php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54716 Internal Server Error when php compiled with oci driver
Submitted: 2011-05-12 10:53 UTC Modified: 2013-02-18 00:34 UTC
Votes:10
Avg. Score:4.6 ± 0.7
Reproduced:9 of 9 (100.0%)
Same Version:1 (11.1%)
Same OS:2 (22.2%)
From: dominik dot szybowski at bzwbk dot pl Assigned:
Status: No Feedback Package: OCI8 related
PHP Version: 5.2.17 OS: AIX
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: dominik dot szybowski at bzwbk dot pl
New email:
PHP Version: OS:

 

 [2011-05-12 10:53 UTC] dominik dot szybowski at bzwbk dot pl
Description:
------------
Apache server throws internal server error during sso kerberos authentication when php is compiled with parameter --with-oci8=instantclient,/usr/local/instantclient_11_1/lib

We have currently working apache 2.2.17 server with php 5.2.17 (other versions was also tested) configured with mit kerberos 5.1.6 and mod_auth_kerb5.4 kerberos module. Before we try to add oci connection to oracle everything works fine and users was authenticated by sso. After we recompiled php with oci our apache instance can't load kerberos configuration file and throws internal server error. It can be related to issue with subprocesses http://bugs.php.net/bug.php?id=9013 

I already tried oracle support but they didn't like to help with php.

Expected result:
----------------
Error log without oci (works fine):

[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1628): [client host] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://host/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1240): [client host] Acquiring creds for HTTP/host@domain, referer: https://10.151.67.126/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1385): [client host] Verifying client data using KRB5 GSS-API with our SPNEGO lib, referer: https://host/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1401): [client host] Client didn't delegate us their credential, referer: https://10.151.67.126/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1420): [client host] GSS-API token of length 161 bytes will be sent back, referer:

Actual result:
--------------
Error log with oci:

[Fri May 06 17:25:38 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.150.203.118] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri May 06 17:25:38 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.150.203.118] GSS-API major_status:000d0000, minor_status:96c73a87
[Fri May 06 17:25:38 2011] [error] [client 10.150.203.118] gss_import_name() failed: Miscellaneous failure (, Can't open/find Kerberos configuration file)



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-11-07 22:24 UTC] sixd@php.net
Please provide more details, including the complete build steps and a script that 
causes the error
 [2011-11-07 22:24 UTC] sixd@php.net
-Status: Open +Status: Feedback
 [2012-01-09 14:01 UTC] rattlebrain at gmx dot net
I have a similar problem.

mod_auth_kerb works fine as long as I don't use the PHP OCI8 extension. As soon as I load the OCI8 extension, mod_auth_kerb starts to behave weird. After an Apache (re)start everything is fine, but when I reload Apache I'm getting in a browser "Internal Server Error" and in the error log (just like the topic starter):

[Mon Jan 09 14:33:00 2012] [error] [client 10.206.33.199] gss_import_name() failed: Miscellaneous failure (, Can't open/find Kerberos configuration file)

After stracing the Apache processes it appeared that /krb5/krb.conf is trying to be opened, but obviously fails on a Linux system. I could prove that Oracle OCI is doing this by setting the SQLNET.KERBEROS5_CONF parameter to a different value in sqlnet.ora.

So in some way OCI mixes up the Kerberos stuff that mod_auth_kerb is using, but only when Apache is reloaded. Without everything works perfect, including the PHP OCI8 stuff.

I'm using:

- Debian GNU/Linux 6 64-bit
- Oracle Instantclient Basic 11.2.0.2.0
- PHP 5.3.3 (Debian package rebuild to include OCI8)
- mod_auth_kerb 5.4
- Apache 2.2.16

To create the OCI8 stuff I added the following parameters to the standard Debian PHP build parameters:

--with-oci8=shared,/usr
--with-pdo-oci=shared,/usr

This is the complete configure command:

        CFLAGS="-g -O2 -O2 -Wall -fsigned-char -fno-strict-aliasing   -gstabs" PROG_SENDMAIL="/usr/sbin/sendmail" ../configure \
                --prefix=/usr --with-apxs2=/usr/bin/apxs2 \
                --with-config-file-path=/etc/php5/apache2 \
                --with-config-file-scan-dir=/etc/php5/apache2/conf.d \
                --build=x86_64-linux-gnu --host=x86_64-linux-gnu --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man --disable-debug --with-regex=php --disable-rp
ath --disable-static --with-pic --with-layout=GNU --with-pear=/usr/share/php --enable-calendar --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-bcmath --with-bz2 
--enable-ctype --with-db4 --with-qdbm=/usr --without-gdbm --with-iconv --enable-exif --enable-ftp --with-gettext --enable-mbstring --with-onig=/usr --with-pcre-regex=/usr --
enable-shmop --enable-sockets --enable-wddx --with-libxml-dir=/usr --with-zlib --with-kerberos=/usr --with-openssl=/usr --enable-soap --enable-zip --with-mhash=yes --with-ex
ec-dir=/usr/lib/php5/libexec --with-system-tzdata \
                --without-mm \
                --with-curl=shared,/usr \
                --with-enchant=shared,/usr \
                --with-zlib-dir=/usr \
                --with-gd=shared,/usr --enable-gd-native-ttf \
                --with-gmp=shared,/usr \
                --with-jpeg-dir=shared,/usr \
                --with-xpm-dir=shared,/usr/X11R6 \
                --with-png-dir=shared,/usr \
                --with-freetype-dir=shared,/usr \
                --with-imap=shared,/usr \
                --with-imap-ssl \
                --with-interbase=shared,/usr --with-pdo-firebird=shared,/usr \
                --enable-intl=shared \
                --with-ttf=shared,/usr \
                --with-t1lib=shared,/usr \
                --with-ldap=shared,/usr \
                --with-ldap-sasl=/usr \
                --with-mcrypt=shared,/usr \
                --with-mysql=shared,/usr \
                --with-mysqli=shared,/usr/bin/mysql_config \
                --with-pspell=shared,/usr \
                --with-unixODBC=shared,/usr \
                --with-recode=shared,/usr \
                --with-xsl=shared,/usr \
                --with-snmp=shared,/usr \
                --with-sqlite=shared,/usr \
                --with-sqlite3=shared,/usr \
                --with-mssql=shared,/usr \
                --with-tidy=shared,/usr \
                --with-xmlrpc=shared \
                --with-pgsql=shared,/usr PGSQL_INCLUDE=`pg_config --includedir` \
                --with-oci8=shared,/usr \
                --enable-pdo=shared \
                --without-pdo-dblib \
                --with-pdo-mysql=shared,/usr \
                --with-pdo-odbc=shared,unixODBC,/usr \
                --with-pdo-pgsql=shared,/usr/bin/pg_config \
                --with-pdo-oci=shared,/usr \
                --with-pdo-sqlite=shared,/usr \
                --with-pdo-dblib=shared,/usr

The relevant Apache config block:

  <Location />
    AuthName                     "Restricted Area"
    AuthType                     Kerberos
    AuthzUnixgroup               On
    AuthzUnixgroupAuthoritative  On
    Krb5Keytab                   /etc/apache2/krb5.keytab
    KrbAuthoritative             On
    KrbDelegateBasic             Off
    KrbLocalUserMapping          On
    KrbMethodNegotiate           On
    KrbMethodK5Passwd            On
    KrbSaveCredentials           Off
    KrbServiceName               HTTP/server1.net@REALM.NET
    KrbVerifyKDC                 On
    Require                      group admins
  </Location>

The content on the webserver doesn't matter, Apache breaks before the content can be read, so it doesn't help to provide a script.

I hope this helps. Do you need anything else?
 [2012-08-24 06:44 UTC] debian at linux dot org
My Configuration :
- Debian GNU/Linux 6 64-bit
- Oracle Instantclient 11.2
- PHP 5.3.14
- mod_auth_kerb 5.4 
- Apache 2.2.16
- Kerberos Heimdal

This can be reproduced using Apache graceful command.
Just after the mod_auth_kerb will fail to read the kerberos conf
gss_import_name() failed: Miscellaneous failure (, Can't open/find Kerberos configuration file. it will use the same default kerberos configuration as Oracle Database !!!
You can force the path using sqlnet.ora but it will fail after when using gss acquire credential (unknown error 2 or 21).

We did not find a fix.
 [2012-10-18 21:34 UTC] debian at linux dot org
In our case the PDO Oracle driver break kerberos config.
No need to use it, the bug appears when reloading Apache if the PDO Oracle driver is "ON". 
Just disabled it.
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 [2014-01-10 14:06 UTC] dfwin at live dot de
I am facing the same problems like the others. 

# Environment:
- RHEL Server 6.5
- PHP 5.2.17 (old applications ...) (tested PHP 5.3.28 also, same problem) 
- Apache 2.2.25
- mod_auth_kerb 5.4
- Oracle 11.2.0.1.0

# PHP build with
./configure --prefix=/usr/local/php5 \
			--with-libdir=lib64 \
			--with-apxs2=/usr/local/apache2/bin/apxs \
			--with-libxml-dir \
			--enable-wddx \
			--with-oci8=/data/oracle \
			--with-gd \
			--with-png-dir \
			--with-zlib-dir \
			--with-jpeg-dir \
			--with-freetype-dir \
			--with-curl \
			--with-ldap \
			--enable-exif \
			--enable-mbstring \
			--with-pspell \
			--enable-soap


As soon as you compile PHP with the oci8 extensions, mod_auth_kerb & apache crash with:
[debug] src/mod_auth_kerb.c(1101): [client xx.xx.xx.xx] GSS-API major_status:000d0000, minor_status:96c73a87
[error] [client xx.xx.xx.xx] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information ()

PHP Applications that use oci8, are working fine, but you can't use SSO.
Without oci8 extensions kerb/sso is working.
 [2014-01-15 08:47 UTC] dfwin at live dot de
Here is what helped me:

I configured PHP with 
--with-oci8=shared,/data/oracle
and added the oci8.so in php.ini

For example:
extension_dir="/usr/local/src/php-5.2.17/modules"
extension=oci8.so

After this steps, my oci8 and mod_auth_kerb are working fine.
 [2014-01-15 09:01 UTC] rattlebrain at gmx dot net
dfwin: what is the difference compared to your earlier post?

My problem is not that I can't make mod_auth_kerb and the PHP OCI8 extension work at the same time, but that this combination breaks reloads of Apache. I added also an explanation what probably causes this behaviour. Restarts work fine, so as a work-around, I replaced all reloads by restarts...
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Nov 28 23:03:13 2021 UTC