Bug 129680 - Upgrading to krb5-libs 1.2.2-27 can cause undefined symbol __dn_expand
Summary: Upgrading to krb5-libs 1.2.2-27 can cause undefined symbol __dn_expand
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: krb5
Version: 2.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2004-08-11 19:48 UTC by Phil D'Amore
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2004-08-11 20:40:17 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:448 normal SHIPPED_LIVE Critical: krb5 security update 2004-08-31 04:00:00 UTC

Description Phil D'Amore 2004-08-11 19:48:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030314

Description of problem:
After upgrading to krb5-libs 1.2.2-27 we found that a module we had
rebuilt from a later distro (mod_auth_kerb apache module) failed to
load and prevented apache from starting.  The error was:

[root@foo tmp]# service httpd start
Starting httpd: Syntax error on line 237 of /etc/httpd/conf/httpd.conf:
Cannot load /etc/httpd/modules/mod_auth_kerb.so into server:
/usr/kerberos/lib/libkrb5.so.3: undefined symbol: __dn_expand

We originally rebuilt our apache module thinking the problem was
there.  No dice.  Then I realized that dn_expand was a resolver
routine.  After digging I found that some of the krb5 libraries like
libkrb5.so.3 and one or two others, were not linking against
libresolv.so.  This was causing the symbol to not resolve.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Upgrade to krb5-libs-1.2.2-27
2.  Observe that some programs (possibly only ones that don't
themselves link against libresolv.so and therefore cause it to load)
no longer work.

Additional info:

I noticed that in release 25 of this rpm (not released AFAICT) a
change was made to address a problem where dns KDC discovery was not
working.  I think when this was fixed, it actually caused the krb5
libs to start using dn_expand, where it probably wasn't before.

In aclocal.m4 starting around line 557, it looks like this after all
the patches in the RPM are applied:

[  --with-netlib[=libs]    use user defined resolve library],
  if test "$withval" = yes -o "$withval" = no ; then
        AC_MSG_RESULT("netlib will link with C library resolver only")
        LIBS="$LIBS $withval"
        AC_MSG_RESULT("netlib will use \'$withval\'")

The problem here is that the processing of --with-netlib sets LIBS,
but does *not* set RESOLV_LIB, which some of the Makefiles rely on
when they do the final link to know that -lresolv must be used. 
Adding this line:



        LIBS="$LIBS $withval"

and rebuilding fixed the problem for me.

Changing the krb5-1.2.2-dns.patch in the RPM to the following seems to
clear up the issue:

--- krb5-1.2.2/src/aclocal.m4.orig      Wed Feb 28 17:06:31 2001
+++ krb5-1.2.2/src/aclocal.m4   Wed Aug 11 15:22:06 2004
@@ -560,8 +560,10 @@
        AC_MSG_RESULT("netlib will link with C library resolver only")
        LIBS="$LIBS $withval"
+       RESOLV_LIB="$withval"
        AC_MSG_RESULT("netlib will use \'$withval\'")

Comment 1 Nalin Dahyabhai 2004-08-11 20:40:17 UTC
Resolving in 1.2.2-29 and 1.2.7-26.

Comment 2 Mark J. Cox 2004-08-31 17:30:47 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.