1

My test program works fine. I can create a client and a server and run them against each other. I can set my KRB5_CONFIG environment variable and use a local configuration for testing.

For some reason when I place the code in our production software it fails. Even if I strip our main() function to just calling gss_import_name() with a hard coded name I end up with the message "Cannot open configuration file".

If I run truss then I see a lot of Oracle going on. It tries to open lots of different Oracle trace files. It also tries to open

/krb5/krb.conf

instead of the file I specify.

It's as if Oracle is giving us the wrong gss, or maybe some other option in our huge and complex build system. I note -L/usr/lib/sparcv9 though this is after my -lgss now if that matters (too long since I worked in C on a regular basis!). The libgss.so.1 in that directory is larger than the one in /usr/lib - though putting that option into my test program's link command does not break it.

Any help?

Thanks - Richard

Richard Corfield
  • 717
  • 6
  • 19
  • 1
    if you run the program as `dtrace -n "syscall::open*:entry /copyinstr(arg0) == \"/krb5/krb.conf\"/ { ustack(); }" -c ` it'll give you the codepath/stacktrace for who opens the incorrect config file. Unfortunately, your problem sounds complex and possibly build / setup related, so this is only one potential starting point; we need a stackoverflow chat ;-) – FrankH. Jul 29 '11 at 12:05
  • I'll have to work out how to chat. Our code is statically linked to gss. libc.so.1`__open+0x4 libc.so.1`_endopen+0xa8 libc.so.1`fopen+0x1c program`profile_update_file_data+0x1f8 program`profile_open_file+0x528 program`profile_init+0x60 program`os_init_paths+0x20 program`krb5_os_init_context+0x20 program`init_common+0x10c program`krb5_gss_import_name+0x18 program`main+0x34 program`_start+0x17c – Richard Corfield Jul 29 '11 at 13:57
  • Looks like Oracle includes its own gss_api implementation. Putting -lgss before the Oracle libraries is helping - but I wonder what it would do to Oracle. Oracle has implementations names starting zt as well. – Richard Corfield Aug 01 '11 at 16:24

3 Answers3

1

This fixed what appeared to be a similar problem for us:

export KRB5_CONFIG=/etc/krb5.conf

It does appear likely that Oracle sets this env var incorrectly if it's not already set.

$ grep -r KRB5_CONFIG $ORACLE_HOME 
Binary file /usr/lib/oracle/11.1.0.1/client64/lib/libclntsh.so matches 
Binary file /usr/lib/oracle/11.1.0.1/client64/lib/libclntsh.so.11.1 matches 
$ grep -r '/krb5/krb.conf' $ORACLE_HOME 
Binary file /usr/lib/oracle/11.1.0.1/client64/lib/libclntsh.so matches 
Binary file /usr/lib/oracle/11.1.0.1/client64/lib/libclntsh.so.11.1 matches
Steve
  • 1,084
  • 11
  • 17
0

I ran in to the very same issue with Oracle 11.2.0.4.0 on HP-UX 11.31 and wasted almost an entire day for that. Indeed, the crappy Oracle lib peforms a putenv with /opt/krb5/krb.conf and the tip from Richard Corfield makes the app even crash. The only workaround is to create a symbolic link. I have created a service request with Oracle for that issue.

Update (2014-06-02): I have received an update from Oracle. They confirmed the bug. It seems like there is a private GSS-API which is redefining symbols.

Bug 10184681 - ORACLE NEEDS TO USE VERSIONED SYMBOLS TO AVOID EXTERNAL SYMBOL CONFLICTS

This issue has been open since 2010-10. Terrible.

Michael-O
  • 18,123
  • 6
  • 55
  • 121
0

I found that the Oracle libraries contained an implementation of GSS. To make my code work I ensured I linked "-lgss" before linking any of the Oracle libraries.

I've not tested to see if this upsets Oracle in single sign-on, because we use Oracle with user name and password. That works fine.

Richard Corfield
  • 717
  • 6
  • 19