pam-krb5 3.9 released (patch for AIX NAS library)
Markus Moeller
huaraz at moeller.plus.com
Tue Dec 25 15:15:45 EST 2007
"Russ Allbery" <rra at stanford.edu> wrote in message
news:87fxxqzi7f.fsf at windlord.stanford.edu...
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
>> "Russ Allbery" <rra at stanford.edu> wrote:
>
>>> Is there some specific function I should look for in ksvc to see whether
>>> or not I need that library? (What function wasn't found without it?)
>
>> It is for the error_message replacement:
>
>> const char *KRB5_CALLCONV error_message(long code) {
>>     char *msg = NULL;
>>     krb5_svc_get_msg(code, &msg);
>>     return msg;
>> }
>
> Ah. I think that part of your diff might not have been included. It
Line 240 in the patch should have it.
> doesn't have krb5_get_error_message, only that function?
>
Yes as far as I could determine.
>> It also has com_err in it.
>
> Well, with that function, we wouldn't be using com_err at all.
>
>> If I didn't define snprintf I got warnings and it is defined in stdio.h
>> as follows:
>>
>> #if (_XOPEN_SOURCE >= 500) || defined(_ISOC99_SOURCE)
>> extern int snprintf(char *__restrict__, size_t, const char
>> *__restrict__, ...);
>> #endif /* _XOPEN_SOURCE >= 500 */
>>
>> So I guess _ALL_SOURCE will define it.
>
> Yeah, that looks like the problem.
>
>>> AIX provides the functions for verifying initial creds and the struct,
>>> but doesn't provide the initialization function?
>
>> Not that I know. Here is a list of calls which seem to be available.
>
> Yeah, it looks like it only has krb5_verify_init_creds and nothing else.
> That's really strange. Is there a prototype for krb5_verify_init_creds in
> the header files? If so, what is the final argument?
>
From krb5.h:
krb5_error_code KRB5_CALLCONV
krb5_verify_init_creds
(krb5_context context,
krb5_creds *creds,
krb5_principal ap_req_server,
krb5_keytab ap_req_keytab,
krb5_ccache *ccache,
krb5_verify_init_creds_opt *k5_vic_options);
> Is there any chance those functions are implemented with macros instead?
>
Not that I could find. ( -- IBM didn't spend much time cleaning up the
header files since krb5.h includes
void KRB5_CALLCONV
krb5_verify_init_creds_opt_init
(krb5_verify_init_creds_opt *k5_vic_options); --)
>>>> + if (realmstr) {
>>>> + names[2] = realmstr;
>>>> + names[3] = option;
>>>> + names[4] = 0;
>>>> + retval = profile_get_values(profile, names, &nameval);
>>>> + if (retval == 0 && nameval && nameval[0]) {
>>>> + *ret_value = strdup(nameval[0]);
>>>> + goto goodbye;
>>>> + }
>>>> + }
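Review bot: the result of `*ret_value = strdup(nameval[0]);` is not checked before `goto goodbye`, so an allocation failure leaves retval at 0 with *ret_value set to NULL and the caller sees a successful lookup with no value. Set retval to ENOMEM when strdup returns NULL. The list returned in nameval is also not released on this path in the lines shown, so confirm that the code at `goodbye` frees it. As a style point, `names[4] = 0;` reads more clearly with NULL as the terminator.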
>
>>> Hm, the functions like profile_get_values are internal Kerberos library
>>> functions. They're exported on AIX? I'm leery of calling them directly,
>>> since they're supposed to be internal and could therefore disappear
>>> again.
>
>> Yes the whole appdefault_get function is not exported, so I copied it
>> from the MIT sources and since it is internal I didn't have access to
>> the context structure, which is why I had to exclude a check of
>> context->magic. But the profile I could get with krb5_get_profile.
>
> Right, but what about profile_get_values? That's an internal function,
> although it does look like MIT exports it. The normal Kerberos API
> exports krb5_get_profile, but it doesn't provide any functions in krb5.h
> to use the resulting profile struct.
I think the old releases have krb5_get_profile in profile.h. The new ones
have it in krb5.h.
>
>> It is mainly the same as MIT, only some internal functions are not exported
>
> It looks like it's similar to MIT but with standard functions removed and
> other internal functions exported that MIT doesn't export. Several of
> those changes are rather baffling. For example, I wonder why they'd keep
> exporting all the profile_ functions but remove krb5_appdefaults_*.
>
Markus
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>