Fail to load gssapi library

RESOLVED FIXED

Status

()

Core
Networking
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: nottheoilrig, Assigned: Simon Wilkinson)

Tracking

({fixed1.8.0.4, fixed1.8.1})

1.8 Branch
All
Linux
fixed1.8.0.4, fixed1.8.1
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.8) Gecko/20051217 Debian/1.5.dfsg-2 Firefox/1.5

I struggled to get negotiate authentication working again in Debian Linux, since the GSSAPI library became dynamicly loaded

NSPR_LOG_FILE contained -


1208153856[10d4aeb8]:   service = fis
1208153856[10d4aeb8]:   using negotiate-gss
1208153856[10d4aeb8]: entering nsAuthGSSAPI::nsAuthGSSAPI()
1208153856[10d4aeb8]: Fail to load gssapi library
1208153856[10d4aeb8]: entering nsAuthGSSAPI::Init()


- & an strace contained -


open("/usr/lib/libgssapi_krb5.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libgssapi.so", O_RDONLY) = -1 ENOENT (No such file or directory)


- even though libkrb53 & libgssapi4-heimdal Debian pacakges are installed -


fis% dpkg -S libgssapi
libkrb53: /usr/lib/libgssapi_krb5.so.2
libkrb53: /usr/lib/libgssapi_krb5.so.2.2
libgssapi4-heimdal: /usr/lib/libgssapi.so.4.0.0
libgssapi4-heimdal: /usr/lib/libgssapi.so.4
fis% 


Problem is, /usr/lib/libgssapi_krb5.so & /usr/lib/libgssapi.so are in libkrb5-dev & heimdal-dev, respectively - & these development packages aren't usually installed at runtime

So I dunno whether Firefox should try loading /usr/lib/libgssapi_krb5.so.2 (with version numbers), etc. - or libkrb53 & libgssapi4-heimdal should include the versionless paths, or the Debian Firefox package Recommends: libkrb5-dev, etc.

Many thanks for continued improvement of HTTP authentication!

Jack

Reproducible: Always
Assignee: nobody → darin
Component: General → Networking
Product: Firefox → Core
QA Contact: general → benc
Version: unspecified → 1.8 Branch
so, the code uses PR_GetLibraryName + PR_LoadLibrary, is it expected that it doesn't find the lib?

Comment 2

12 years ago
We don't check for versioned libraries, but do allow you to specify which lib to use explictly by setting the pref network.negotiate-auth.gsslib to point at the correct gssapi implementation.  Please verify that that works for you.  
non-versioned libraries are only installed by -dev packages. I don't think we should require them for a working negotiate auth.

Comment 4

12 years ago
Firefox needs to pass either "libgssapi_krb5.so.2" and
"libgssapi.so.4" or "/usr/lib/libgssapi_krb5.so.2" and
"/usr/lib/libgssapi.so.4" to PR_LoadLibrary.  Such file
names with ".2" or ".4" after the shared library suffix
(".so") can't be constructed with PR_GetLibraryName, so
you need to hardcode the file names.

Comment 5

12 years ago
(In reply to comment #2)
Is there a way to pass multiple libraries in this parameter? 

well, the current code calls it several times. so, looks like this only requires adding the name with .so.5 to the list. probably without the path.
(Assignee)

Comment 7

12 years ago
The same is actually true with Fedora - the unversioned .so link is owned by the -dev package. 

If it's OK, I'll knock together a patch for this ...
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Comment 8

12 years ago
>>>If it's OK, I'll knock together a patch for this ...

Cool, I haven't had time to start anything yet.  So go ahead and take the bug.
(Assignee)

Updated

12 years ago
Assignee: darin → simon
Status: ASSIGNED → NEW
(Assignee)

Comment 9

12 years ago
Created attachment 210487 [details] [diff] [review]
Fix to add support for loading versioned libraries. Also fixes bug #325433

I've attached a patch that should fix both this and bug #325433

The only danger is that when MIT and Heimdal increase their .so versions, we're going to have to add in additional libraries to the search list.
Attachment #210487 - Flags: review?(cneberg)
+                if (PR_FindFunctionSymbol(lib, 
+                                          "internal_krb5_gss_initialize") &&

don't you need to check that lib is nonnull at this point?

do we need to worry about systems which don't name their libraries .so? (macos? hp-ux?)
(Assignee)

Comment 11

12 years ago
(In reply to comment #10)
> don't you need to check that lib is nonnull at this point?

Ah yes. Indeed.
 
> do we need to worry about systems which don't name their libraries .so? (macos?
> hp-ux?)

Kerberos ships as standard on Mac OS X - so I don't think we'll have this problem there. I can't speak to HPUX, but I don't think this patch will make things any worse.
Comment on attachment 210487 [details] [diff] [review]
Fix to add support for loading versioned libraries. Also fixes bug #325433

Please add the check for lib mentioned by cbiesinger.

A google search couldn't find any versioned gssapi libraries on HP-UX or Mac OS X.  So they should still be fine.

You need libgssapi.so.1 for SUSE 9.x.

Unfortuenly serveral BSD's have tons of different versions of this library for libgssapi.so from .3 through .8.
Attachment #210487 - Flags: review?(cneberg) → review+
(Assignee)

Comment 13

12 years ago
I'm testing an updated version of this patch at the moment - I'll upload it later this week.

I'm currently checking for the following versioned libraries:
    * libgssapi_krb5.so.2 - for MIT Kerberos on Suse10 and Debian
    * libgssapi.so.4      - for Heimdal on Suse10 and Mandrake
    * libgssapi.so.1      - for Heimdal on Suse9

I believe that we only have a problem with Linux distributions using packaging systems which split installation trees into 'development' and 'lib' sections. The BSDs appear to always install the unversioned .so's - so we don't have to cater for them.

One problem with the above is that libgssapi.so.1 is what the CITI libgssapi
library is called on Fedora, Mandrake and Suse 10. We can't use this library for the reasons in bug #325433 - it crashes us if its not configured correctly. So
the checking code needs to be somewhat more complex.
Status: NEW → ASSIGNED
(Assignee)

Comment 14

12 years ago
Created attachment 212209 [details] [diff] [review]
Updated version of patch

This is an updated version of the patch, to cover the additional libraries in the previous comment. It also solves the problem with CITI's libgssapi calling exit()
on improperly configured systems. We should try and get this out there quickly, as it will solve a number of situations where Thunderbird just quits when try to send or receive email on machines running SuSe or Fedora.
Attachment #212209 - Flags: review?(cneberg)
(Assignee)

Comment 15

12 years ago
Created attachment 212210 [details] [diff] [review]
Updated version of patch

This is an updated version of the patch, to cover the additional libraries in the previous comment. It also solves the problem with CITI's libgssapi calling exit()
on improperly configured systems. We should try and get this out there quickly, as it will solve a number of situations where Thunderbird just quits when try to send or receive email on machines running SuSe or Fedora.
Attachment #210487 - Attachment is obsolete: true
Attachment #212210 - Flags: review?(cneberg)
(Assignee)

Updated

12 years ago
Attachment #212209 - Attachment is obsolete: true
Attachment #212209 - Flags: review?(cneberg)

Updated

12 years ago
Attachment #212210 - Flags: review?(cneberg) → review+
Comment on attachment 212209 [details] [diff] [review]
Updated version of patch

+        const char *const verLibNames[] = {

per http://people.redhat.com/drepper/dsohowto.pdf I believe:
  static const char verLibNames[][sizeof("libgssapi_krb5.so.2)]

would be more efficient.
(Assignee)

Updated

12 years ago
Attachment #212210 - Flags: superreview?(bienvenu)
Attachment #212210 - Flags: approval1.8.0.2?

Comment 17

12 years ago
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

thx, Simon.
Attachment #212210 - Flags: superreview?(bienvenu) → superreview+

Comment 18

12 years ago
fixed on trunk and 1.8.1 branch - waiting for 1.8.0.2 branch approval.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

Comment 19

12 years ago
Let's wait for trunk and branch verification before we approve this for 1.8.0.2.
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

Time is almost certainly too short to get verification of this in time for 1.8.0.2
Attachment #212210 - Flags: approval1.8.0.3?
Attachment #212210 - Flags: approval1.8.0.2?
Attachment #212210 - Flags: approval1.8.0.2-
(Assignee)

Comment 21

12 years ago
This should probably get release noted, then, as one of the problems fixed by this patch can cause Thunderbird to exit prematurely when accessing web servers offering GSSAPI authentication. Thunderbird running on Suse 10 is know to have this problem, its likely that Thunderbird running on FC4 will also have trouble. 
(Assignee)

Updated

12 years ago
Blocks: 325433

Comment 22

12 years ago
Comment on attachment 212210 [details] [diff] [review]
Updated version of patch

Just missed 1.5.0.2.  Should get in for 1.5.0.3. a=timr for drivers.
Attachment #212210 - Flags: approval1.8.0.3? → approval1.8.0.3+

Updated

11 years ago
Keywords: fixed1.8.0.3
You need to log in before you can comment on or make changes to this bug.