Kerberos Module For Apache

fixed in 1.142, thanks for comments

I am using the kerberos supplied by redhat for RHEL 4/5. These are the
respective versions:

RHEL 4: krb5-devel-1.3.4-60.el4
RHEL 5: krb5-devel-1.6.1-25.el5

On the solaris machines we were using mit kerberos 1.5.1, which was
installed by us (not the vendor). I have upgraded that to 1.6.3, so now it
appears to work fine on the solaris build as well.

In my current build I just have a conditional to exclude applying the
patch on RHEL 4, which is find in my environment. Any new systems I really
care about are on RHEL 5 or Solaris 10, which now work fine with the patch.
I can deal with using prefork on the older RHEL 4 boxes until they get
upgraded.

Assuming you are correct about the threading issues in the earlier
kerberos versions, then I would probably just go for having configure
detect if it can use the call, otherwise do it the non-threadsafe way and
have configure print out a warning so that whoever is compiling it knows
it.

What Kerberos implementations do you use on the RHEL 4 and Solaris
installation, which don't contain the call? Please note, that AFAIK older
MIT/Heimdal implementations weren't thread-safe so you'd be probably run
into problems anyway.

Unfortunately this fix did not work on RHEL 4 or my particular Solaris
install due to krb5_cc_new_unique not being available. I can probably do
some OS upgrades to fix the issue for me, however it may not be a good idea
to push this out globally as-is for compatibility. I would recommend that
either a more compatible way be found, or at least have a test in the
configure script to see if the function is available and then use it only
in that case.

As far as I can tell that change fixes the problem. I have only tested on
RHEL5 so far (RHEL4 & Solaris testing still to come), but everything seems
to work very well. I will start putting this up on production servers and
see if there are any issues with normal usage. Below is the patch I am
using.


$ cat mod_auth_kerb-5.3-threading.patch
diff -U3 -r mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c
mod_auth_kerb-5.3/src/mod_auth_kerb.c
--- mod_auth_kerb-5.3.orig/src/mod_auth_kerb.c 2008-09-04
10:41:49.000000000 -0700
+++ mod_auth_kerb-5.3/src/mod_auth_kerb.c 2008-09-05
08:19:50.000000000 -0700
@@ -564,7 +564,7 @@
} else
keytab = ap_req_keytab;

- ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &local_ccache);
if (ret) {
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"krb5_cc_resolve() failed when verifying KDC");
@@ -711,7 +711,7 @@
goto end;
}

- ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache);
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ret_ccache);
if (ret) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"generating new memory ccache failed: %s",

The very same issues seems to have been discussed at the krbdev
mailinglist. Could you please have a look at
http://mailman.mit.edu/pipermail/krbdev/2008-August/006832.html and try the
remedy described there and report back the result? If that worked we would
change the module code accordingly.

We're experiencing the exact same issue.

It should be noted that this problem also occurs when using the latest MIT
(1.6.3) and heimdal (1.2). After a while I was wondering if there might
be threading issues with MIT kerberos, but sadly it appears to be the
apache module itself. If it helps, here's output from tests ran when
compiled against heimdal 1.2:

[Tue Aug 26 17:56:23 2008] [notice] child pid 20794 exit signal
Segmentation fault (11)
[Tue Aug 26 17:56:25 2008] [error] [client 10.4.5.13] failed to verify
krb5 credentials: No such file or directory
[Tue Aug 26 17:56:26 2008] [notice] child pid 20790 exit signal
Segmentation fault (11)
[Tue Aug 26 17:56:36 2008] [notice] child pid 20792 exit signal
Segmentation fault (11)
*** glibc detected *** /bin/httpd: double free or corruption (out):
0x94303588 ***
======= Backtrace: =========
/lib/libc.so.6[0xa97b16]
/lib/libc.so.6(cfree+0x90)[0xa9b030]
/lib/libasn1.so.8(der_free_general_string+0x1f)[0x19db7b]
/lib/libasn1.so.8(free_PrincipalName+0x3c)[0x1eb426]
/lib/libasn1.so.8(free_Principal+0x1d)[0x1eab85]
/lib/libkrb5.so.25(krb5_free_principal+0x23)[0x6798fb]
/lib/libkrb5.so.25[0x670848]
/lib/libkrb5.so.25(krb5_cc_destroy+0x29)[0x648951]
/modules/mod_auth_kerb.so[0xc70fdc]
/modules/mod_auth_kerb.so[0xc7116e]
/modules/mod_auth_kerb.so[0xc71d19]
/modules/mod_auth_kerb.so[0xc734de]
/bin/httpd(ap_run_check_user_id+0x46)[0x807a9d3]
/bin/httpd(ap_process_request_internal+0x313)[0x807b453]
/bin/httpd(ap_process_request+0x4f)[0x80acb74]
/bin/httpd[0x80a964f]
/bin/httpd(ap_run_process_connection+0x46)[0x8088c23]
/bin/httpd(ap_process_connection+0x58)[0x8089036]
/bin/httpd[0x80c8f24]
/bin/httpd[0x80c9801]
/lib/libapr-1.so.0[0x4f8bf8]
/lib/libpthread.so.0[0xba845b]
/lib/libc.so.6(clone+0x5e)[0xaffc4e]
======= Memory map: ========
[Tue Aug 26 17:56:38 2008] [notice] child pid 21005 exit signal Aborted
(6)