On Fri, Nov 15, 2013 at 09:45:04PM +0100, Landry Breuil wrote:
> On Fri, Nov 15, 2013 at 01:57:23PM -0500, Eric Radman wrote:
> > Is there any special configuration for enabling Kerberos authentication
> > in Firefox? Normally one would simply set the Kerberos whitelist for
> > using "about:config":
> > 
> >     network.negotiate-auth.trusted-uris = "my.domain,"
> > 
> > My impression is that the implementation in Firefox is broken. Here is
> > what I tried:
> > 
> > 1. Enable firefox debug
> > 
> >     $ export NSPR_LOG_MODULES=negotiateauth:5
> >     $ export NSPR_LOG_FILE=/tmp/moz.log
> >     $ ktrace firefox
> > 
> > 2. Log shows that gssapi failed to load
> > 
> >     $ cat /tmp/moz.log
> >     750271712[89789780]:   service = inout.deshaw.com
> >     750271712[89789780]:   using negotiate-gss
> >     750271712[89789780]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> >     750271712[89789780]: Fail to load gssapi library
> >     750271712[89789780]: entering nsAuthGSSAPI::Init()
> 
> http://marc.info/?l=openbsd-ports&m=137189077332408&w=2
> https://bugzilla.mozilla.org/show_bug.cgi?id=648730
> https://bugzilla.mozilla.org/show_bug.cgi?id=853364
> 
> has all the details. At that time, I found no one needing that feature,
> and willing to help debug it, so it got broken to fix other issues.
> Trying to dlopen krb5 and crypto at runtime "might" fix it. Patch
> welcome.

I found this rotting in one of my mq queues, tentative patch. Manually
apply it to a firefox release, build it, and let me know how it goes.

Landry
# HG changeset patch
# Parent 2d71598ee2ea96902ccbaccbc96dac0ec4027ebf
# User Landry Breuil <lan...@openbsd.org>
Bug 648730 : add krb5 & crypto to the list of libs to open before gssapi on OpenBSD

diff --git a/extensions/auth/nsAuthGSSAPI.cpp b/extensions/auth/nsAuthGSSAPI.cpp
--- a/extensions/auth/nsAuthGSSAPI.cpp
+++ b/extensions/auth/nsAuthGSSAPI.cpp
@@ -118,23 +118,33 @@ gssInit()
             lib = PR_LoadLibrary("gssapi32");
             PR_FreeLibraryName(libName);
         }
 #else
         
         const char *const libNames[] = {
             "gss",
             "gssapi_krb5",
+#ifdef __OpenBSD__
+            /* On OpenBSD, libgssapi is not linked with krb5 but uses it */
+            "krb5",
+            "crypto",
+#endif
             "gssapi"
         };
         
         const char *const verLibNames[] = {
             "libgssapi_krb5.so.2", /* MIT - FC, Suse10, Debian */
             "libgssapi.so.4",      /* Heimdal - Suse10, MDK */
             "libgssapi.so.1",      /* Heimdal - Suse9, CITI - FC, MDK, Suse10*/
+#ifdef __OpenBSD__
+            /* On OpenBSD, libgssapi is not linked with krb5 but uses it */
+            "libkrb5.so",
+            "libcrypto.so",
+#endif
             "libgssapi.so"         /* OpenBSD */
         };
 
         for (size_t i = 0; i < ArrayLength(verLibNames) && !lib; ++i) {
             lib = PR_LoadLibrary(verLibNames[i]);
  
             /* The CITI libgssapi library calls exit() during
              * initialization if it's not correctly configured. Try to
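Review bot: The new "libkrb5.so" and "libcrypto.so" entries in verLibNames sit in front of "libgssapi.so", but the loop just below stops at the first name that loads (the `&& !lib` condition), so on OpenBSD it would exit with `lib` holding the libkrb5 handle and never reach "libgssapi.so". The list is a set of alternatives tried until one succeeds, not a set of dependencies to preload, so adding entries to it cannot do what the comment "libgssapi is not linked with krb5 but uses it" intends. Suggest loading krb5 and crypto in a separate `#ifdef __OpenBSD__` step before the loop, keeping their handles in their own variables so `lib` stays null until a gssapi library is found. The same ordering concern applies to "krb5" and "crypto" placed before "gssapi" in libNames, if that array is walked the same way (its loop is not visible in this hunk). The identical comment is also duplicated in both arrays; one comment at the preload step would be enough.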