210487 [details] [diff] [review]
Fix to add support for loading versioned libraries. Also fixes bug #325433

I've attached a patch that should fix both this and bug #325433

The only danger is that when MIT and Heimdal increase their .so versions, we're going to have to add in additional libraries to the search list.
Comment 10 Christian :Biesinger (don't email me, ping me on IRC) 2006-02-02 10:53:18 PST
+                if (PR_FindFunctionSymbol(lib, 
+                                          "internal_krb5_gss_initialize") &&

don't you need to check that lib is nonnull at this point?

do we need to worry about systems which don't name their libraries .so? (macos? hp-ux?)
Comment 11 Simon Wilkinson 2006-02-02 11:01:11 PST
(In reply to comment #10)
> don't you need to check that lib is nonnull at this point?

Ah yes. Indeed.
 
> do we need to worry about systems which don't name their libraries .so? (macos?
> hp-ux?)

Kerberos ships as standard on Mac OS X - so I don't think we'll have this problem there. I can't speak to HPUX, but I don't think this patch will make things any worse.
Comment 12 Christopher Nebergall 2006-02-02 21:01:53 PST
Comment on attachment 210487 [details] [diff] [review]
Fix to add support for loading versioned libraries. Also fixes bug #325433

Please add the check for lib mentioned by cbiesinger.

A google search couldn't find any versioned gssapi libraries on HP-UX or Mac OS X.  So they should still be fine.

You need libgssapi.so.1 for SUSE 9.x.

Unfortuenly serveral BSD's have tons of different versions of this library for libgssapi.so from .3 through .8.
Comment 13 Simon Wilkinson 2006-02-06 09:41:23 PST
I'm testing an updated version of this patch at the moment - I'll upload it later this week.

I'm currently checking for the following versioned libraries:
    * libgssapi_krb5.so.2 - for MIT Kerberos on Suse10 and Debian
    * libgssapi.so.4      - for Heimdal on Suse10 and Mandrake
    * libgssapi.so.1      - for Heimdal on Suse9

I believe that we only have a problem with Linux distributions using packaging systems which split installation trees into 'development' and 'lib' sections. The BSDs appear to always install the unversioned .so's - so we don't have to cater for them.

One problem with the above is that libgssapi.so.1 is what the CITI libgssapi
library is called on Fedora, Mandrake and Suse 10. We can't use this library for the reasons in bug #325433 - it crashes us if its not configured correctly. So
the checking code needs to be somewhat more complex.
Comment 14 Simon Wilkinson 2006-02-17 05:43:01 PST
Created attachment 212209 [details] [diff] [review]
Updated version of patch

This is an updated version of the patch, to cover the additional libraries in the previous comment. It also solves the problem with CITI's libgssapi calling exit()
on improperly configured systems. We should try and get this out there quickly, as it will solve a number of situations where Thunderbird just quits when try to send or receive email on machines running SuSe or Fedora.
Comment 15 Simon Wilkinson 2006-02-17 05:43:09 PST
Created attachment 212210 [details] [diff] [review]
Updated version of patch

This is an updated version of the patch, to cover the additional libraries in the previous comment. It also solves the problem with CITI's libgssapi calling exit()
on improperly configured systems. We should try and get this out there quickly, as it will solve a number of situations where Thunderbird just quits when try to send or receive email on machines running SuSe or Fedora.
Comment 16 Christian :Biesinger (don't email me, ping me on IRC) 2006-02-17 06:54:54 PST
Comment on attachment 212209 [details] [diff] [review]
Updated version of patch

+        const char *const verLibNames[] = {

per http://people.redhat.com/drepper/dsohowto.pdf I believe:
  static const char verLibNames[][sizeof("libgssapi_krb5.so.2)]

would be more efficient.
Comment 17 David :Bienvenu 2006-02-17 08:38:37 PST
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

thx, Simon.
Comment 18 David :Bienvenu 2006-02-21 08:17:44 PST
fixed on trunk and 1.8.1 branch - waiting for 1.8.0.2 branch approval.
Comment 19 Scott MacGregor 2006-02-21 09:46:39 PST
Let's wait for trunk and branch verification before we approve this for 1.8.0.2.
Comment 20 Daniel Veditz [:dveditz] 2006-02-22 12:33:28 PST
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

Time is almost certainly too short to get verification of this in time for 1.8.0.2
Comment 21 Simon Wilkinson 2006-02-22 12:44:41 PST
This should probably get release noted, then, as one of the problems fixed by this patch can cause Thunderbird to exit prematurely when accessing web servers offering GSSAPI authentication. Thunderbird running on Suse 10 is know to have this problem, its likely that Thunderbird running on FC4 will also have trouble. 
Comment 22 Tim Riley [:timr] 2006-04-05 11:52:58 PDT
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

Just missed 1.5.0.2.  Should get in for 1.5.0.3. a=timr for drivers.

Note You need to log in before you can comment on or make changes to this bug.