Created attachment 26854 [details] Patch for Apache/mod_Fcgid.so startup issue in complex Active Directory Domain environment Problem: mod_fcgid.so tries to gather CGI process filestat during startup using apr_stat () call and fails to fetch all ACLs from Active Directory Domain environment (having complex groups spanning across multiple domains) Root Cause: apr_stat() using APR_FINFO_NORM ends up calling GetEffectiveRightsFromACL Win32API to proble ACLs for cgi process file object's owner and group trustee accounts, and per MS this GetEffectiveRightsFromACL API is likely to fail in complex AD environment. MS KB: http://support.microsoft.com/kb/2018746 Solution: mod_fcgid.so apr_stat() call is made to use APR_FINFO_IDENT and thereby avoiding the unnecessary ACL lookup during Apache startup, however if there is a real ACL issue, mod_fcgid.so will return error during runtime.
I've experience the same issue with mod_fcgid failing on startup. I'm also in an extremely large Active Directory implementation which explains why I'm suffering. Have tried the patch and it works perfectly.
Please attention to this issue, quite some reports on this.
A workaround is available, but it's not suitable for all implementations. Change permissions on the fastcgi wrapper (e.g. php-cgi.exe) to remove any Active Directory user or group. Also remove any local groups that contain Active Directory users or groups. I was left with just the local administrator account and system. The Apache service will then start correctly as it doesn't bother accessing Active Directory to check the ACL.
I've logged bug 51560 with Apache APR about the underlying issue caused by using GetEffectiveRightsFromACL. It'd be ideal if they could provide a fix at that level as it'd fix other modules that suffer from the same problem. Like mod_xsendfile https://github.com/nmaier/mod_xsendfile/issues/8
David, that's a very interesting workaround, and thanks for filing the APR bug. Thangaraj, looked at your proposed solution and went with that philosophy, vetting all of the cases where we were requesting far more apr_file_stat fields than were used. Fixed for mod_fcgid 2.3.7. Thank you for proposing that fix.
I'm currently experiencing the issue on some Windows 2008 R2 with AD and as I understand the error that's given me by the Apache Configuration check, it definitely relates to this issue. Therefore I'd say, the bug is still open. Does anybody still experience this issue with Apache 2.2.22 and mod_fcgid 2.3.7.
Created attachment 29777 [details] rebuild_for_mod_fcgid-2.3.7-crlf Just replace your mod_fcgid.so Build, what's updated: line :866 comented "/* return missing_file_msg(cmd->pool, "Wrapper", path, rv); */" AD+Apache + mod_fcgid + PHP = (70008)Partial results used links : http://support.microsoft.com/kb/2018746 https://www.apachelounge.com/viewtopic.php?p=18440 http://remotehelp.pp.ua/index.php?option=com_content&view=article&id=73:kompilyacziya-modfcgid-v-visual-studio-2005-visual-c-2005-pod-apache-2222-dlya-windows-xp
How does commenting out line 866 fix the issue? Is it just prohibiting the AD lookups all together?