pam-krb5 3.9 released (patch for AIX NAS library)

Russ Allbery rra at stanford.edu
Tue Dec 25 14:29:24 EST 2007


"Markus Moeller" <huaraz at moeller.plus.com> writes:
> "Russ Allbery" <rra at stanford.edu> wrote:

>> Is there some specific function I should look for in ksvc to see whether
>> or not I need that library?  (What function wasn't found without it?)

> It is for the error_message replacement:

> const char *KRB5_CALLCONV error_message(long code) {
>  char *msg=NULL;
>  krb5_svc_get_msg(code,&msg);
>  return msg;
> }

Ah.  I think that part of your diff might not have been included.  It
doesn't have krb5_get_error_message, only that function?

> It also has com_err in it.

Well, with that function, we wouldn't be using com_err at all.

> If I didn't define snprintf  I got warnings and it is defined in stdio.h as 
> follows:
>
> #if (_XOPEN_SOURCE >= 500) || defined(_ISOC99_SOURCE)
> extern int      snprintf(char *__restrict__, size_t, const char 
> *__restrict__, ...);
> #endif /* _XOPEN_SOURCE >= 500 */
>
> So I guess _ALL_SOURCE will define it.

Yeah, that looks like the problem.

>> AIX provides the functions for verifying initial creds and the struct, but
>> doesn't provide the initialization function?

> Not that I know. Here is a list of calls which seem to be available.

Yeah, it looks like it only has krb5_verify_init_creds and nothing else.
That's really strange.  Is there a prototype for krb5_verify_init_creds in
the header files?  If so, what is the final argument?

Is there any chance those functions are implemented with macros instead?

>>> +        if (realmstr) {
>>> +                names[2] = realmstr;
>>> +                names[3] = option;
>>> +                names[4] = 0;
>>> +                retval = profile_get_values(profile, names, &nameval);
>>> +                if (retval == 0 && nameval && nameval[0]) {
>>> +                        *ret_value = strdup(nameval[0]);
>>> +                        goto goodbye;
>>> +                }
>>> +        }

>> Hm, the functions like profile_get_values are internal Kerberos library
>> functions.  They're exported on AIX?  I'm leery of calling them directly,
>> since they're supposed to be internal and could therefore disappear again.

> Yes the whole appdefault_get function is not exported, so I copied it
> from the MIT sources and since it is internal I didn't have access to
> the context structure why I had to exclude a check of context->magic.
> But the profile I could get with krb5_get_profile.

Right, but what about profile_get_values?  That's an internal function,
although it does look like MIT exports it.  The normal Kerberos API
exports krb5_get_profile, but it doesn't provide any functions in krb5.h
to use the resulting profile struct.

> It is mainly the same as MIT only some internal functions are not exported

It looks like it's similar to MIT but with standard functions removed and
other internal functions exported that MIT doesn't export.  Several of
those changes are rather baffling.  For example, I wonder why they'd keep
exporting all the profile_ functions but remove krb5_appdefaults_*.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list