From hy93 at cornell.edu Fri May 1 08:07:09 2009
From: hy93 at cornell.edu (Hong Ye)
Date: Fri, 01 May 2009 08:07:09 -0400
Subject: Race condition in /ccache/cc_memory.c
In-Reply-To: <49FA0326.8040108@secure-endpoints.com>
References: <49F9BF5B.3070608@cornell.edu> <49F9FD40.3030601@secure-endpoints.com> <49FA001C.4070408@cornell.edu> <49FA0326.8040108@secure-endpoints.com>
Message-ID: <49FAE5ED.9010504@cornell.edu>

When our application crashed,

Call stack of one thread
krb5_32.dll!krb5_mcc_free(_krb5_context * context=0x023d87e0, _krb5_ccache * id=0x023d73e8) Line 170 + 0x3 bytes C
krb5_32.dll!krb5_mcc_destroy(_krb5_context * context=0x023d87e0, _krb5_ccache * id=0x023d73e8) Line 208 + 0xb bytes C
krb5_32.dll!krb5_cc_destroy(_krb5_context * context=0x023d87e0, _krb5_ccache * cache=0x023d73e8) Line 56 C

Call stack of another thread
krb5_32.dll!k5_os_mutex_lock(k5_os_mutex * m=0x01db3d7c) Line 653 + 0xd bytes C
krb5_32.dll!k5_mutex_lock_1(k5_mutex_t * m=0x01db3d6c, k5_debug_loc l={...}) Line 733 + 0xc bytes C
krb5_32.dll!profile_node_iterator(void * * iter_p=0x0124f4fc, profile_node * * ret_node=0x00000000, char * * ret_name=0x00000000, char * * ret_value=0x0124f4f8) Line 470 + 0x29 bytes C
krb5_32.dll!profile_get_value(_profile_t * profile=0x0243baa8, const char * * names=0x0124f56c, const char * * ret_value=0x0124f580) Line 184 + 0x11 bytes C
krb5_32.dll!profile_get_integer(_profile_t * profile=0x0243baa8, const char * name=0x1c08599c, const char * subname=0x1c085928, const char * subsubname=0x00000000, int def_val=4, int * ret_int=0x0124f5f8) Line 247 + 0x10 bytes C
krb5_32.dll!init_common(_krb5_context * * context=0x0124f738, unsigned int secure=0, unsigned int kdc=0) Line 236 C
krb5_32.dll!krb5_init_context(_krb5_context * * context=0x0124f738) Line 88 + 0xc bytes C
gssapi32.dll!krb5_gss_init_context(_krb5_context * * ctxp=0x0124f738) Line 1002 C
gssapi32.dll!krb5_gss_display_name(unsigned int * minor_status=0x0124f914, gss_name_struct * input_name=0x0243a900, gss_buffer_desc_struct * output_name_buffer=0x0124f8f4, gss_OID_desc_struct * * output_name_type=0x0124f904) Line 37 + 0x9 bytes C
gssapi32.dll!k5glue_display_name(void * ctx=0x00000000, unsigned int * minor_status=0x0124f914, gss_name_struct * input_name=0x0243a900, gss_buffer_desc_struct * output_name_buffer=0x0124f8f4, gss_OID_desc_struct * * output_name_type=0x0124f904) Line 564 + 0x11 bytes C
gssapi32.dll!gssint_display_internal_name(unsigned int * minor_status=0x0124f914, gss_OID_desc_struct * mech_type=0x0243c0b0, gss_name_struct * internal_name=0x0243a900, gss_buffer_desc_struct * external_name=0x0124f8f4, gss_OID_desc_struct * * name_type=0x0124f904) Line 418 + 0x18 bytes C
gssapi32.dll!gss_display_name(unsigned int * minor_status=0x0124f914, gss_name_struct * input_name=0x0243a820, gss_buffer_desc_struct * output_name_buffer=0x0124f8f4, gss_OID_desc_struct * * output_name_type=0x0124f904) Line 103 + 0x1a bytes C

Jeffrey Altman wrote:
> How have you confirmed that the issue you are experiencing is the one
> described in the Nov 2005?
>
> do you have a stack trace or a crash dump from the application?
>
> Hong Ye wrote:
>
>> latest release KFW 3.2.2.
>>
>> Jeffrey Altman wrote:
>>
>>> Hong Ye wrote:
>>>
>>>> Hi,
>>>>
>>>> Our authentication application developed using MIT kerberos crashed
>>>> in multi-thread environment on Windows. I found this post which
>>>> describes the same problem as we were seeing. The post was dated
>>>> Nov,2005. Has this problem been resolved in latest Kerberos library.
>>>> If not, is there work around?
>>>>
>>>> "Using the MEMORY credentials cache from multiple threads is not
>>>> thread-safe and crashes."
>>>> http://mailman.mit.edu/pipermail/krb5-bugs/2005-November/004061.html
>>>>
>>>> Any suggestions are appreciated,
>>>>
>>>> Hong
>>>>
>>> What version of KFW are you using?
>>>
>>
From: David.Bear at asu.edu (David Bear)
Date: Fri, 1 May 2009 09:22:51 -0700
Subject: KfW and NiM getting multiple TGT's
In-Reply-To: <49FA3736.7070108@secure-endpoints.com>
References: <1d1a54bf0904301436n353873b9v6911b2f37641dfb9@mail.gmail.com> <49FA3736.7070108@secure-endpoints.com>
Message-ID: <1d1a54bf0905010922p34a79cb2m8a5912b4e10c5f5b@mail.gmail.com>

On Thu, Apr 30, 2009 at 4:41 PM, Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
> David Bear wrote:
> > Normally, when we install KfW (currently using 3.2.2) on windows, we include
> > a krb5.ini file that is mostly the same as the krb5.conf we use on linux.
> > Our krb5.ini only has asu.edu realm information in it. We also have an AD
> > domain to which our windows clients are joined. When a user does a domain
> > logon, they normally get 2 credentials automatically, one for the AD domain,
> > and one for our ASU.EDU realm. This is the behavior we like.
> >
> > However, today, using the same configuration file, NiM is only reporting
> > credentials for the AD domain -- it is not automatically getting credentials
> > from the ASU.EDU realm. We have selected (obtain new creds at startup) and
> > (destroy all creds on exit) but this makes no difference. For some reason,
> > KfW is not getting all the creds we are used to at startup. Any advice on
> > how to get the behavior back that we want?
>
> NIM does not obtain the credentials. The KFW network provider
> (kfwlogon.dll) does this if and only if:
>
> 1. the password for the AD and MIT realms are the same
> 2. kfwlogon.dll is installed
> 3. the default realm in the krb5.ini file is the MIT realm
>
> The NIM obtain new creds at startup does not affect the kfwlogon.dll.
> What it does is prompt the user for credentials if there are none
> available at startup.

We have set the asu.edu realm to be the default realm in the krb5.ini file. The passwords between AD domains and MIT Krb realms are identical. Still, KfW doesn't auto-get asu.edu realm credentials. We can obtain credentials using NiM AFTER standard windows logon. But it is just not getting them automatically. Is there some other configuration option we have missed or munged?

> Jeffrey Altman

--
David Bear
College of Public Programs at ASU
602-464-0424

From: mullet.for.life at gmail.com (Troy)
Date: Fri, 1 May 2009 16:14:05 -0700
Subject: krb5-1.6.3 strange compile output on solaris 10 (x86)

I'm attempting, for the first time, to compile krb5-1.6.3 on an x86 solaris 10 host. This is what I see as the output:

$ sh configure
Killed
Killed
Killed
Killed

That doesn't look good to me.
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sat, 2 May 2009 00:18:41 -0400
Subject: krb5-1.6.3 strange compile output on solaris 10 (x86)
Message-ID: <3C609AD3-5D3A-433C-BBD3-DABF650B490C@mit.edu>

On May 1, 2009, at 19:14, Troy wrote:
> I'm attempting, for the first time, to compile krb5-1.6.3 on an x86 solaris
> 10 host. This is what I see as the output:
>
> $ sh configure
> Killed
> Killed
> Killed
> Killed
>
> That doesn't look good to me.

No... usually I've only seen "Killed" if the OS is hurting in some way -- insufficient memory, or disk errors in swap space, stuff like that. Or there's some sort of "gunner" process running hunting down processes to kill for some reason. I don't think there's anything particularly odd in the tests run by the configure script. You might check the system log(s) to see if anything interesting is being reported. If that doesn't tell you anything, you could try "sh -x configure" to see what programs are running that are being killed off.

We've done builds around MIT on Solaris 9 and 10 (on SPARC) for a long time now, and AFAIK haven't encountered this.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
From: mullet.for.life at gmail.com (Troy)
Date: Sat, 2 May 2009 13:22:30 -0700
Subject: krb5-1.6.3 strange compile output on solaris 10 (x86)
In-Reply-To: <3C609AD3-5D3A-433C-BBD3-DABF650B490C@mit.edu>
References: <3C609AD3-5D3A-433C-BBD3-DABF650B490C@mit.edu>

Thanks for the response. Running it with -x, I see this around each Killed, I'm not sure what it's all about. It's not killing any system processes, and the host isn't starved for resources. Also, nothing strange in the system log.

+ expr a : \(a\)
Killed
as_expr=false

On Fri, May 1, 2009 at 9:18 PM, Ken Raeburn wrote:
> On May 1, 2009, at 19:14, Troy wrote:
>
>> I'm attempting, for the first time, to compile krb5-1.6.3 on an x86 solaris
>> 10 host. This is what I see as the output:
>>
>> $ sh configure
>> Killed
>> Killed
>> Killed
>> Killed
>>
>> That doesn't look good to me.
>
> No... usually I've only seen "Killed" if the OS is hurting in some way --
> insufficient memory, or disk errors in swap space, stuff like that. Or
> there's some sort of "gunner" process running hunting down processes to kill
> for some reason. I don't think there's anything particularly odd in the
> tests run by the configure script. You might check the system log(s) to see
> if anything interesting is being reported. If that doesn't tell you
> anything, you could try "sh -x configure" to see what programs are running
> that are being killed off.
>
> We've done builds around MIT on Solaris 9 and 10 (on SPARC) for a long time
> now, and AFAIK haven't encountered this.
>
> --
> Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sat, 2 May 2009 18:17:41 -0400
Subject: krb5-1.6.3 strange compile output on solaris 10 (x86)
References: <3C609AD3-5D3A-433C-BBD3-DABF650B490C@mit.edu>
Message-ID: <09D83989-8A1D-48D1-8390-E604470C1B23@mit.edu>

On May 2, 2009, at 16:22, Troy wrote:
> Thanks for the response. Running it with -x, I see this around each
> Killed, I'm not sure what it's all about. It's not killing any
> system processes, and the host isn't starved for resources. Also,
> nothing strange in the system log.
>
> + expr a : \(a\)
> Killed
> as_expr=false

Sounds like whatever version of 'expr' you're using has problems. Can you run

  expr a : \(a\)

from the command line or does it die? You might also check what version of expr you're using (Solaris? some GNU package?) and see if it's broken in some way.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
From: mullet.for.life at gmail.com (Troy)
Date: Sat, 2 May 2009 19:23:36 -0700
Subject: krb5-1.6.3 strange compile output on solaris 10 (x86)
In-Reply-To: <09D83989-8A1D-48D1-8390-E604470C1B23@mit.edu>
References: <3C609AD3-5D3A-433C-BBD3-DABF650B490C@mit.edu> <09D83989-8A1D-48D1-8390-E604470C1B23@mit.edu>

Haha, my path had /usr/local/bin before /usr/bin, so I was using whatever version someone installed there which was missing a library. The stock solaris version works just fine. Thank you for the help.

On Sat, May 2, 2009 at 3:17 PM, Ken Raeburn wrote:
> On May 2, 2009, at 16:22, Troy wrote:
>
>> Thanks for the response. Running it with -x, I see this around each
>> Killed, I'm not sure what it's all about. It's not killing any system
>> processes, and the host isn't starved for resources. Also, nothing strange
>> in the system log.
>>
>> + expr a : \(a\)
>> Killed
>> as_expr=false
>
> Sounds like whatever version of 'expr' you're using has problems. Can you
> run
> expr a : \(a\)
> from the command line or does it die? You might also check what version of
> expr you're using (Solaris? some GNU package?) and see if it's broken in
> some way.
>
> --
> Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 04 May 2009 09:59:59 -0400
Subject: Race condition in /ccache/cc_memory.c
In-Reply-To: <49FAE5ED.9010504@cornell.edu>
References: <49F9BF5B.3070608@cornell.edu> <49F9FD40.3030601@secure-endpoints.com> <49FA001C.4070408@cornell.edu> <49FA0326.8040108@secure-endpoints.com> <49FAE5ED.9010504@cornell.edu>
Message-ID: <49FEF4DF.5080205@secure-endpoints.com>

The fix for this problem is not in KFW 3.2.2.
It was not pulled up to the 1.6 branch until 21 July 2008.
MIT has not issued a new version of the KFW libraries containing this fix.

Jeffrey Altman
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 04 May 2009 10:05:48 -0400
Subject: KfW and NiM getting multiple TGT's
In-Reply-To: <1d1a54bf0905010922p34a79cb2m8a5912b4e10c5f5b@mail.gmail.com>
References: <1d1a54bf0904301436n353873b9v6911b2f37641dfb9@mail.gmail.com> <49FA3736.7070108@secure-endpoints.com> <1d1a54bf0905010922p34a79cb2m8a5912b4e10c5f5b@mail.gmail.com>
Message-ID: <49FEF63C.30706@secure-endpoints.com>

David Bear wrote:
> On Thu, Apr 30, 2009 at 4:41 PM, Jeffrey Altman wrote:
>
>     David Bear wrote:
>     > Normally, when we install KfW (currently using 3.2.2) on windows, we include
>     > a krb5.ini file that is mostly the same as the krb5.conf we use on linux.
>     > Our krb5.ini only has asu.edu realm information in it. We also have an AD
>     > domain to which our windows clients are joined. When a user does a domain
>     > logon, they normally get 2 credentials automatically, one for the AD domain,
>     > and one for our ASU.EDU realm. This is the behavior we like.
>     >
>     > However, today, using the same configuration file, NiM is only reporting
>     > credentials for the AD domain -- it is not automatically getting credentials
>     > from the ASU.EDU realm. We have selected (obtain new creds at startup) and
>     > (destroy all creds on exit) but this makes no difference. For some reason,
>     > KfW is not getting all the creds we are used to at startup. Any advice on
>     > how to get the behavior back that we want?
>
>     NIM does not obtain the credentials. The KFW network provider
>     (kfwlogon.dll) does this if and only if:
>
>     1. the password for the AD and MIT realms are the same
>     2. kfwlogon.dll is installed
>     3. the default realm in the krb5.ini file is the MIT realm
>
>     The NIM obtain new creds at startup does not affect the kfwlogon.dll.
>     What it does is prompt the user for credentials if there are none
>     available at startup.
>
> We have set the asu.edu realm to be the default realm in the krb5.ini file.
> The passwords between AD domains and MIT Krb realms are identical. Still,
> KfW doesn't auto-get asu.edu realm credentials. We can obtain credentials
> using NiM AFTER standard windows logon. But it is just not getting them
> automatically. Is there some other configuration option we have missed
> or munged?

You should verify that the Network Provider kfwlogon.dll is installed and assuming that is true then you can turn on Windows Application Event Logging:

HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider "Debug" DWORD 0x01
From: hy93 at cornell.edu (Hong Ye)
Date: Mon, 04 May 2009 10:08:02 -0400
Subject: Race condition in /ccache/cc_memory.c
In-Reply-To: <49FEF4DF.5080205@secure-endpoints.com>
References: <49F9BF5B.3070608@cornell.edu> <49F9FD40.3030601@secure-endpoints.com> <49FA001C.4070408@cornell.edu> <49FA0326.8040108@secure-endpoints.com> <49FAE5ED.9010504@cornell.edu> <49FEF4DF.5080205@secure-endpoints.com>
Message-ID: <49FEF6C2.3010503@cornell.edu>

Thanks Jeff. When will MIT issue a new version of KFW? We are having trouble building 1.6 branch.

Hong

Jeffrey Altman wrote:
> The fix for this problem is not in KFW 3.2.2.
> It was not pulled up to the 1.6 branch until 21 July 2008.
> MIT has not issued a new version of the KFW libraries containing this fix.
>
> Jeffrey Altman
From: jr.aquino at citrixonline.com (Jr Aquino)
Date: Mon, 4 May 2009 12:17:51 -0700
Subject: Migrating from 1 Kerberos Realm to another, within the same DNS Domain.
Message-ID: <069268BF-7FB7-400A-8BED-A7AA25BA6426@citrixonline.com>

I am attempting to execute a migration from an older Krb5 system to a new Krb5 - eDirectory system. (2 different KDC's)

I am having trouble determining the best option for the clients to respect the new realm.

Is it possible to have multiple krb5 Realms within the same DNS Domain and have the clients respect the difference?

So far, it appears that I have the following options:

0. Change the DNS Domain name suffix for newly migrated hosts.
1. Create/Designate hierarchical DNS Sub-domains, migrate each system in each sub-domain in bulk. <- Add lines to every client krb5.conf to recognize the split.
2. Add thousands of lines to every client's krb5.conf file to map every single migrated host to the new realm.
3. Use dns_lookup_realm in the clients krb5.conf file

Can anyone confirm this list is complete, or suggest an alternative solution to migrate the hosts while allowing the clients to respect both Realms simultaneously?

Jr Aquino | Information Security Engineer
Citrix Online Division
Citrix Systems, Inc.
6500 Hollister Avenue
Goleta, CA 93117 USA
www.citrixonline.com
Desk: 805-690-3478
Email: jr.aquino at citrixonline.com
www.gotomypc.com | Access Your PC from Anywhere
www.gotomeeting.com | Online Meetings Made Easy
www.gotoassist.com | Remote Support Made Easy
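An added example (not code from this thread or from MIT krb5) of how a krb5 client decides which realm a host belongs to, so that options 1, 2 and 3 above can be checked against a list of hosts before every client's krb5.conf is touched. Realm names, host names and the TXT records are constructed placeholders; the lookup order is the one documented for krb5.conf and assumed here: exact host in [domain_realm], then dot-prefixed parent domains (most specific first), then DNS TXT records when dns_lookup_realm is on, then default_realm.

```python
"""Constructed model of krb5 host-to-realm resolution (added example)."""

DEFAULT_REALM = "OLD.EXAMPLE.COM"  # assumed: the legacy realm stays default

# Constructed [domain_realm] section. A key with a leading dot covers every
# host below that domain (option 1, sub-domain split); a key without one
# names exactly one host (option 2, one line per migrated host).
DOMAIN_REALM = {
    ".example.com": "OLD.EXAMPLE.COM",
    ".new.example.com": "NEW.EXAMPLE.COM",
    "db01.example.com": "NEW.EXAMPLE.COM",
}

# Constructed stand-in for _kerberos.<name> TXT records (option 3).
SIMULATED_TXT = {
    "_kerberos.app.example.com": "NEW.EXAMPLE.COM",
    "_kerberos.lab.example.org": "NEW.EXAMPLE.COM",
}


def realm_for_host(host, mapping=DOMAIN_REALM, dns_lookup_realm=False,
                   txt=SIMULATED_TXT, default_realm=DEFAULT_REALM):
    """Return (realm, rule), where rule names the step that decided it."""
    host = host.lower().rstrip(".")
    labels = host.split(".")

    # 1. Exact host entry (option 2).
    if host in mapping:
        return mapping[host], "domain_realm:host"

    # 2. Dot-prefixed parent domains, longest suffix first (option 1).
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], "domain_realm:" + parent

    # 3. DNS TXT records, consulted only when no profile entry matched.
    if dns_lookup_realm:
        for i in range(len(labels)):
            name = "_kerberos." + ".".join(labels[i:])
            if name in txt:
                return txt[name], "dns:" + name

    # 4. Nothing matched: the client falls back to default_realm.
    return default_realm, "default_realm"


def migration_report(hosts, **kwargs):
    """Map each host to (realm, rule); useful to diff old vs new config."""
    return {h: realm_for_host(h, **kwargs) for h in hosts}


if __name__ == "__main__":
    sample = ["web.new.example.com", "db01.example.com", "db02.example.com",
              "app.example.com", "lab.example.org", "box.other.org"]
    for h, (realm, rule) in migration_report(sample, dns_lookup_realm=True).items():
        print(f"{h:24} -> {realm:18} via {rule}")
```

Note the interaction the report makes visible: a catch-all ".example.com" entry in [domain_realm] wins before DNS is ever consulted, so a TXT record for app.example.com has no effect unless that entry is narrowed or removed.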
From: mr.zeus1 at gmail.com (bjacobson@us.ibm.com)
Date: Mon, 4 May 2009 15:51:29 -0700 (PDT)
Subject: Storing MIT-Kerberos authentication data in an LDAP backend
Message-ID: <042e58a9-672d-4ff2-af44-e3508ce2be92@r13g2000vbr.googlegroups.com>

Klaus Kiwi has written about storing MIT-Kerberos authentication data in an LDAP backend (one LDAP implementation is IBM Tivoli Directory Server). The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is a relatively new feature, introduced in MIT-Kerberos 1.6, available in RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server 11.

You can read about it at:
http://www.ratliff.net/blog/2009/04/29/kerberos_and_itds

From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Tue, 5 May 2009 14:52:20 +0200
Subject: Storing MIT-Kerberos authentication data in an LDAP backend
References: <042e58a9-672d-4ff2-af44-e3508ce2be92@r13g2000vbr.googlegroups.com>

On 2009-05-04, bjacobson at us.ibm.com wrote:
> The Kerberos LDAP backend (commonly referred to as KDB LDAP plugin) is
> a relatively new feature, introduced in MIT-Kerberos 1.6, available in
> RedHat Enterprise Linux 5.2 and Novell Suse Linux Enterprise Server
> 11.

It's not really available in RHEL5.2 (or 5.3-latest either).. The v1.6 MIT-Kerberos is there, but the ldap plugin isn't provided, so one will have to rebuild the packages to get it (and probably every time Red Hat decides to upgrade the krb5 packages).

But, Klaus's BluePrint looks great! I hope to use it to set up the same against Red Hat's own directory server instead of ITDS.

-jf
From: ravi.channavajhala at dciera.com (ravi channavajhala)
Date: Thu, 7 May 2009 00:09:40 +0530
Subject: kerberos tickets and the SPNs
Message-ID: <4a01d971.08b38c0a.776a.7f76@mx.google.com>

I'm setting up a Solaris 10 server as a test samba server with AD authentication. I'm running into a little bit of issue with Kerberos tickets. The setup is as follows

Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP (shipped with the distro) and IMU on windows. My LDAP client is working good and validates getent passwd and can run ldaplist -l passwd and ldapsearch, no issues. My ldap authentication is set to simple, with proxyDnuser.

On Solaris I'm very sure I setup the krb5.conf, smb.conf, pam.conf, nsswitch.conf, ntp.conf perfectly. The nsswitch is set to use 'files ldap' for both passwd and group and dns files for hosts. On windows the IMU, UNIX attributes are set to the correct NIS domain.

I ran net ads join to successfully join the Solaris server into the AD, however net ads keytab create simply returns a new line without any errors. When I checked on windows, after net ADS join command, I see two service principals (SPN), the capitalization is intentional as this is how they appear when I run spnset hostname

HOST/HOSTNAME
HOST/hostname.domain.com (FQDN)

I also setup a service account name (user object) on Windows whose name is same as the hostname (computer object). I generated the keytab file with

ktpass -princ host/fqdn at REALM -mapuser DOMAIN\SERVICEACCT$ -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

I then ftped this file over to Solaris host and try to authenticate a user login via AD, I get

PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos database

So, just for the heck of it I generated another krb5.keytab with the following

ktpass -princ HOST/fqdn at REALM -mapuser DOMAIN\SERVICEACCT$ -pass password -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

Please note the HOST in capitals. Now, I get this error testing with this keytab

PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

Running PAM in debug mode didn't reveal anything specific other than the obvious.

I have my DNS setup correctly and the nslookup for DCs, GCs and LDAP servers return properly. I can add the SPNs forcibly with host/hostname.domain.com and host/hostname and try different combinations. But..first I need to understand this behavior, anyone???
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 06 May 2009 14:33:17 -0500
Subject: kerberos tickets and the SPNs
In-Reply-To: <4a01d971.08b38c0a.776a.7f76@mx.google.com>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com>
Message-ID: <4A01E5FD.5030107@anl.gov>

Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive.

Normally Kerberos host/hostname at REALM has "host" in lower case.
So why Samba net ADS join is using upper case is not clear.

If the net ads join adds the SPN in uppercase, then the ktpass
with lower case, it will work, as windows is case insensitive
and the SPN already exists.

You could try changing the SPN to lower case.

ravi channavajhala wrote:
> I'm setting up a Solaris 10 server as a test samba server with AD
> authentication. I'm running into a little bit of issue with Kerberos
> tickets. The setup is as follows
>
> Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP
> (shipped with the distro) and IMU on windows. My LDAP client is working
> good and validates getent passwd and can run ldaplist -l passwd
> and ldapsearch, no issues. My ldap authentication is set to simple,
> with proxyDnuser.
>
> On Solaris I'm very sure I setup the krb5.conf, smb.conf, pam.conf,
> nsswitch.conf, ntp.conf perfectly. The nsswitch is set to use 'files ldap'
> for both passwd and group and dns files for hosts. On windows the IMU, UNIX
> attributes are set to the correct NIS domain.
>
> I ran net ads join to successfully join the Solaris server into the AD,
> however net ads keytab create simply returns a new line without any errors.
> When I checked on windows, after net ADS join command, I see two service
> principals (SPN), the capitalization is intentional as this is how they
> appear when I run spnset hostname
>
> HOST/HOSTNAME
> HOST/hostname.domain.com (FQDN)
>
> I also setup a service account name (user object) on Windows whose name is
> same as the hostname (computer object). I generated the keytab file with
>
> ktpass -princ host/fqdn at REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

So you have two accounts with the same SPN? (differing by case only?)
Or did you remove the net ads join created entry first?

> I then ftped this file over to Solaris host and try to authenticate a user
> login via AD, I get
>
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
> database

Could be the case issue. krb5 is looking for "host"

> So, just for the heck of it I generated another krb5.keytab with the
> following
>
> ktpass -princ HOST/fqdn at REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>
> Please note the HOST in capitals. Now, I get this error testing with this
> keytab
>
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>
> Running PAM in debug mode didn't reveal anything specific other than the
> obvious.

Wireshark could be used to see the network traffic between server and KDC.
This sounds like a case issue...

> I have my DNS setup correctly and the nslookup for DCs, GCs and LDAP servers
> return properly. I can add the SPNs forcibly with host/hostname.domain.com
> and host/hostname and try different combinations. But..first I need to
> understand this behavior, anyone???

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Thu, 7 May 2009 01:27:22 +0530
Subject: kerberos tickets and the SPNs
In-Reply-To: <4A01E5FD.5030107@anl.gov>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <4A01E5FD.5030107@anl.gov>
Message-ID: <73739dc10905061257y2d872683xcebe0a54e7b0ed89@mail.gmail.com>

On Thu, May 7, 2009 at 1:03 AM, Douglas E. Engert wrote:
>
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostname@REALM has "host" in lower case.
> So why Samba net ADS join is using upper case is not clear.

Just to be sure, I did delete the computer object from AD and re-created it
from net ads, the SPNs appear again in the same way.

> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.

I might as well add new SPNs with spnset -A option

>> HOST/HOSTNAME
>> HOST/hostname.domain.com (FQDN)
>
> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?

Yeah, but they are two different objects, one is a computer and the other is
a user. In the above case the two SPNs are for the computer object only as
indicated by the host. The SPN for user object appears typically
DOMAIN\USERNAME

>> I then ftped this file over to Solaris host and try to authenticate a user
>> login via AD, I get
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
>> database
>
> Could be the case issue. krb5 is looking for "host"

Looks like it, as I get different error messages depending on how I specify
the ktpass -princ with either host or HOST.

>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
>
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...

It sure is, but my problem is how to avoid manual work in case a future
server base is being built and I have to do a monkey boy's job of checking
SPNs and adding/removing... there must be a way out of this. I got oodles of
ldap traffic captured with snoop, which I will look into further.

From huaraz at moeller.plus.com Wed May 6 15:49:51 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Wed, 6 May 2009 20:49:51 +0100
Subject: kerberos tickets and the SPNs
In-Reply-To:
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com>
Message-ID:

"Douglas E. Engert" wrote in message
news:mailman.17.1241638415.9729.kerberos at mit.edu...
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostname@REALM has "host" in lower case.
> So why Samba net ADS join is using upper case is not clear.
>
> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.

You could add a copy to the keytab with ktutil which has an uppercase HOST,
e.g.

# ktutil
ktutil:  rkt /tmp/test.keytab
ktutil:  l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3      host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
ktutil:  addent -key -p HOST/opensuse11.suse.home@SUSE.HOME -k 3 -e rc4-hmac
Key for HOST/opensuse11.suse.home@SUSE.HOME (hex): d962b1ecc18a809eb57c4a031193623a
ktutil:  l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3      host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
   2    3      HOST/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
ktutil:  wkt /tmp/new.keytab
ktutil:  quit

From lukeh at padl.com Wed May 6 20:49:37 2009
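Markus's ktutil session above appends a second entry, under HOST/..., that carries the same key and kvno as the existing host/... entry, which is what satisfies krb5's exact-case lookup. The Python below is an added example, not code from the thread or from MIT Kerberos: it writes and parses the MIT keytab binary layout, shows the case-sensitive lookup behind "Key table entry not found", flags principals that differ only by case, and appends the alias the way `addent -key` does. The principal and key are the ones shown in the listing; the function names and the sample keytab are constructed here.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"        # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1             # name type ktpass/ktutil use for host/ SPNs
ENCTYPE_ARCFOUR_HMAC = 23         # "rc4-hmac" in the ktutil listing

# Principal and key as printed by `ktutil: l -k` in the thread (a test key).
SAMPLE_PRINC = "host/opensuse11.suse.home@SUSE.HOME"
SAMPLE_KEY = bytes.fromhex("d962b1ecc18a809eb57c4a031193623a")


def _counted(b: bytes) -> bytes:
    """16-bit length-prefixed octet string, used for the realm and each component."""
    return struct.pack(">H", len(b)) + b


def encode_entry(principal, kvno, enctype, key, timestamp=0) -> bytes:
    """Serialize one entry (v2 layout: the component count excludes the realm)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)             # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body  # positive size = live slot


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key) tuples."""
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)


def _read_counted(data, p):
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n


def parse_keytab(data: bytes):
    """Return one dict per live entry, in file order (like `ktutil: l -k`)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                            # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(data, p)
            comps.append(comp)
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        key = data[p + 13:p + 13 + klen]
        p += 13 + klen
        kvno = vno8
        if end - p >= 4:                        # newer writers append a 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def lookup(entries, principal):
    """Exact, case-sensitive match: the comparison krb5 makes before it
    reports "Key table entry not found"."""
    return [e for e in entries if e["principal"] == principal]


def case_only_variants(entries):
    """Principals present in spellings that differ only by case
    (one SPN to Active Directory, two distinct principals to krb5)."""
    folded = {}
    for e in entries:
        folded.setdefault(e["principal"].lower(), set()).add(e["principal"])
    return {k: sorted(v) for k, v in folded.items() if len(v) > 1}


def add_alias(data: bytes, principal: str, alias: str) -> bytes:
    """Append a copy of every `principal` entry under `alias`, keeping kvno,
    enctype and key: the same effect as `ktutil: addent -key ...` above."""
    src = lookup(parse_keytab(data), principal)
    if not src:
        raise KeyError(principal)
    return data + b"".join(
        encode_entry(alias, e["kvno"], e["enctype"], e["key"]) for e in src)


if __name__ == "__main__":
    kt = build_keytab([(SAMPLE_PRINC, 3, ENCTYPE_ARCFOUR_HMAC, SAMPLE_KEY)])
    kt = add_alias(kt, SAMPLE_PRINC, SAMPLE_PRINC.replace("host/", "HOST/", 1))
    for i, e in enumerate(parse_keytab(kt), 1):
        print(f"{i:4} {e['kvno']:4}  {e['principal']} (0x{e['key'].hex()})")
    print("case-only variants:", case_only_variants(parse_keytab(kt)))
```

The parser also skips deleted slots (negative size), which `ktutil delent` leaves behind, so it can be pointed at a real keytab to list which spellings of a service principal are actually present.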
From: lukeh at padl.com (Luke Howard)
Date: Thu, 7 May 2009 10:49:37 +1000
Subject: kerberos tickets and the SPNs
In-Reply-To:
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com>
Message-ID:

FWIW MIT Kerberos 1.7 will address this.

-- Luke

On 07/05/2009, at 5:49 AM, Markus Moeller wrote:
>
> "Douglas E. Engert" wrote in message
> news:mailman.17.1241638415.9729.kerberos at mit.edu...
>> Windows treats principal names as case insensitive.
>> Kerberos treats them as case sensitive.
>>
>> Normally Kerberos host/hostname@REALM has "host" in lower case.
>> So why Samba net ADS join is using upper case is not clear.
>>
>> If the net ads join adds the SPN in uppercase, then the ktpass
>> with lower case, it will work, as windows is case insensitive
>> and the SPN already exists.
>>
>> You could try changing the SPN to lower case.
>
> You could add a copy to the keytab with ktutil which has an
> uppercase HOST

-- 
www.padl.com | www.fghr.net

From ravi.channavajhala at dciera.com Wed May 6 23:39:38 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Thu, 7 May 2009 09:09:38 +0530
Subject: kerberos tickets and the SPNs
In-Reply-To:
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com>
Message-ID: <73739dc10905062039l1a9547aetc525969abb0efcae@mail.gmail.com>

On Thu, May 7, 2009 at 1:19 AM, Markus Moeller wrote:
>
> You could add a copy to the keytab with ktutil which has an uppercase HOST
> e.g.
>
> # ktutil
> ktutil:  rkt /tmp/test.keytab
> ktutil:  l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3      host/opensuse11.suse.home@SUSE.HOME
> (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil:  addent -key -p HOST/opensuse11.suse.home@SUSE.HOME -k 3 -e rc4-hmac
> Key for HOST/opensuse11.suse.home@SUSE.HOME (hex):
> d962b1ecc18a809eb57c4a031193623a
> ktutil:  l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3      host/opensuse11.suse.home@SUSE.HOME
> (0xd962b1ecc18a809eb57c4a031193623a)
>    2    3      HOST/opensuse11.suse.home@SUSE.HOME
> (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil:  wkt /tmp/new.keytab
> ktutil: quit

Interesting. This means I need to have all the SPNs included in the keytab?
Do you see an inherent problem with deleting the existing SPNs on windows KDC
and adding only one SPN of the form host/fqdn and generating the keytab?

From petesea at bigfoot.com Thu May 7 14:21:21 2009
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Thu, 07 May 2009 11:21:21 -0700 (PDT)
Subject: Sudo w/Ticket Support
Message-ID:

Is there a version of sudo that supports Ticket Exchange? i.e. if I have a
valid TGT it will allow me to sudo without being prompted for a password?

It appears there is a version that supports the use of Kerberos passwords,
but I'm looking for something that uses that TGT I already have.

From miguel.sanders at arcelormittal.com Thu May 7 14:29:46 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu, 7 May 2009 20:29:46 +0200
Subject: Sudo w/Ticket Support
In-Reply-To:
References:
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>

Afaik that's not available yet (however, you could integrate it yourself).
But if you already obtained a TGT, why bother authenticating again?
But not use just use NOPASSWD.

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of petesea at bigfoot.com
Sent: Thursday, 7 May 2009 20:21
To: kerberos at mit.edu
Subject: Sudo w/Ticket Support

Is there a version of sudo that supports Ticket Exchange? i.e. if I have a
valid TGT it will allow me to sudo without being prompted for a password?

It appears there is a version that supports the use of Kerberos passwords,
but I'm looking for something that uses that TGT I already have.

****
This message and any attachment are confidential, intended solely for the use
of the individual or entity to whom it is addressed and may be protected by
professional secrecy or intellectual property rights. If you have received it
by mistake, or are not the named recipient(s), please immediately notify the
sender and delete the message. You are hereby notified that any unauthorized
use, copying or dissemination of any or all information contained in this
message is prohibited. Arcelormittal shall not be liable for the message if
altered, falsified, or in case of error in the recipient. This message does
not constitute any right or commitment for ArcelorMittal except when expressly
agreed otherwise in writing in a separate agreement.
****

From miguel.sanders at arcelormittal.com Thu May 7 14:32:35 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu, 7 May 2009 20:32:35 +0200
Subject: Sudo w/Ticket Support
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA4F67@GEN-MXB-V04.msad.arcelor.net>

Last sentence should have been: "Why not use NOPASSWD?"
I'm getting tired...

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

From petesea at bigfoot.com Thu May 7 17:15:11 2009
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Thu, 07 May 2009 14:15:11 -0700 (PDT)
Subject: Sudo w/Ticket Support
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>
Message-ID:

On Thu, 7 May 2009, miguel.sanders at arcelormittal.com wrote:

> Afaik that's not available yet (however, you could integrate it yourself).

Bummer.

> But if you already obtained a TGT, why bother authenticating again?

Because sudo prompts me. That's what I'm trying to avoid. I'd like sudo to
look at my ticket cache, see that I already have a valid TGT and give me
access without being prompted for a password.

>> But not use just use NOPASSWD.
> Last sentence should have been: "Why not use NOPASSWD?"

Main reason for not setting NOPASSWD is because I don't have control over the
sudoers file on most of the systems I have access to. And the SA's are very
reluctant to use "NOPASSWD". I believe they just want that extra layer of
protection in case a workstation is left unattended.

I do see what you mean though. From a security standpoint, if sudo was
capable of using an existing TGT, that doesn't seem like it would be too much
different than using NOPASSWD in the sudoers file.

From cclausen at acm.org Thu May 7 17:35:58 2009
From: cclausen at acm.org (Christopher D. Clausen)
Date: Thu, 7 May 2009 16:35:58 -0500
Subject: Sudo w/Ticket Support
References: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <42710EB12789487A8095FA98CB01F1DE@CDCHOME>

petesea at bigfoot.com wrote:
> Main reason for not setting NOPASSWD is because I don't have control
> over the sudoers file on most of the systems I have access to. And
> the SA's are very reluctant to use "NOPASSWD".

Do you know about the ksu command? Or using a ~root/.k5login and
ssh -o "GssapiAuthentication yes" root@`hostname` ?

> I believe they just want that extra layer of protection in case a
> workstation is left unattended.

People who leave workstations unattended should not have sudo access.
Also, if unattended and the tickets are still valid, someone can still use
them.

> I do see what you mean though. From a security standpoint, if sudo
> was capable of using an existing TGT, that doesn't seem like it would
> be too much different than using NOPASSWD in the sudoers file.

Yes, exactly. Except it will stop working once the tickets expire, so there
is some trivial level of safety.

< (petesea@bigfoot.com's message of "Thu\, 07 May 2009 14\:15\:11 -0700 \(PDT\)")
References: <7DF29B50FFF41848BB2281EC2E71A206BA4F66@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <87iqkcbnh3.fsf@windlord.stanford.edu>

petesea at bigfoot.com writes:

> I'd like sudo to look at my ticket cache, see that I already have a
> valid TGT and give me access without being prompted for a password.

If it helps at all, this is what ksu does. It's more limited than sudo, but
it does have some facilities for letting people run only certain commands.

-- 
Russ Allbery (rra at stanford.edu)

From huaraz at moeller.plus.com Thu May 7 18:56:55 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Thu, 7 May 2009 23:56:55 +0100
Subject: kerberos tickets and the SPNs
In-Reply-To:
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com>
Message-ID:

"Ravi Channavajhala" wrote in message
news:mailman.20.1241667589.9729.kerberos at mit.edu...
> On Thu, May 7, 2009 at 1:19 AM, Markus Moeller wrote:
>>
>> You could add a copy to the keytab with ktutil which has an uppercase
>> HOST
>
> Interesting. This means I need to have all the SPNs included in the
> keytab? Do you see an inherent problem with deleting the existing
> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
> generating the keytab?

The best would be to have one entry in AD with the host/fqdn syntax. If you
have clients requesting HOST/fqdn just use the above method to add a second
entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
way as it is case insensitive, so no need to add a second entry to AD.

Markus

From SMchugh at grey.com Thu May 7 20:02:06 2009
From: SMchugh at grey.com (Mchugh, Sean)
Date: Thu, 7 May 2009 20:02:06 -0400
Subject: cannot kinit to AD realm using alternative dns name
Message-ID:

Looking for some advice on how to proceed or if anyone has had the same
issue; google hasn't come to my rescue yet:

Our Active Directory 2003 domain is called: GGG.LOCAL
Our userprincipalnames are setup to match our smtp address, in this case
username@grey.com

I can kinit successfully with: username@GGG.LOCAL
But not with: username@grey.com _or_ username@ggg.local ; error message is:
"kinit(v5): KRB5 error code 68 while getting initial credentials"

Running Centos 5.2 with the following krb5 packages installed:

krb5-libs-1.6.1-31.el5_3.3
pam_krb5-2.2.14-1.el5_2.1
pam_krb5-2.2.14-1.el5_2.1
krb5-libs-1.6.1-31.el5_3.3
krb5-workstation-1.6.1-31.el5_3.3
krb5-devel-1.6.1-31.el5_3.3

Following SRV record was manually added:
_kerberos._tcp.grey.com 0 100 88 dc.ggg.local.

Following is /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GGG.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[domain_realm]
 .ggg.grey.global = GGG.LOCAL
 ggg.grey.global = GGG.LOCAL
 .grey.com = GGG.LOCAL
 grey.com = GGG.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
  validate = true
 }

Sean McHugh
VP, Dir. of Global Services
Grey Group
p. 212-546-1926
m. smchugh at grey.com
c. 917-916-8644

From ravi.channavajhala at dciera.com Fri May 8 02:07:56 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Fri, 8 May 2009 11:37:56 +0530
Subject: kerberos tickets and the SPNs
In-Reply-To:
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com>
Message-ID: <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com>

On Fri, May 8, 2009 at 4:26 AM, Markus Moeller wrote:
>> Interesting. This means I need to have all the SPNs included in the
>> keytab? Do you see an inherent problem with deleting the existing
>> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
>> generating the keytab?
>>
>
> The best would be to have one entry in AD with the host/fqdn syntax. If you
> have clients requesting HOST/fqdn just use the above method to add a second
> entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
> way as it is case insensitive, so no need to add a second entry to AD.

I deleted the computer object in AD, waited for the replication to complete
and then re-added the AD object. Now the SPN appears as

host/host.fqdn

Which is good. I ran the ktpass to generate the new keys for this host using
the SPN created with the correct realm. Now, when Solaris is trying to
authenticate an AD user, I still get the server not found in kerberos
database; modifying the keytab manually with ktutil on solaris gives me
PAM-KRB5 (auth) the key table entry not found. If it is of any academic
value, in the -mapuser switch I used an ordinary AD user (not even a service
account) whose name is the same as the computer name. One is cn=users, the
other cn=computers, so I don't believe this could be the problem. For kicks,
I created another user whose name is not the same as the host and tried...no
luck. So having distinct SPN, UPNs also didn't work.

As a last desperate measure, is there any elegant way to examine the kerberos
database to see if a sticky reference to the host principal is lingering
around and forcibly delete it? This is really getting a bit vexing

From deengert at anl.gov Fri May 8 10:16:52 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 08 May 2009 09:16:52 -0500
Subject: cannot kinit to AD realm using alternative dns name
In-Reply-To:
References:
Message-ID: <4A043ED4.3040800@anl.gov>

Mchugh, Sean wrote:
> Looking for some advice on how to proceed or if anyone has had the same
> issue; google hasn't come to my rescue yet:
>
> Our Active Directory 2003 domain is called: GGG.LOCAL
> Our userprincipalnames are setup to match our smtp address, in this case
> username@grey.com
>
> I can kinit successfully with: username@GGG.LOCAL

Correct, Kerberos principals are case sensitive (but Windows and DNS
are insensitive.)
So your realm name is GGG.LOCAL, so it must be upper case.

> But not with: username@grey.com _or_ username@ggg.local ; error message

Won't work, as there is no realm called grey.com (or GREY.COM).
username@ggg.local might get further, but I bet the Windows returns
username@GGG.LOCAL and kinit gets confused, as ggg.local != GGG.LOCAL

> is: "kinit(v5): KRB5 error code 68 while getting initial credentials"
>
> Running Centos 5.2 with the following krb5 packages installed:
>
> krb5-libs-1.6.1-31.el5_3.3
> pam_krb5-2.2.14-1.el5_2.1
> pam_krb5-2.2.14-1.el5_2.1
> krb5-libs-1.6.1-31.el5_3.3
> krb5-workstation-1.6.1-31.el5_3.3
> krb5-devel-1.6.1-31.el5_3.3
>
> Following SRV record was manually added:
> _kerberos._tcp.grey.com 0 100 88 dc.ggg.local.

The above does not look correct. Even if the krb libs find via DNS the
dc.ggg.local KDC, the KDC does not support the realm grey.com: only GGG.LOCAL
(or ggg.local)

> Following is /etc/krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = GGG.LOCAL
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [domain_realm]
>  .ggg.grey.global = GGG.LOCAL
>  ggg.grey.global = GGG.LOCAL
>  .grey.com = GGG.LOCAL
>  grey.com = GGG.LOCAL
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>   validate = true
>  }

So use uppercase realm names with Kerberos apps.

> Sean McHugh
> VP, Dir. of Global Services
> Grey Group
> p. 212-546-1926
> m. smchugh at grey.com
> c. 917-916-8644

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Fri May 8 10:40:20 2009
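Douglas's point is that [domain_realm] maps host names to realms (for picking the realm of a service principal) and is never used to rewrite the realm typed after "@" to kinit, which goes to the KDC exactly as entered. The script below is an added example, not code from the thread or from MIT Kerberos: it applies the posted [domain_realm] section with the lookup order krb5 uses for host names (exact entry, then parent domains with a leading dot), and shows why both "grey.com" and ".grey.com" lines are needed and why "username@grey.com" still names a realm the AD KDC does not serve. The function names and the embedded config excerpt are constructed here.

```python
import re

# Constructed excerpt of the /etc/krb5.conf posted in this thread
# ([libdefaults] and [domain_realm] only).
KRB5_CONF = """\
[libdefaults]
 default_realm = GGG.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true

[domain_realm]
 .ggg.grey.global = GGG.LOCAL
 ggg.grey.global = GGG.LOCAL
 .grey.com = GGG.LOCAL
 grey.com = GGG.LOCAL
"""


def parse_krb5_conf(text):
    """Minimal [section] / key = value reader, enough for the sections above."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return sections


def host_to_realm(domain_realm, host):
    """[domain_realm] lookup as krb5 applies it to a *host name*: the exact
    name first, then each parent domain written with a leading dot.  Returns
    None when nothing matches (krb5 would then fall back to DNS or the
    default realm); the realm string is returned exactly as configured."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def kinit_principal(argument, default_realm):
    """How kinit forms the client principal: a realm written after '@' is
    used exactly as typed (case included); otherwise default_realm is
    appended.  [domain_realm] plays no part in this step."""
    return argument if "@" in argument else f"{argument}@{default_realm}"


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    dr, realm = conf["domain_realm"], conf["libdefaults"]["default_realm"]
    for h in ("mail.grey.com", "grey.com", "dc.ggg.local"):
        print(f"{h:15} -> {host_to_realm(dr, h)}")
    for arg in ("username", "username@grey.com", "username@ggg.local"):
        print(f"kinit {arg:20} asks KDC for {kinit_principal(arg, realm)}")
```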
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 08 May 2009 09:40:20 -0500
Subject: kerberos tickets and the SPNs
In-Reply-To: <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com>
Message-ID: <4A044454.4050900@anl.gov>

Ravi Channavajhala wrote:
> On Fri, May 8, 2009 at 4:26 AM, Markus Moeller wrote:
>
>>> Interesting. This means I need to have all the SPNs included in the
>>> keytab? Do you see an inherent problem with deleting the existing
>>> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
>>> generating the keytab?
>>>
>> The best would be to have one entry in AD with the host/fqdn syntax. If you
>> have clients requesting HOST/fqdn just use the above method to add a second
>> entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
>> way as it is case insensitive, so no need to add a second entry to AD.
>
> I deleted the computer object in AD, waited for the replication to
> complete and then re-added the AD object. Now the SPN appears as

Note that the MS documentation says to add a "user" account, not a
"computer" account. (Sounds counterintuitive...)

http://technet.microsoft.com/en-us/library/bb742433.aspx

  To configure the UNIX hosts
  Use the Active Directory Management tool to create a new user account for
  the UNIX host:
  Select the Users folder, right-click and select New, then choose user.
  Type the name of the UNIX host.

(Last line is pick a unique name in the forest for the account, i.e. it is
used as the SamAccountName (without the $) so must be 19 characters. Use some
convention, like h-name-dept where h is short for host, name is the simple
host name, and dept. (We have department DNS domains, but the AD is site
wide.)

The ktpass then *ADDS* the SPN to the user account using the -principal
option.

I am pretty sure if you create a "computer" account, the SPN gets added
during account creation, and that is why you are seeing the uppercase HOST.

> host/host.fqdn
>
> Which is good. I ran the ktpass to generate the new keys for this
> host using the SPN created with the correct realm. Now, when Solaris
> is trying to authenticate an AD user, I still get the server not found
> in kerberos database, modifying the keytab manually with ktutil on
> solaris gives me PAM-KRB5 (auth) the key table entry not found. If it
> is of any academic value, in the -mapuser switch I used an ordinary
> AD user (not even a service account) whose name is the same as the
> computer name.

The ktpass -mapuser user refers to the account created to hold the
principal, above, not a real user.

> One is cn=users, the other cn=computers, so I don't

It does not matter where it is located, but follow some convention, like
create a cn=Unix and you can have Unix admins given rights to add accounts to
this subtree.

> believe this could be the problem. For kicks, I created another
> user whose name is not the same as the host and tried...no luck. So
> having distinct SPN, UPNs also didn't work.
>
> As a last desperate measure, is there any elegant way to examine the
> kerberos database to see if a sticky reference to the host principal
> is lingering around and forcibly delete it? This is really getting a
> bit vexing

You could use ldapsearch and filter for "(serviceprincipalname=host/fqdn)"
or "(dnshostname=fqdn)"

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From SMchugh at grey.com Fri May 8 10:55:30 2009
From: SMchugh at grey.com (Mchugh, Sean)
Date: Fri, 8 May 2009 10:55:30 -0400
Subject: cannot kinit to AD realm using alternative dns name
In-Reply-To: <4A043ED4.3040800@anl.gov>
References: <4A043ED4.3040800@anl.gov>
Message-ID:

Douglas E. Engert [mailto:deengert at anl.gov] wrote:
>
> [..]
>
> Correct, Kerberos principals are case sensitive, (but Windows and DNS
> are insensitive.)
> So your realm name is GGG.LOCAL so must be upper case.
>
> > But not with: username at grey.com _or_ username at ggg.local ; error message

... thanks for the clarification. I was under the impression that
applications use [domain_realm] mappings to translate the RHS of the
userprincipalname to ucase or map the dns domain. After re-reading the man
page section I understand the purpose now.

From aashish.jaipur at gmail.com Fri May 8 03:45:56 2009
From: aashish.jaipur at gmail.com (sonu)
Date: Fri, 8 May 2009 00:45:56 -0700 (PDT)
Subject: Failed to validate remote GSSAPI token
Message-ID:

Hi all,

I am getting this error while trying to run a kerberos transaction on IIS7
with AD as KDC:

SmKcc::getCredentials][Failed to validate remote GSSAPI token: Key table entry not found

Please help.

aashish.

From w.imig at elo.com Fri May 8 07:32:39 2009
From: w.imig at elo.com (Imig, Wolfgang)
Date: Fri, 8 May 2009 13:32:39 +0200
Subject: C# Client and Java Server
Message-ID: <0001015E4F9DF648B80ED5CF2A331F2101292265@negril>

Hello,

we use the JASS to authenticate a Java client to a Java server (J2EE
Servlet). The client calls GSSContext.initSecContext to generate an
authentication token and the server checks it by calling
GSSContext.acceptSecContext. This works fine.

Now, we want to authenticate a C# client (>= WindowsXP) to our server. Thus
some C# or C++ code has to replace the GSSContext.initSecContext. I tried to
obtain a Kerberos ticket using LsaCallAuthenticationPackage with
KERB_RETRIEVE_TKT_REQUEST. But the resulting ticket is not accepted by the
GSSContext.acceptSecContext.

Does anyone know how to obtain a Kerberos ticket in a C# or C++ application
that is accepted by the JASS functions?

Thanks
Wolfgang
---

ELO Digital Office GmbH

Registered office: Heilbronner Strasse 150, 70191 Stuttgart
Phone: +49 711 806089-0, Fax: +49 711 806089-19, Web: www.elo.com

Managing directors: Karl Heinz Mosbach, Matthias Thiele
BW-Bank, account no. 2089782, bank code 600 501 01

Commercial register Stuttgart HRB 15059 - VAT ID: DE812471516

From deengert at anl.gov Fri May 8 12:21:27 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 08 May 2009 11:21:27 -0500
Subject: C# Client and Java Server
In-Reply-To: <0001015E4F9DF648B80ED5CF2A331F2101292265@negril>
References: <0001015E4F9DF648B80ED5CF2A331F2101292265@negril>
Message-ID: <4A045C07.5050200@anl.gov>

Imig, Wolfgang wrote:
> Hello,
>
> we use the JASS to authenticate a Java client to a Java server (J2EE
> Servlet).
> The client calls GSSContext.initSecContext to generate an authentication
> token and the server checks it by calling GSSContext.acceptSecContext.
> This works fine.
>

SSPI uses GSSAPI protocols. Can your C# or C++ use SSPI?

> Now, we want to authenticate a C# client (>= WindowsXP) to our server.
> Thus some C# or C++ code has to replace the GSSContext.initSecContext. I
> tried to obtain a Kerberos ticket using LsaCallAuthenticationPackage
> with KERB_RETRIEVE_TKT_REQUEST. But the resulting ticket is not accepted
> by the GSSContext.acceptSecContext.
>
> Does anyone know how to obtain a Kerberos ticket in a C# or C++
> application that is accepted by the JASS functions?
>
> Thanks
> Wolfgang
> ---
>
> ELO Digital Office GmbH
>
> Registered office: Heilbronner Strasse 150, 70191 Stuttgart
> Phone: +49 711 806089-0, Fax: +49 711 806089-19, Web: www.elo.com
>
> Managing directors: Karl Heinz Mosbach, Matthias Thiele
> BW-Bank, account no. 2089782, bank code 600 501 01
>
> Commercial register Stuttgart HRB 15059 - VAT ID: DE812471516
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From paul.moore at centrify.com Fri May 8 12:27:02 2009
From: paul.moore at centrify.com (Paul Moore)
Date: Fri, 8 May 2009 09:27:02 -0700
Subject: C# Client and Java Server
In-Reply-To: <4A045C07.5050200@anl.gov>
References: <0001015E4F9DF648B80ED5CF2A331F2101292265@negril> <4A045C07.5050200@anl.gov>
Message-ID:

msft has sample wrapper of C# using SSPI - google msdn a bit

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert
Sent: Friday, May 08, 2009 9:21 AM
To: Imig, Wolfgang
Cc: kerberos at mit.edu
Subject: Re: C# Client and Java Server

From ravi.channavajhala at dciera.com Fri May 8 14:55:37 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Sat, 9 May 2009 00:25:37 +0530
Subject: kerberos tickets and the SPNs
In-Reply-To: <4A044454.4050900@anl.gov>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com> <4A044454.4050900@anl.gov>
Message-ID: <73739dc10905081155m736f59cet671bcf0bad267eae@mail.gmail.com>

On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert wrote:
>> I deleted the computer object in AD, waited for the replication to
>> complete and then re-added the AD object. Now the SPN appears as
>>
>
> Note that the MS documentation says to add a "user" account, not a
> "computer"
> account. (Sounds counterintuitive...)
>
> http://technet.microsoft.com/en-us/library/bb742433.aspx
>
>   To configure the UNIX hosts
>
>     Use the Active Directory Management tool to create a new user account
>     for the UNIX host:
>
>     Select the Users folder, right-click and select New, then choose user.
>
>     Type the name of the UNIX host.
>
> (Last line is pick a unique name in the forest for the account, i.e. uses as
> SamAccountName (without the $) so must be 19 characters. Use some
> convention,
> like host-name-dept where h is short for host, name is the simple host name,
> and dept. (We have department DNS domains, but the AD is site wide.)
>
> The ktpass then *ADDS* the SPN to the user account using the -principal
> option.
> I am pretty sure if you create a "computer" account, the SPN gets added
> during account creation, and that is why you are seeing the uppercase HOST.

This obviously is not what happens when you use Solaris adjoin.sh
(adjoin-s10u5) or Samba's 'net ads join' command. Both of these
approaches create a computer object specifically. The interesting
behavior is adjoin.sh creates the computer object with one specific
SPN (host/host.fqdn), whereas Samba creates (HOST/HOSTNAME and
HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
RC4-HMAC-MD5, whereas the samba net ads keytab create simply doesn't
create one. Mind you, I'm using Sun natively packaged Samba. Whereas
I can clearly see the UPN with adjoin.sh, the one I created with
net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
adjoin literally uses ldapadd to add the host to computers
container....

Alright, I digress....back to Kerberos. I didn't get around the
problem. So I'm going to install a Linux server and see how I fare.

From deengert at anl.gov Fri May 8 15:32:42 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 08 May 2009 14:32:42 -0500
Subject: kerberos tickets and the SPNs
In-Reply-To: <73739dc10905081155m736f59cet671bcf0bad267eae@mail.gmail.com>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com> <4A044454.4050900@anl.gov> <73739dc10905081155m736f59cet671bcf0bad267eae@mail.gmail.com>
Message-ID: <4A0488DA.4030708@anl.gov>

Ravi Channavajhala wrote:
> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert wrote:
>
>>> I deleted the computer object in AD, waited for the replication to
>>> complete and then re-added the AD object. Now the SPN appears as
>>>
>> Note that the MS documentation says to add a "user" account, not a
>> "computer"
>> account. (Sounds counterintuitive...)
>>
>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>>
>>   To configure the UNIX hosts
>>
>>     Use the Active Directory Management tool to create a new user account
>>     for the UNIX host:
>>
>>     Select the Users folder, right-click and select New, then choose user.
>>
>>     Type the name of the UNIX host.
>>
>> (Last line is pick a unique name in the forest for the account, i.e. uses as
>> SamAccountName (without the $) so must be 19 characters. Use some
>> convention,
>> like host-name-dept where h is short for host, name is the simple host name,
>> and dept. (We have department DNS domains, but the AD is site wide.)
>>
>> The ktpass then *ADDS* the SPN to the user account using the -principal
>> option.
>> I am pretty sure if you create a "computer" account, the SPN gets added
>> during account creation, and that is why you are seeing the uppercase HOST.
>
> This obviously is not what happens when you use Solaris adjoin.sh
> (adjoin-s10u5) or Samba's 'net ads join' command. Both of these
> approaches create a computer object specifically.

The point I was making, is that the Microsoft create computer account may
be adding the HOST/hostname for you assuming it is going to be a Windows
computer. So ktpass does not change the case of the SPN if it's already set.

> The interesting
> behavior is adjoin.sh creates the computer object with one specific
> SPN (host/host.fqdn), whereas Samba creates (HOST/HOSTNAME and
> HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
> all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
> RC4-HMAC-MD5, whereas the samba net ads keytab create simply doesn't
> create one. Mind you, I'm using Sun natively packaged Samba. Whereas
> I can clearly see the UPN with adjoin.sh, the one I created with
> net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
> adjoin literally uses ldapadd to add the host to computers
> container....

We use msktutil that uses OpenLDAP to create the account (computer), and
msktutil then uses Kerberos to change the password, and LDAP to set the SPN,
and then creates/updates the keytab file. Sort of what adjoin.sh would do.

>
> Alright, I digress....back to Kerberos. I didn't get around the
> problem. So I'm going to install a Linux server and see how I fare.
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From ravi.channavajhala at dciera.com Fri May 8 15:59:55 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Sat, 9 May 2009 01:29:55 +0530
Subject: kerberos tickets and the SPNs
In-Reply-To: <4A0488DA.4030708@anl.gov>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com> <4A044454.4050900@anl.gov> <73739dc10905081155m736f59cet671bcf0bad267eae@mail.gmail.com> <4A0488DA.4030708@anl.gov>
Message-ID: <73739dc10905081259l467ed5b9u36be3e8004e4b3c5@mail.gmail.com>

On Sat, May 9, 2009 at 1:02 AM, Douglas E. Engert wrote:
>
>
> Ravi Channavajhala wrote:
>>
>> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert
>> wrote:
>>> Note that the MS documentation says to add a "user" account, not a
>>> "computer"
>>> account. (Sounds counterintuitive...)
>>>
>>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>>>
>>>   To configure the UNIX hosts
>>>
>>>     Use the Active Directory Management tool to create a new user account
>>>     for
>>>     the UNIX host:
>>>
>>>     Select the Users folder, right-click and select New, then choose user.
>>>
>>>     Type the name of the UNIX host.
>>>
>>> (Last line is pick a unique name in the forest for the account, i.e. uses
>>> as
>>> SamAccountName (without the $) so must be 19 characters. Use some
>>> convention,
>>> like host-name-dept where h is short for host, name is the simple host
>>> name,
>>> and dept. (We have department DNS domains, but the AD is site wide.)
>>>
>>> The ktpass then *ADDS* the SPN to the user account using the -principal
>>> option.
>>> I am pretty sure if you create a "computer" account, the SPN gets added
>>> during account creation, and that is why you are seeing the uppercase
>>> HOST.
>>
>> This obviously is not what happens when you use Solaris adjoin.sh
>> (adjoin-s10u5) or Samba's 'net ads join' command. Both of these
>> approaches create a computer object specifically.
>
> The point I was making, is that the Microsoft create computer account may
> be adding the HOST/hostname for you assuming it is going to be a Windows
> computer. So ktpass does not change the case of the SPN if it's already
> set.

Don't agree here. Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R, creates
two entries

HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN

Both are incorrect.... The point is, I can manipulate SPNs to no end, but
obviously no success with Kerberos. My real issue is kerberos flip flopping
with 'Server not found in Database' to 'Keytable entry incorrect Key
version'.

From hy93 at cornell.edu Fri May 8 16:13:02 2009
From: hy93 at cornell.edu (Hong Ye)
Date: Fri, 08 May 2009 16:13:02 -0400
Subject: help with kerberos windows build
Message-ID: <4A04924E.5060304@cornell.edu>

Hi,

I'm trying to build krb5 1.6 tree on Windows XP. I followed All-Windows
Build Method from ReadMe file and got error when doing nmake

c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\ntstatus.h(2900) : warning C4005: 'STATUS_PRIVILEGED_INSTRUCTION' : macro redefinition
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WinNT.h(1342) : see previous definition of 'STATUS_PRIVILEGED_INSTRUCTION'
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\ntstatus.h(3853) : warning C4005: 'STATUS_STACK_OVERFLOW' : macro redefinition
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WinNT.h(1343) : see previous definition of 'STATUS_STACK_OVERFLOW'
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\ntstatus.h(4426) : warning C4005: 'STATUS_CONTROL_C_EXIT' : macro redefinition
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WinNT.h(1344) : see previous definition of 'STATUS_CONTROL_C_EXIT'
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\ntstatus.h(6834) : warning C4005: 'STATUS_FLOAT_MULTIPLE_FAULTS' : macro redefinition
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WinNT.h(1345) : see previous definition of 'STATUS_FLOAT_MULTIPLE_FAULTS'
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\ntstatus.h(6844) : warning C4005: 'STATUS_FLOAT_MULTIPLE_TRAPS' : macro redefinition
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WinNT.h(1346) : see previous definition of 'STATUS_FLOAT_MULTIPLE_TRAPS'
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\ntstatus.h(6968) : warning C4005: 'STATUS_REG_NAT_CONSUMPTION' : macro redefinition
c:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WinNT.h(1347) : see previous definition of 'STATUS_REG_NAT_CONSUMPTION'
cc_mslsa.c(192) : error C2065: 'TokenOrigin' : undeclared identifier
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.
NMAKE : fatal error U1077: '"c:\Program Files\Microsoft Visual Studio .NET 2003\VC7\BIN\nmake.exe"' : return code '0x2'
Stop.
NMAKE : fatal error U1077: '"c:\Program Files\Microsoft Visual Studio .NET 2003\VC7\BIN\nmake.exe"' : return code '0x2'
Stop.
NMAKE : fatal error U1077: '"c:\Program Files\Microsoft Visual Studio .NET 2003\VC7\BIN\nmake.exe"' : return code '0x2'
Stop.

Any idea or suggestions are appreciated,

Hong

From SCHREIJM at airproducts.com Fri May 8 16:37:51 2009
From: SCHREIJM at airproducts.com (Schreiter,Jonathan M.)
Date: Fri, 8 May 2009 16:37:51 -0400
Subject: Active Directory Kerberos Server and Windows MIT Tools Client
Message-ID: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com>

Hello,

I currently have an AD 2003 environment that serves as a Kerberos server.
Normally, with a standard Windows XP / Vista client (that is joined to the
domain), when I login with a domain account I get a TGT for the AD domain /
realm. This TGT is then used to get tickets for various other services that
require Kerberos. When I run a klist from the MIT tools installed on this
client, I show my ticket cache: MSLSA.

I need to log in with a local account on this same computer (still joined to
the domain). I'd like to be able via command line to enter in my AD
credentials to acquire a tgt just as if I was a login from the original
CTRL+ALT+DEL screen.

Also, MYDOMAIN.COM = MYREALM.COM

After logging in locally, I tried to do a simple kinit myuser at MYDOMAIN.COM
and it took the password. However, if I use Internet Explorer to go to an IIS
server that requires kerberos authentication, I am still prompted for my
username and password.

I then drilled in to the GUI Network Identity Manager. Under Kerberos v5
Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under
Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos
Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's
supposed to go here).

I then entered my kerberos authentication in to the GUI and it took my
password. However, it still doesn't see the tgt in the MSLSA (if I try to use
a klist from the Windows NT Resource Kit). If I run klist from
c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found
(ticket cache API:myuser at MYDOMAIN.COM. Also, If I try to run IE to hit an
IIS web server requiring Kerberos, it still prompts me for my credentials.

I think I'm almost there - but can someone help me connect the pieces? Again,
I would like to log in to a windows xp / vista computer, enter a username and
password to obtain a tgt in the mslsa, so that IE can hit an IIS server that
requires kerberos w/o typing in the password again.

Any help would be GREATLY appreciated.

Many thanks,
Jonathan

From huaraz at moeller.plus.com Fri May 8 17:34:22 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Fri, 8 May 2009 22:34:22 +0100
Subject: kerberos tickets and the SPNs
In-Reply-To: <73739dc10905081259l467ed5b9u36be3e8004e4b3c5@mail.gmail.com>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com> <4A044454.4050900@anl.gov> <73739dc10905081155m736f59cet671bcf0bad267eae@mail.gmail.com> <4A0488DA.4030708@anl.gov> <73739dc10905081259l467ed5b9u36be3e8004e4b3c5@mail.gmail.com>
Message-ID:

I use also msktutil and you can find it here

http://dag.wieers.com/rpm/packages/msktutil/

You can also use setspn -A host/fqdn in lowercase instead of setspn -R.

BTW the original netjoin tool from MS used computer accounts not user
accounts.

http://msdn.microsoft.com/en-us/library/ms808911.aspx
http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe

I don't know why they changed their mind.

Markus

----- Original Message -----
From: "Ravi Channavajhala"
To: "Douglas E. Engert"
Cc: "Markus Moeller" ;
Sent: Friday, May 08, 2009 8:59 PM
Subject: Re: kerberos tickets and the SPNs

Don't agree here. Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R, creates
two entries

HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN

Both are incorrect.... The point is, I can manipulate SPNs to no end, but
obviously no success with Kerberos. My real issue is kerberos flip flopping
with 'Server not found in Database' to 'Keytable entry incorrect Key
version'.

From kronda at atlas.cz Sat May 9 16:49:05 2009
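As an added example that is not part of the thread, a Python cross-check of the three things this discussion keeps circling: the SPNs on the AD account (as printed by setspn -L), the Unix keytab (as printed by MIT klist -k -e), and the key version. The sample outputs, the host SOLARIS1, the realm AD.EXAMPLE.COM and the AD kvno are all constructed; the check assumes, as Markus notes above, that AD matches SPNs case-insensitively while an MIT keytab lookup is case-sensitive, and it reports the three error strings the thread mentions.

```python
# Added example, not from the thread. All sample data is constructed.
import re

# Constructed `setspn -L` output for a computer account.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=SOLARIS1,CN=Computers,DC=ad,DC=example,DC=com:
        HOST/SOLARIS1
        HOST/solaris1.ad.example.com
"""

# Constructed MIT `klist -k -e` output from the Unix host's keytab.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/solaris1.ad.example.com@AD.EXAMPLE.COM (ArcFour with HMAC/md5)
   2 host/solaris1.ad.example.com@AD.EXAMPLE.COM (DES cbc mode with CRC-32)
"""


def parse_setspn(text):
    """SPNs listed by `setspn -L`: every non-empty line after the header."""
    return [ln.strip() for ln in text.splitlines()[1:] if ln.strip()]


def parse_klist(text):
    """(kvno, principal) pairs from `klist -k` output; header lines are skipped."""
    entries = []
    for ln in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)", ln)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def diagnose(requested, spns, keytab, ad_kvno):
    """Return (code, message) findings for one service principal.

    requested: what the client asks the KDC for, e.g. host/fqdn@REALM
    spns:      SPNs registered on the AD account (matched case-insensitively)
    keytab:    (kvno, principal) entries; matched case-sensitively
    ad_kvno:   the account's current key version in AD (constructed input)
    """
    findings = []
    service = requested.rpartition("@")[0]
    registered = [s for s in spns if s.lower() == service.lower()]
    if not registered:
        findings.append(("SERVER_NOT_FOUND",
                         f"no SPN like {service} on any account -> "
                         "'Server not found in Kerberos database'"))
        return findings
    kvnos = [kv for kv, p in keytab if p == requested]
    if not kvnos:
        variants = sorted({p for _, p in keytab if p.lower() == requested.lower()})
        hint = (f"; keytab only has {variants} (case differs), so add an entry in "
                "the requested spelling with the same key") if variants else ""
        findings.append(("KT_NOTFOUND",
                         f"keytab has no entry for {requested} -> "
                         "'Key table entry not found'" + hint))
    elif ad_kvno not in kvnos:
        findings.append(("KT_KVNO",
                         f"keytab kvno {sorted(set(kvnos))} != AD kvno {ad_kvno} -> "
                         "'Key version number for principal in key table is incorrect'"))
    if service not in registered:
        findings.append(("SPN_CASE",
                         f"AD stores {registered} while clients request {service}; AD "
                         "ignores case but the keytab does not, so keep both spellings "
                         "in the keytab"))
    return findings


if __name__ == "__main__":
    spns, keytab = parse_setspn(SETSPN_OUTPUT), parse_klist(KLIST_OUTPUT)
    for req, kvno in (("host/solaris1.ad.example.com@AD.EXAMPLE.COM", 2),
                      ("host/solaris1.ad.example.com@AD.EXAMPLE.COM", 3),
                      ("HOST/solaris1.ad.example.com@AD.EXAMPLE.COM", 2),
                      ("host/other.ad.example.com@AD.EXAMPLE.COM", 2)):
        for code, msg in diagnose(req, spns, keytab, kvno):
            print(f"{req} kvno={kvno}: [{code}] {msg}")
```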
From: kronda at atlas.cz (Kronus David)
Date: Sat, 09 May 2009 20:49:05 GMT
Subject: KfW 3.2.2 on Win XP SP3 + file cache = repeated password asking?
Message-ID:

Hi all,
I'm not really expert so this might be a sign of my misunderstanding but...

I'm using Network ID manager to authenticate to a Linux server running MIT
Kerberos KDC and other kerberized servers (SSHd, Apache+mod_auth_kerb). When
I initially configured my identity in NetIdMgr, everything worked fine -
input my password just once and then no more (using kerberized Putty,
TortoiseSVN, Firefox...). So I conclude from this that there is no problem
with the server.

Then I played with Java and wanted to use my cached credentials from KfW
also using JAAS. I changed the cache in my identity configuration from
API:... to FILE:c:\Temp\ccache. Cache worked, the file had been created after
obtaining credentials. And after some time JAAS started to work. I was amazed
but not for long because I've realized that with file-based cache NetIdMgr is
asking for my password each time when some application using KfW dlls needs
credentials (Firefox, Putty...). Even when I open putty twice for the same
SSH server, NetIdMgr asks for password. Otherwise everything works but this
is totally unusable. I tried to play with the settings but haven't arrived at
a solution or an explanation. When I change back to API: cache, everything
works fine (except JAAS...).

So, what's the problem?
1) Is this expected behaviour when using file-based cache? Shall I configure
something to get rid of the repeated password prompt? I haven't really found
any information about using file cache with KfW, it seems to be
out-of-fashion, since Java is probably able to read from LSA, but that
doesn't help me in this case (no AD domain), does it?
2) If the answer to question 1) is "YES, it is expected and you can't do
anything about it", can you please advise me on a way in which KfW and JAAS
can cooperate in a nice way?

Thanks for any help.
David

From rra at stanford.edu Sat May 9 17:13:34 2009
From: rra at stanford.edu (Russ Allbery)
Date: Sat, 09 May 2009 14:13:34 -0700
Subject: AFS/Kerberos Workshop key signing
Message-ID: <87r5yy6ku9.fsf@windlord.stanford.edu>

For those of you who are coming to the 2009 AFS and Kerberos Best Practices
Workshop [1] who use PGP and who have an older key, you may want to start
thinking about generating a new PGP key in advance of the workshop and then
introducing it at a key signing there.

If you haven't been following the recent security news, a significant new
attack on SHA-1 was revealed at EuroCrypt this year, weakening its protection
against hash collisions to 2^52 from 2^63. All 1024-bit DSA GnuPG keys can
only use a 160-bit hash, normally SHA-1. You can set your key preferences to
use a different hash, but it still truncates to 160 bits. See:

http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
http://www.debian-administration.org/users/dkg/weblog/48
http://johans.dreamwidth.org/3744.html

Also, SHA-1 and 1024-bit DSA is already not recommended for use after 2010 by
the US government even before this attack.

So, if you have a 1024-bit DSA key or something older, it's probably time to
introduce a new key and be sure the key preferences are set to use SHA-2
hashes. I plan on going straight to 4096-bit RSA; I don't see any reason not
to. It's a lot easier to introduce a new key at a conference where you can
immediately do a key signing, so this might be a good opportunity for a lot
of us.

[1] http://workshop.openafs.org/afsbpw09/index.html

--
Russ Allbery (rra at stanford.edu)

From miguel.sanders at arcelormittal.com Mon May 11 03:58:07 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Mon, 11 May 2009 09:58:07 +0200
Subject: auth_to_local struggle
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA51AB@GEN-MXB-V04.msad.arcelor.net>

Hi folks

I'm struggling with the auth_to_local rule. I want the principal
root/samehost.some.domain at SOMEREALM to be mapped to the user root.
I created the following auth_to_local rule in krb5.conf

auth_to_local = RULE:[2:$2/$1@$0](\/.*@SOMEREALM)s/\/.*@.*//

I wrote a sample test program in order to verify the authorization part:

#include <stdio.h>
#include <stdlib.h>
#include <krb5.h>

int main(int argc, const char **argv)
{
    krb5_context context;
    krb5_principal client;
    krb5_boolean logon;

    if (argc != 3) {
        fprintf(stderr, "Number of arguments incorrect\n");
        fprintf(stderr, "1) Kerberos Principal 2) Mapped Local User\n");
        exit(1);
    }

    if (krb5_init_context(&context) != 0) {
        fprintf(stderr, "krb5_init_context failed\n");
        exit(1);
    }
    /* Parse the principal name given on the command line. */
    if (krb5_parse_name(context, argv[1], &client) != 0) {
        fprintf(stderr, "krb5_parse_name failed for %s\n", argv[1]);
        krb5_free_context(context);
        exit(1);
    }
    /* Ask the library whether the principal may log in as the local user;
       this is where auth_to_local (and ~user/.k5login) is consulted. */
    logon = krb5_kuserok(context, client, argv[2]);
    if (logon)
        fprintf(stdout, "Principal %s is authorized to login as user %s\n", argv[1], argv[2]);
    else
        fprintf(stderr, "Principal %s is NOT authorized to login as user %s\n", argv[1], argv[2]);

    krb5_free_principal(context, client);
    krb5_free_context(context);
    return logon ? 0 : 1;
}

Unfortunately, my test program always says the following:

./krb5 root/samehost.some.domain at SOMEREALM root
Principal root/samehost.some.domain at SOMEREALM is NOT authorized to login as user root

What's wrong with my rule? The transformation rule is correct AFAIK.

Thanks for your help!

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

****
This message and any attachment are confidential, intended solely for the
use of the individual or entity to whom it is addressed and may be protected
by professional secrecy or intellectual property rights. If you have received
it by mistake, or are not the named recipient(s), please immediately notify
the sender and delete the message. You are hereby notified that any
unauthorized use, copying or dissemination of any or all information
contained in this message is prohibited. Arcelormittal shall not be liable
for the message if altered, falsified, or in case of error in the recipient.
This message does not constitute any right or commitment for ArcelorMittal
except when expressly agreed otherwise in writing in a separate agreement.
****

From jaltman at secure-endpoints.com Mon May 11 07:11:07 2009
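As an added example, not the poster's code, a Python evaluator for MIT auth_to_local RULE lines, so the effect of a rule on a principal can be traced without a KDC: it splits the principal, builds the [n:string] form, tests the selection regexp and applies the s/// steps. It assumes, as I read MIT's implementation, that the selection regexp must match the entire formatted string before the substitutions run, and it uses Python's re in place of POSIX extended regex; EXAMPLE_RULE is a constructed rule included for comparison, not a recommendation from the thread.

```python
# Added example, not from the thread: trace what an auth_to_local RULE does.
import re

# One 's/pattern/replacement/' step with optional trailing 'g'; '/' may be escaped.
_SUB_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def parse_rule(rule):
    """Split 'RULE:[n:fmt](regexp)s/pat/rep/g...' into (n, fmt, regexp, subs)."""
    if not rule.startswith("RULE:["):
        raise ValueError("not a RULE: line")
    close = rule.index("]")                      # assumes no ']' inside fmt
    ncomp, fmt = rule[len("RULE:["):close].split(":", 1)
    rest = rule[close + 1:]
    if not rest.startswith("("):
        raise ValueError("missing (regexp)")
    depth, i = 0, 0
    while i < len(rest):                         # find the ')' closing the '('
        ch = rest[i]
        if ch == "\\":
            i += 2                               # skip an escaped character
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                break
        i += 1
    regexp, rest = rest[1:i], rest[i + 1:]
    subs = []
    while rest:
        m = _SUB_RE.match(rest)
        if not m:
            raise ValueError("bad substitution: " + rest)
        subs.append((m.group(1), m.group(2), m.group(3) == "g"))
        rest = rest[m.end():]
    return int(ncomp), fmt, regexp, subs


def apply_rule(rule, principal):
    """Local name the rule maps `principal` to, or None when the rule does not
    select it (wrong component count, or the regexp does not match the whole
    formatted string)."""
    ncomp, fmt, regexp, subs = parse_rule(rule)
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != ncomp:
        return None

    def expand(m):                               # $0 = realm, $i = i-th component
        n = int(m.group(1))
        if n > len(comps):
            raise ValueError(f"${n} has no component in {principal}")
        return realm if n == 0 else comps[n - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    if not re.fullmatch(regexp, formatted):      # assumed: whole-string match
        return None
    for pattern, repl, everywhere in subs:
        formatted = re.sub(pattern, repl, formatted, count=0 if everywhere else 1)
    return formatted


# The rule and principal from the message above.
POSTED_RULE = r"RULE:[2:$2/$1@$0](\/.*@SOMEREALM)s/\/.*@.*//"
PRINCIPAL = "root/samehost.some.domain@SOMEREALM"

# Constructed comparison rule: select only root/<anything>@SOMEREALM, keep 'root'.
EXAMPLE_RULE = r"RULE:[2:$1@$0](^root@SOMEREALM$)s/@.*//"

if __name__ == "__main__":
    for rule in (POSTED_RULE, EXAMPLE_RULE):
        n, fmt, regexp, subs = parse_rule(rule)
        print(f"{rule}\n  components={n} format={fmt} regexp={regexp} subs={subs}")
        print(f"  {PRINCIPAL} -> {apply_rule(rule, PRINCIPAL)!r}")
```

For the posted rule the formatted string is samehost.some.domain/root@SOMEREALM, which the regexp cannot match as a whole, so the mapping returns None; the comparison rule yields root.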
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 11 May 2009 07:11:07 -0400
Subject: KfW 3.2.2 on Win XP SP3 + file cache = repeated password asking?
In-Reply-To:
References:
Message-ID: <4A0807CB.2020900@secure-endpoints.com>

Try setting the default identity after you alter the associated cache name.

Kronus David wrote:
> Hi all,
> I'm not really expert so this might be a sign of my misunderstanding but...
>
> I'm using Network ID manager to authenticate to a Linux server running MIT
> Kerberos KDC and other kerberized servers (SSHd, Apache+mod_auth_kerb). When
> I initially configured my identity in NetIdMgr, everything worked fine -
> input my password just once and then no more (using kerberized Putty,
> TortoiseSVN, Firefox...). So I conclude from this that there is no problem
> with the server.
>
> Then I played with Java and wanted to use my cached credentials from KfW
> also using JAAS. I changed the cache in my identity configuration from
> API:... to FILE:c:\Temp\ccache. Cache worked, the file had been created
> after obtaining credentials. And after some time JAAS started to work. I was
> amazed but not for long because I've realized that with file-based cache
> NetIdMgr is asking for my password each time when some application using
> KfW dlls needs credentials (Firefox, Putty...). Even when I open putty twice
> for the same SSH server, NetIdMgr asks for password. Otherwise everything
> works but this is totally unusable. I tried to play with the settings but
> haven't arrived at a solution or an explanation. When I change back to API:
> cache, everything works fine (except JAAS...).
>
> So, what's the problem?
> 1) Is this expected behaviour when using file-based cache? Shall I configure
> something to get rid of the repeated password prompt? I haven't really found
> any information about using file cache with KfW, it seems to be
> out-of-fashion, since Java is probably able to read from LSA, but that
> doesn't help me in this case (no AD domain), does it?
> 2) If the answer to question 1) is "YES, it is expected and you can't do
> anything about it", can you please advise me on a way in which KfW and JAAS
> can cooperate in a nice way?
>
> Thanks for any help.
> David
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From jaltman at secure-endpoints.com Mon May 11 07:15:52 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 11 May 2009 07:15:52 -0400
Subject: Active Directory Kerberos Server and Windows MIT Tools Client
In-Reply-To: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com>
References: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com>
Message-ID: <4A0808E8.1050904@secure-endpoints.com>

IIS and other Windows SSPI based applications will only use credentials that are obtained via the Microsoft logon screen. You cannot use MIT KfW to obtain a TGT for those applications.

In other words, you must log onto the machine with the domain account and not a local account if you wish to use IE. Your other option is to start IE using "RunAs" and issue your username/password for the domain account each time you start IE.

Jeffrey Altman

Schreiter,Jonathan M. wrote:
> Hello,
> I currently have an AD 2003 environment that serves as a Kerberos server. Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I log in with a domain account I get a TGT for the AD domain / realm. This TGT is then used to get tickets for various other services that require Kerberos. When I run a klist from the MIT tools installed on this client, I see my ticket cache: MSLSA.
>
> I need to log in with a local account on this same computer (still joined to the domain). I'd like to be able, via the command line, to enter my AD credentials to acquire a TGT just as if I had logged in from the original CTRL+ALT+DEL screen.
>
> Also, MYDOMAIN.COM = MYREALM.COM
>
> After logging in locally, I tried to do a simple kinit myuser@MYDOMAIN.COM and it took the password. However, if I use Internet Explorer to go to an IIS server that requires Kerberos authentication, I am still prompted for my username and password.
>
> I then drilled into the GUI Network Identity Manager. Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
>
> I then entered my Kerberos authentication into the GUI and it took my password. However, it still doesn't see the TGT in the MSLSA (if I try to use a klist from the Windows NT Resource Kit). If I run klist from c:\Program Files\MIT\Kerberos\Bin I get "klist: No credentials cache found (ticket cache API:myuser@MYDOMAIN.COM)". Also, if I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
>
> I think I'm almost there - but can someone help me connect the pieces? Again, I would like to log in to a Windows XP / Vista computer, enter a username and password to obtain a TGT in the MSLSA, so that IE can hit an IIS server that requires Kerberos w/o typing in the password again.
>
> Any help would be GREATLY appreciated.
>
> Many thanks,
> Jonathan
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From: kronda at atlas.cz (Kronus David)
Date: Mon, 11 May 2009 11:32:57 GMT
Subject: KfW 3.2.2 on Win XP SP3 + file cache = repeated password asking?
Message-ID: <3cb6c6da59194bd08a11239a9afec80d@a38ebf95e7af45eea4db8645669e8721>

Jeffrey, thanks for your sharp answer, it has solved my problem.

David

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com]
Sent: Monday, May 11, 2009 1:11 PM
To: kronda at atlas.cz
Cc: kerberos at mit.edu
Subject: Re: KfW 3.2.2 on Win XP SP3 + file cache = repeated password asking?

Try setting the default identity after you alter the associated cache name.

Kronus David wrote:
> Hi all,
> I'm not really an expert so this might be a sign of my misunderstanding but...
>
> I'm using Network ID Manager to authenticate to a Linux server running the MIT Kerberos KDC and other kerberized servers (SSHd, Apache+mod_auth_kerb). When I initially configured my identity in NetIdMgr, everything worked fine - input my password just once and then no more (using kerberized PuTTY, TortoiseSVN, Firefox...). So I conclude from this that there is no problem with the server.
>
> Then I played with Java and wanted to use my cached credentials from KfW also using JAAS. I changed the cache in my identity configuration from API:... to FILE:c:\Temp\ccache. The cache worked; the file had been created after obtaining credentials. And after some time JAAS started to work. I was amazed, but not for long, because I've realized that with a file-based cache NetIdMgr is asking for my password each time some application using the KfW DLLs needs credentials (Firefox, PuTTY...). Even when I open PuTTY twice for the same SSH server, NetIdMgr asks for the password. Otherwise everything works, but this is totally unusable. I tried to play with the settings but haven't arrived at a solution or an explanation. When I change back to the API: cache, everything works fine (except JAAS...).
>
> So, what's the problem?
> 1) Is this expected behaviour when using a file-based cache? Shall I configure something to get rid of the repeated password prompt? I haven't really found any information about using a file cache with KfW; it seems to be out of fashion, since Java is probably able to read from the LSA, but that doesn't help me in this case (no AD domain), does it?
> 2) If the answer to question 1) is "YES, it is expected and you can't do anything about it", can you please advise me on a way in which KfW and JAAS can cooperate in a nice way?
>
> Thanks for any help.
> David
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 11 May 2009 09:24:37 -0500
Subject: Active Directory Kerberos Server and Windows MIT Tools Client
In-Reply-To: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com>
References: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com>
Message-ID: <4A083525.90000@anl.gov>

In addition to what Jeff proposed, you can use the runas command with other commands. cmd.exe is one, as it then gives you a command window to start other commands, including explorer or iexplorer, so you only have to enter the user/password once.

runas.exe /netonly can also be used on machines not joined to the domain, to get credentials from the domain, usable on the network.

Also see:
http://support.microsoft.com/kb/225035
"Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context"

And to get explorer to run also see:
http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
"How do you set the "separate process" flag, then?"
"How do I tell my admin windows from my normal windows?"

Schreiter,Jonathan M. wrote:
> Hello,
> I currently have an AD 2003 environment that serves as a Kerberos server. Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I log in with a domain account I get a TGT for the AD domain / realm. This TGT is then used to get tickets for various other services that require Kerberos. When I run a klist from the MIT tools installed on this client, I see my ticket cache: MSLSA.
>
> I need to log in with a local account on this same computer (still joined to the domain). I'd like to be able, via the command line, to enter my AD credentials to acquire a TGT just as if I had logged in from the original CTRL+ALT+DEL screen.
>
> Also, MYDOMAIN.COM = MYREALM.COM
>
> After logging in locally, I tried to do a simple kinit myuser@MYDOMAIN.COM and it took the password. However, if I use Internet Explorer to go to an IIS server that requires Kerberos authentication, I am still prompted for my username and password.
>
> I then drilled into the GUI Network Identity Manager. Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
>
> I then entered my Kerberos authentication into the GUI and it took my password. However, it still doesn't see the TGT in the MSLSA (if I try to use a klist from the Windows NT Resource Kit). If I run klist from c:\Program Files\MIT\Kerberos\Bin I get "klist: No credentials cache found (ticket cache API:myuser@MYDOMAIN.COM)". Also, if I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
>
> I think I'm almost there - but can someone help me connect the pieces? Again, I would like to log in to a Windows XP / Vista computer, enter a username and password to obtain a TGT in the MSLSA, so that IE can hit an IIS server that requires Kerberos w/o typing in the password again.
>
> Any help would be GREATLY appreciated.
>
> Many thanks,
> Jonathan
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: SCHREIJM at airproducts.com (Schreiter,Jonathan M.)
Date: Mon, 11 May 2009 10:33:03 -0400
Subject: Active Directory Kerberos Server and Windows MIT Tools Client
In-Reply-To: <4A083525.90000@anl.gov>
References: <681E55847A76D4449B702D8B7DE7ED851F8C81@US1013EXMP.america.apci.com> <4A083525.90000@anl.gov>
Message-ID: <681E55847A76D4449B702D8B7DE7ED85019CD718@US1013EXMP.america.apci.com>

Thanks Doug and Jeff. I'm not sure the runas will work in the problem I'm trying to solve, but maybe I'm wrong.

I have an application that, when you click on a button, will spawn an IE window, and there are multiple buttons that link to different URLs (each URL corresponds to an IIS server with Kerberos authentication). During nominal operations, multiple IE windows will be open on the same machine, and new windows will be closed and opened multiple times per day. I guess I could spawn a cmd window from the button, but I'm not sure how to automatically spawn multiple iexplore.exe from this cmd window from an external application.

The second part of the problem is that I'll have multiple computers that fit this category - so I was hoping to use a keytab dump after getting the TGT to copy files to the other computers for an SSO.

If anyone has any thoughts, I'd appreciate it. I'm going to take a look at some PKI options here in the meantime.

Many thanks,
Jonathan

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Monday, May 11, 2009 10:25 AM
To: Schreiter,Jonathan M.
Cc: kerberos at mit.edu
Subject: Re: Active Directory Kerberos Server and Windows MIT Tools Client

In addition to what Jeff proposed, you can use the runas command with other commands. cmd.exe is one, as it then gives you a command window to start other commands, including explorer or iexplorer, so you only have to enter the user/password once.

runas.exe /netonly can also be used on machines not joined to the domain, to get credentials from the domain, usable on the network.

Also see:
http://support.microsoft.com/kb/225035
"Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context"

And to get explorer to run also see:
http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
"How do you set the "separate process" flag, then?"
"How do I tell my admin windows from my normal windows?"

Schreiter,Jonathan M. wrote:
> Hello,
> I currently have an AD 2003 environment that serves as a Kerberos server. Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I log in with a domain account I get a TGT for the AD domain / realm. This TGT is then used to get tickets for various other services that require Kerberos. When I run a klist from the MIT tools installed on this client, I see my ticket cache: MSLSA.
>
> I need to log in with a local account on this same computer (still joined to the domain). I'd like to be able, via the command line, to enter my AD credentials to acquire a TGT just as if I had logged in from the original CTRL+ALT+DEL screen.
>
> Also, MYDOMAIN.COM = MYREALM.COM
>
> After logging in locally, I tried to do a simple kinit myuser@MYDOMAIN.COM and it took the password. However, if I use Internet Explorer to go to an IIS server that requires Kerberos authentication, I am still prompted for my username and password.
>
> I then drilled into the GUI Network Identity Manager. Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here).
>
> I then entered my Kerberos authentication into the GUI and it took my password. However, it still doesn't see the TGT in the MSLSA (if I try to use a klist from the Windows NT Resource Kit). If I run klist from c:\Program Files\MIT\Kerberos\Bin I get "klist: No credentials cache found (ticket cache API:myuser@MYDOMAIN.COM)". Also, if I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
>
> I think I'm almost there - but can someone help me connect the pieces? Again, I would like to log in to a Windows XP / Vista computer, enter a username and password to obtain a TGT in the MSLSA, so that IE can hit an IIS server that requires Kerberos w/o typing in the password again.
>
> Any help would be GREATLY appreciated.
>
> Many thanks,
> Jonathan
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: mark at mproehl.net (Mark Pröhl)
Date: Mon, 11 May 2009 17:06:42 +0200
Subject: auth_to_local struggle
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BA51AB@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206BA51AB@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <4A083F02.8070005@mproehl.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

this works for me:

auth_to_local = RULE:[2:$1;$2@$0](root;.*@SOMEREALM)s/;.*@SOMEREALM//g

If

Mark Pröhl

miguel.sanders at arcelormittal.com wrote:
> Hi folks
>
> I'm struggling with the auth_to_local rule.
> I want the principal root/samehost.some.domain@SOMEREALM to be mapped to the user root.
> I created the following auth_to_local rule in krb5.conf
> auth_to_local = RULE:[2:$2/$1@$0](\/.*@SOMEREALM)s/\/.*@.*//
>
> I wrote a sample test program in order to verify the authorization part:
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
> #include <krb5.h>
>
> int main(int argc, const char **argv){
>     if (argc != 3) {
>         fprintf(stderr,"Number of arguments incorrect\n");
>         fprintf(stderr,"1) Kerberos Principal 2) Mapped Local User\n");
>         exit(1);
>     }
>     krb5_context context;
>     krb5_principal client;
>     krb5_boolean logon;
>
>     krb5_init_context(&context);
>     krb5_parse_name(context,argv[1],&client);
>
>     /* krb5_kuserok applies auth_to_local (and .k5login) and compares
>        the mapped name with the requested local user */
>     logon = krb5_kuserok(context, client, (char *)argv[2]);
>     if (logon)
>         fprintf(stdout,"Principal %s is authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
>     else
>         fprintf(stderr,"Principal %s is NOT authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
>
>     krb5_free_principal(context, client);
>     krb5_free_context(context);
>     return 0;
> }
>
> Unfortunately, my test program always says the following:
>
> ./krb5 root/samehost.some.domain@SOMEREALM root
> Principal root/samehost.some.domain@SOMEREALM is NOT authorized to login as user root
>
> What's wrong with my rule? The transformation rule is correct AFAIK.
>
> Thanks for your help!
>
> Met vriendelijke groet
> Best regards
> Bien à vous
>
> Miguel SANDERS
> ArcelorMittal Gent
>
> UNIX Systems & Storage
> IT Supply Western Europe | John Kennedylaan 51
> B-9042 Gent
>
> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
> E miguel.sanders at arcelormittal.com
> www.arcelormittal.com/gent
>
> ****
> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited.
> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient.
> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
> ****
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoIPwEACgkQNP9kGj7lDw5MvACg4pKNBOmpgzttTVrg7rATIVoJ
3x8AoPdRG3m2Ccj+aIK/jy/S4Qpf+CIm
=8QJf
-----END PGP SIGNATURE-----

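The two auth_to_local rules in this thread (Miguel's original and Mark Pröhl's working one) differ in how the selection string is built, what the selector regexp has to match, and what the substitution strips. As an added illustration that is not code from the thread or from MIT krb5, the Python script below reimplements the essentials of the MIT RULE evaluator: the component-count check, expansion of $0 (realm) and $1..$n (components) into a selection string, a selector regexp that must match that whole string, and sed-style s/pattern/replacement/[g] substitutions. Python's re module stands in for POSIX ERE (an approximation), and the .k5login lookup that the real krb5_kuserok() also performs is left out; the principal and both rules are the ones quoted above.

```python
import re

# Simplified reimplementation of the MIT krb5 auth_to_local RULE evaluator
# (an assumption for illustration, not MIT's code). Python's re stands in for
# POSIX ERE, and only the form RULE:[n:string](regexp)s/pat/repl/[g]... is parsed.
RULE_RE = re.compile(r'RULE:\[(\d+):([^\]]*)\]\(((?:[^()\\]|\\.)*)\)(.*)')
SUB_RE = re.compile(r's/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)')

# The two rules from the thread.
MIGUEL_RULE = r'RULE:[2:$2/$1@$0](\/.*@SOMEREALM)s/\/.*@.*//'
MARK_RULE = r'RULE:[2:$1;$2@$0](root;.*@SOMEREALM)s/;.*@SOMEREALM//g'


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, _, realm = principal.rpartition('@')
    return name.split('/'), realm


def apply_substitutions(subs, text):
    """Apply each s/pattern/replacement/[g] in `subs` to `text`, in order."""
    result, pos = text, 0
    while pos < len(subs):
        sm = SUB_RE.match(subs, pos)
        if sm is None:
            raise ValueError('bad substitution: ' + subs[pos:])
        pat, repl, gflag = sm.groups()
        # 'g' replaces every match; without it only the first one (as in sed).
        result = re.sub(pat, repl, result, count=0 if gflag else 1)
        pos = sm.end()
    return result


def evaluate(rule, principal):
    """Trace a RULE against a principal.

    Returns the intermediate selection string, whether the selector matched
    it, and the local name the rule yields (None when the rule does not apply).
    """
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError('unparseable rule: ' + rule)
    ncomp, fmt, selector, subs = m.groups()
    comps, realm = split_principal(principal)

    # Step 1: the principal must have exactly n name components.
    if len(comps) != int(ncomp):
        return {'selstring': None, 'selected': False, 'local_name': None}

    # Step 2: expand $0 (realm) and $1..$n (components) into the selection string.
    def expand(match):
        idx = int(match.group(1))
        if idx > len(comps):
            raise ValueError('rule references $%d but principal has only %d components'
                             % (idx, len(comps)))
        return realm if idx == 0 else comps[idx - 1]
    selstring = re.sub(r'\$(\d+)', expand, fmt)

    # Step 3: the selector must match the WHOLE selection string (MIT checks
    # that the match spans the full string), which is why rules carry '.*'.
    if re.fullmatch(selector, selstring) is None:
        return {'selstring': selstring, 'selected': False, 'local_name': None}

    # Step 4: the substitutions turn the selection string into the local name.
    return {'selstring': selstring, 'selected': True,
            'local_name': apply_substitutions(subs, selstring)}


def map_name(rule, principal):
    """Local name the rule maps the principal to, or None if it does not apply."""
    return evaluate(rule, principal)['local_name']


def kuserok_like(rule, principal, local_user):
    """Decision krb5_kuserok() would reach from the mapping alone
    (the real function also honours ~/.k5login, omitted here)."""
    return map_name(rule, principal) == local_user


if __name__ == '__main__':
    principal = 'root/samehost.some.domain@SOMEREALM'
    for label, rule in (('Miguel', MIGUEL_RULE), ('Mark', MARK_RULE)):
        print(label, evaluate(rule, principal))
```

Running it shows both defects in the original rule at once: its selection string is samehost.some.domain/root@SOMEREALM, which the selector `\/.*@SOMEREALM` cannot match from the first character, so the rule never applies; and even if it did, `s/\/.*@.*//` would leave samehost.some.domain rather than root. Mark's rule pins the first component to root and the realm to SOMEREALM in the selector, so a principal from another realm or with a different first component maps to nothing.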
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 11 May 2009 13:36:02 -0500
Subject: kerberos tickets and the SPNs
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com> <4A044454.4050900@anl.gov> <73739dc10905081155m736f59cet671bcf0bad267eae@mail.gmail.com> <4A0488DA.4030708@anl.gov> <73739dc10905081259l467ed5b9u36be3e8004e4b3c5@mail.gmail.com>
Message-ID: <4A087012.9040803@anl.gov>

Markus Moeller wrote:
>
> I use also msktutil and you can find it here
> http://dag.wieers.com/rpm/packages/msktutil/

That points to:
http://download.systemimager.org/~finley/msktutil/
and Finley is here at ANL.

We now have Debian mods to 0.3.16-7 to work with W2008, and use the Windows attribute msDs-supportedEncryptionTypes so one can use AES. Anyone interested?

>
> You can also use setspn -A host/fqdn in lowercase. instead of setspn -R.
>
> BTW the original netjoin tool from MS used computer accounts not user
> accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
> http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
> I don't know why they changed their mind.
>
> Markus
>
> ----- Original Message -----
> From: "Ravi Channavajhala"
> To: "Douglas E. Engert"
> Cc: "Markus Moeller" ;
> Sent: Friday, May 08, 2009 8:59 PM
> Subject: Re: kerberos tickets and the SPNs
>
>
> Don't agree here. Natively adding a computer to AD and checking with
> setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R,
> creates two entries
>
> HOST/HOSTNAME$
> HOST/HOSTNAME$.SHORTFORM DOMAIN
>
> Both are incorrect....
>
> The point is, I can manipulate SPNs to no end, but obviously no
> success with Kerberos. My real issue is kerberos flip flopping with
> 'Server not found in Database' to 'Keytable entry incorrect Key
> version'.
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Mon, 11 May 2009 21:14:46 +0200
Subject: auth_to_local struggle
In-Reply-To: <4A083F02.8070005@mproehl.net>
References: <7DF29B50FFF41848BB2281EC2E71A206BA51AB@GEN-MXB-V04.msad.arcelor.net> <4A083F02.8070005@mproehl.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA538A@GEN-MXB-V04.msad.arcelor.net>

Thanks a lot Mark! Works fine!

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Oorspronkelijk bericht-----
Van: Mark Pröhl [mailto:mark at mproehl.net]
Verzonden: maandag 11 mei 2009 17:07
Aan: SANDERS Miguel
CC: kerberos at mit.edu
Onderwerp: Re: auth_to_local struggle

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

this works for me:

auth_to_local = RULE:[2:$1;$2@$0](root;.*@SOMEREALM)s/;.*@SOMEREALM//g

If

Mark Pröhl

miguel.sanders at arcelormittal.com wrote:
> Hi folks
>
> I'm struggling with the auth_to_local rule.
> I want the principal root/samehost.some.domain@SOMEREALM to be mapped to the user root.
> I created the following auth_to_local rule in krb5.conf
> auth_to_local = RULE:[2:$2/$1@$0](\/.*@SOMEREALM)s/\/.*@.*//
>
> I wrote a sample test program in order to verify the authorization part:
> #include <stdio.h>
> #include <stdlib.h>   /* exit() */
> #include <krb5.h>
>
> int main(int argc, const char **argv){
>     if (argc != 3) {
>         fprintf(stderr,"Number of arguments incorrect\n");
>         fprintf(stderr,"1) Kerberos Principal 2) Mapped Local User\n");
>         exit(1);
>     }
>     krb5_context context;
>     krb5_principal client;
>     krb5_boolean logon;
>
>     krb5_init_context(&context);
>     krb5_parse_name(context,argv[1],&client);
>
>     /* krb5_kuserok applies auth_to_local (and .k5login) and compares
>        the mapped name with the requested local user */
>     logon = krb5_kuserok(context, client, (char *)argv[2]);
>     if (logon)
>         fprintf(stdout,"Principal %s is authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
>     else
>         fprintf(stderr,"Principal %s is NOT authorized to login as user %s\n",(char *)argv[1],(char *)argv[2]);
>
>     krb5_free_principal(context, client);
>     krb5_free_context(context);
>     return 0;
> }
>
> Unfortunately, my test program always says the following:
>
> ./krb5 root/samehost.some.domain@SOMEREALM root
> Principal root/samehost.some.domain@SOMEREALM is NOT authorized to login as user root
>
> What's wrong with my rule? The transformation rule is correct AFAIK.
>
> Thanks for your help!
>
> Met vriendelijke groet
> Best regards
> Bien à vous
>
> Miguel SANDERS
> ArcelorMittal Gent
>
> UNIX Systems & Storage
> IT Supply Western Europe | John Kennedylaan 51
> B-9042 Gent
>
> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
> E miguel.sanders at arcelormittal.com
> www.arcelormittal.com/gent
>
> ****
> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited.
> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient.
> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
> ****
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoIPwEACgkQNP9kGj7lDw5MvACg4pKNBOmpgzttTVrg7rATIVoJ
3x8AoPdRG3m2Ccj+aIK/jy/S4Qpf+CIm
=8QJf
-----END PGP SIGNATURE-----

****
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited.
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient.
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
****

From: res at qoxp.net (Richard E. Silverman)
Date: Mon, 11 May 2009 14:34:05 -0400
Subject: Principal for Apache httpd vhost

>>>>> "Frank" == Frank Gruellich writes:

    Frank> Hi, I have a Linux server which is named goofy (as in the
    Frank> output of hostname command) with full qualified hostname
    Frank> goofy.example.com (as indicated by hostname -f on the server
    Frank> itself). DNS has an A record pointing from goofy.example.com
    Frank> to 191.168.0.123, including reverse lookup (dig confirms this,
    Frank> even at other machines). This server runs an Apache httpd with
    Frank> several vhosts configured, one of them www.example.com. This
    Frank> is configured to use mod_auth_kerb for authentication. A CNAME
    Frank> www.example.com is pointing to goofy.example.com.

    Frank> Which principal do I add to the KDC database and export to
    Frank> mod_auth_kerb's keytab? Howtos suggest using the fully
    Frank> qualified hostname, e.g. HTTP/goofy.example.com@EXAMPLE.COM.
    Frank> However, browsers have different opinions about that.
    Frank> Firefox/Seamonkey (I guess all Gecko based browsers) on Linux
    Frank> use HTTP/goofy.example.com@EXAMPLE.COM. Safari on Apple's Mac
    Frank> OS X requests HTTP/www.example.com@EXAMPLE.COM from the KDC.
    Frank> Firefox on Mac OS X behaves like the Linux version. I don't
    Frank> have more browsers available right now, but I will test others.

    Frank> What is the correct behavior and configuration? Thanks for
    Frank> your help.

try setting dns_fallback=yes in /Library/Preferences/edu.mit.Kerberos

    Frank> Kind regards,
    Frank> --
    Frank> Navteq (DE) GmbH Frank Gruellich Map24 Systems and Networks
    Frank> Duesseldorfer Strasse 40a 65760 Eschborn Germany
    Frank> Phone: +49 6196 77756-414 Fax: +49 6196 77756-100
    Frank> USt-ID-No.: DE 197947163 Managing Directors: Thomas Golob,
    Frank> Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman

--
Richard Silverman
res at qoxp.net

From: finley at anl.gov (Brian Elliott Finley)
Date: Mon, 11 May 2009 13:54:20 -0500
Subject: kerberos tickets and the SPNs
In-Reply-To: <4A087012.9040803@anl.gov>
References: <4a01d971.08b38c0a.776a.7f76@mx.google.com> <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com> <4A044454.4050900@anl.gov> <73739dc10905081155m736f59cet671bcf0bad267eae@mail.gmail.com> <4A0488DA.4030708@anl.gov> <73739dc10905081259l467ed5b9u36be3e8004e4b3c5@mail.gmail.com> <4A087012.9040803@anl.gov>
Message-ID: <4A08745C.6060108@anl.gov>

I've uploaded the latest changes:
http://download.systemimager.org/~finley/msktutil/

Douglas E. Engert wrote:
>
>
> Markus Moeller wrote:
>>
>> I use also msktutil and you can find it here
>> http://dag.wieers.com/rpm/packages/msktutil/
>
> That points to:
> http://download.systemimager.org/~finley/msktutil/
> and Finley is here at ANL.
>
> We now have Debian mods to 0.3.16-7 to work with W2008, and use the
> Windows attribute msDs-supportedEncryptionTypes so one can use AES.
> Anyone interested?
>
>>
>> You can also use setspn -A host/fqdn in lowercase. instead of setspn -R.
>>
>> BTW the original netjoin tool from MS used computer accounts not user
>> accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
>> http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
>> I don't know why they changed their mind.
>>
>> Markus
>>
>> ----- Original Message -----
>> From: "Ravi Channavajhala"
>> To: "Douglas E. Engert"
>> Cc: "Markus Moeller" ;
>> Sent: Friday, May 08, 2009 8:59 PM
>> Subject: Re: kerberos tickets and the SPNs
>>
>>
>> Don't agree here. Natively adding a computer to AD and checking with
>> setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R,
>> creates two entries
>>
>> HOST/HOSTNAME$
>> HOST/HOSTNAME$.SHORTFORM DOMAIN
>>
>> Both are incorrect....
>>
>> The point is, I can manipulate SPNs to no end, but obviously no
>> success with Kerberos. My real issue is kerberos flip flopping with
>> 'Server not found in Database' to 'Keytable entry incorrect Key
>> version'.
>>
>>
>>
>

--
Brian Elliott Finley
Deputy Manager, Unix, Storage, and Operations
Computing and Information Systems
Argonne National Laboratory
Office: 630.252.4742
Mobile: 630.631.6621

From: simon at sxw.org.uk (Simon Wilkinson)
Date: Mon, 11 May 2009 20:52:10 +0100
Subject: Principal for Apache httpd vhost

On 11 May 2009, at 19:34, Richard E. Silverman wrote:
>
> Frank> What is the correct behavior and configuration? Thanks for
> Frank> your help.

If you don't control your clients, then you want to add a principal for every name that a client may use to reach your server. And then use the 'KrbServiceName Any' option to mod_auth_kerb to allow it to use any name contained within that keytab.

S.

From: v.sricharan at gmail.com (charan)
Date: Mon, 11 May 2009 13:49:16 -0700 (PDT)
Subject: Heimdal: Delegation + Cross-realm authentication
Message-ID: <424490af-6082-4a1b-af8d-afaabc945549@d19g2000prh.googlegroups.com>

Hi,

Does Heimdal (open source implementation of Kerberos V) support cross-realm authentication by a service that is delegated to obtain credentials on behalf of a client?

Following is the use case:
1. Client delegates authentication of credentials to a service
2. The service now has privilege to get credentials / tickets on behalf of the client (in the same realm).
3. Client accesses a service on a different (but trusted) realm.

The question is, can the service that is delegated to fetch credentials on behalf of the client get the credentials for a different realm?

Thanks for the help!
Charan

From: greg at enjellic.com (greg@enjellic.com)
Date: Tue, 12 May 2009 10:04:11 -0500
Subject: Sudo w/Ticket Support
In-Reply-To: petesea@bigfoot.com "Sudo w/Ticket Support" (May 7, 11:21am)
Message-ID: <200905121504.n4CF4Bt9002178@wind.enjellic.com>

On May 7, 11:21am, petesea at bigfoot.com wrote:
} Subject: Sudo w/Ticket Support

Good morning to everyone, hope your respective weeks are going well.

> Is there a version of sudo that supports Ticket Exchange?
>
> ie. if I have a valid TGT it will allow me to sudo without being prompted
> for a password?
>
> It appears there is a version that supports the use of Kerberos passwords,
> but I'm looking for something that uses that TGT I already have.

TGT authenticated sudo transition is a bit of a security hole in general. It essentially defeats the notion which sudo has of enforcing user immediacy at the time of the security transition request.

The other major hole with using Kerberos to authenticate a password is that it defeats the underlying premise of the Kerberos security model which states that a password is never typed into a remote machine.

I've got the most recent copy of OpenSSH taken apart right now in an attempt to implement an alternative strategy. I'm teaching the client to open an authenticated channel over which a short lived host based service ticket is passed to the SSHD daemon. After authenticating the service ticket the daemon updates the timestamp on the sudo sentinel file.

The user uses the ~S command to initiate the sequence. The user is prompted for a password which is used to obtain a TGT which is then used to obtain a service ticket which is sent over the channel for authentication. By enforcing a very short ticket lifetime parameter user immediacy can be enforced.

I plan on posting the patches when they are complete. Much like Simon Wilkinson's excellent patches it is unlikely they will see the light of day but local system administrators may find them useful. They will be more palatable than the current situation with respect to Kerberized authentication for sudo. I know in the shops I work with this approach is more favored than typing in remote passwords or using NOPASSWD.

Best wishes for a productive week.

Greg

}-- End of excerpt from petesea at bigfoot.com

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"C++ is designed to allow you to express ideas, but if you don't have any ideas or don't have any clue about how to express them, C++ doesn't offer much help."
                                -- Bjarne Stroustrup
                                   Technology Review

From: pgnet.dev+krb at gmail.com (PGNet Dev)
Date: Tue, 12 May 2009 08:26:00 -0700
Subject: differences (function? performance?) between 'db2' & 'kldap' as database_module?
Message-ID: <94f2e81e0905120826g594107ecvbc3d31d85bb82780@mail.gmail.com>

hi,

i've installed the openDS ldap server to use krb5/gssapi for authentication.

can anyone point to a reference that compares/contrasts the differences using 'db2' & 'kldap' as kerberos database modules? it's clear both can be used; my question is -- what are the criteria for choosing one over the other?

thanks.

From: aashish.jaipur at gmail.com (sonu)
Date: Tue, 12 May 2009 00:04:36 -0700 (PDT)
Subject: Failed to validate remote GSSAPI token
Message-ID: <906787d4-02d4-4d41-9b6c-c665da6b86c8@i28g2000prd.googlegroups.com>

Hi all,

I am getting this error while trying to run a kerberos transaction on IIS7 with AD as KDC:

SmKcc::getCredentials][Failed to validate remote GSSAPI token: Key table entry not found

Please help.

aashish.

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Tue, 12 May 2009 20:14:45 +0100
Subject: Failed to validate remote GSSAPI token
In-Reply-To: <906787d4-02d4-4d41-9b6c-c665da6b86c8@i28g2000prd.googlegroups.com>
References: <906787d4-02d4-4d41-9b6c-c665da6b86c8@i28g2000prd.googlegroups.com>
Message-ID:

Or do you use a cname?

"sonu" wrote in message news:906787d4-02d4-4d41-9b6c-c665da6b86c8 at i28g2000prd.googlegroups.com...
> Hi all,
>
> I am getting this error while trying to run kerberos transaction on
> IIS7 with AD as KDC:
>
> SmKcc::getCredentials][Failed to validate remote GSSAPI token: Key
> table entry not found
>
> Please help.
>
> aashish.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Tue, 12 May 2009 21:35:26 +0100
Subject: Failed to validate remote GSSAPI token
In-Reply-To: <906787d4-02d4-4d41-9b6c-c665da6b86c8@i28g2000prd.googlegroups.com>
References: <906787d4-02d4-4d41-9b6c-c665da6b86c8@i28g2000prd.googlegroups.com>
Message-ID:

That looks like the client is sending a wrong token.

Markus

"sonu" wrote in message news:906787d4-02d4-4d41-9b6c-c665da6b86c8 at i28g2000prd.googlegroups.com...

From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Wed, 13 May 2009 10:17:27 -0500
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
Message-ID: <4A0AE487.9000702@clusterbee.net>

I'm attempting to build MIT Kerberos version 1.6.1 on AIX 6.1. I'm mostly in need of the client libraries and utilities.

I'm using the following special additions to the build environment:

$ export PTHREAD_LIBS="-lpthread"
$ export RPATH_FLAG="-Wl,-brtl,-blibpath:"

I'm using the following ./configure command:

$ ./configure --prefix=/usr/local/krb5-1.6.3 --enable-log-preauth-logins --enable-login-print-issue --with-multihomed-fixes --enable-app-proxy --with-passive-mode-off --without-anonymous-ftp

And I get the following results when I run it:

[snip]
configure: enabling thread support
checking for pthread_join in LIBS=-lpthread with CFLAGS=... yes
checking for joinable pthread attribute... unknown
configure: WARNING: we do not know how to create joinable pthreads
checking if more special flags are required for pthreads... -D_THREAD_SAFE
checking for cc_r... cc_r
configure: PTHREAD_CC = cc_r
configure: PTHREAD_CFLAGS = -D_THREAD_SAFE
configure: PTHREAD_LIBS = -lpthread
checking for pthread_once... yes
checking for pthread_rwlock_init... yes
configure: rechecking with PTHREAD_... options
checking for pthread_rwlock_init in -lc... yes
checking for library containing dlopen... none required
checking keyutils.h usability... no
checking keyutils.h presence... no
checking for keyutils.h... no
configure: disabling static libraries
configure: WARNING: shared libraries not supported on this architecture
configure: error: must enable one of shared or static libraries
$

Does anyone have any suggestions?

Many thanks,
-Luke

From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Wed, 13 May 2009 17:26:28 +0200
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <4A0AE487.9000702@clusterbee.net>
References: <4A0AE487.9000702@clusterbee.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net>

Luke

You should take a look at the config/shlib.conf. Apparently krb5-1.6.3 is not yet AIX 6.1 aware. Just alter the *-*-aix5*) on line 410 to e.g. *-*-aix*)

Should I file a bug report for this?

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On behalf of Luke Scharf
Sent: Wednesday, 13 May 2009 17:17
To: kerberos at mit.edu
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

****
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
****

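An added shell script (not from the thread and not part of the krb5 sources) that makes the shlib.conf edit Miguel describes as a guarded, reversible step: it refuses to touch a file where the *-*-aix5*) case arm is absent or ambiguous, keeps a .orig copy for the bug report, and verifies the substitution before reporting success. The sample file it constructs is an assumed fragment shaped like that case statement, not the real config/shlib.conf.

```shell
#!/bin/sh
# Added example: guarded version of the config/shlib.conf edit from the
# thread (change the *-*-aix5*) case arm to *-*-aix*)). Not krb5 code.

# patch_shlib_conf FILE
# Returns 0 when the arm was rewritten, 2 when the file already matches
# all AIX releases (nothing to do), 1 on any other problem.
patch_shlib_conf() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "patch_shlib_conf: no such file: $f" >&2
        return 1
    fi
    # Idempotency: a second run must not rewrite or re-back-up the file.
    if grep -q '^[[:space:]]*\*-\*-aix\*)' "$f"; then
        echo "$f: already matches every AIX release, nothing to do" >&2
        return 2
    fi
    # Expect exactly one aix5 arm; anything else means the file is not
    # laid out the way the thread describes, so stop rather than guess.
    n=$(grep -c '^[[:space:]]*\*-\*-aix5\*)' "$f" || true)
    if [ "$n" -ne 1 ]; then
        echo "$f: expected one '*-*-aix5*)' case arm, found $n" >&2
        return 1
    fi
    cp "$f" "$f.orig" || return 1   # untouched copy for the bug report
    # Keep whatever indentation the arm had; only the pattern changes.
    sed 's/^\([[:space:]]*\)\*-\*-aix5\*)/\1*-*-aix*)/' "$f.orig" > "$f" || return 1
    if ! grep -q '^[[:space:]]*\*-\*-aix\*)' "$f"; then
        echo "$f: substitution did not take effect" >&2
        return 1
    fi
    echo "$f: case arm now matches all AIX releases (original in $f.orig)"
    return 0
}

# has_aix5_arm FILE: exit 0 if the old, release-specific arm is still present.
has_aix5_arm() {
    grep -q '^[[:space:]]*\*-\*-aix5\*)' "$1"
}

# make_sample_shlib_conf DIR
# Writes a constructed fragment shaped like the case statement in
# shlib.conf (sample content, not the real file) to DIR/shlib.conf.
make_sample_shlib_conf() {
    cat > "$1/shlib.conf" <<'EOF'
case "$krb5_cv_host" in
*-*-linux*)
    SHLIBEXT=.so
    ;;
*-*-aix5*)
    SHLIBEXT=.a
    ;;
*)
    SHLIBEXT=.so
    ;;
esac
EOF
}

# Stand-alone demo on the constructed sample:  sh patch-shlib-conf.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_sample_shlib_conf "$d"
    patch_shlib_conf "$d/shlib.conf"
    cat "$d/shlib.conf"
fi
```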
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Wed, 13 May 2009 11:16:47 -0500
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <4A0AF26F.6000908@clusterbee.net>

Awesome! Editing shlib.conf did the trick, and I'm unstuck!

I do consider this a bug. If you feel like submitting the report, that would save me the trouble of figuring out and signing up for an account on the bug tracking system. If not, I'll be happy to be a good open-source citizen and submit it.

Thanks again!
-Luke

I'm still mucking with getting pthreads enabled properly, but I have a little bit more Googling to do before I can ask a proper question about that.

miguel.sanders at arcelormittal.com wrote:
> Luke
>
> You should take a look at the config/shlib.conf
> Apparently krb5-1.6.3 is not yet AIX6.1 aware.
> Just alter the *-*-aix5*) on line 410 to f.e. *-*-aix*)
>
> Should I file a bug report for this?

From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Wed, 13 May 2009 18:40:16 +0200
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <4A0AF26F.6000908@clusterbee.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net>

I'll open a bug report for it. If you have further questions on how to get this going on AIX, you can always send me a mail.

Good luck!

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

-----Original Message-----
From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
Sent: Wednesday, 13 May 2009 18:17
To: SANDERS Miguel
CC: kerberos at mit.edu
Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Wed, 13 May 2009 13:23:17 -0500
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <4A0B1015.3090000@clusterbee.net>

I'm using the same build environment as before. The pthreads error may be similar, but I haven't been able to figure out where to look to see how pthreads is detected.

Output:

checking for constructor/destructor attribute support... (cached) yes,yes
configure: enabling thread support
checking for the pthreads library -lpthreads... no
checking whether pthreads work without any flags... no
checking whether pthreads work with -Kthread... no
checking whether pthreads work with -kthread... no
checking for the pthreads library -llthread... no
checking whether pthreads work with -pthread... no
checking whether pthreads work with -pthreads... no
checking whether pthreads work with -mthreads... no
checking for the pthreads library -lpthread... no
checking whether pthreads work with --thread-safe... no
checking whether pthreads work with -mt... no
checking for pthread-config... no
configure: error: cannot determine options for enabling thread support; try --disable-thread-support
configure: error: /bin/sh './configure' failed for plugins/preauth/pkinit

Does this ring any bells?

Also, is there any big disadvantage to building the client-side libraries and utilities with --disable-thread-support?

Thanks again,
-Luke

miguel.sanders at arcelormittal.com wrote:
> I'll open a bug report for it.
> If you have further questions on how to get this going on AIX, you can always send me a mail.
>
> Good luck!

From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Wed, 13 May 2009 20:40:30 +0200
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <4A0B1015.3090000@clusterbee.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net> <4A0B1015.3090000@clusterbee.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net>

Well, I thought it wasn't really necessary to compile pthreads support since I was, just like you, only interested in the client libraries.

Could you just send the config.log part where it does the test for:

"checking for the pthreads library -lpthreads... No"

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

-----Original Message-----
From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
Sent: Wednesday, 13 May 2009 20:23
To: SANDERS Miguel; kerberos at mit.edu
Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Wed, 13 May 2009 14:14:17 -0500
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net> <4A0B1015.3090000@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <4A0B1C09.3000702@clusterbee.net>

If I unset PTHREAD_LIBS and RPATH_FLAG, the error messages look useful. Also, the make fails if I supply the --disable-thread-support flag. Here is the relevant section of the log:

configure:4930: enabling thread support
configure:5131: checking for the pthreads library -lpthreads
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -lpthreads >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5078: checking whether pthreads work without any flags
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -Kthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -Kthread conftest.c >&5
gcc: unrecognized option '-Kthread'
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -kthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -kthread conftest.c >&5
gcc: unrecognized option '-kthread'
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5131: checking for the pthreads library -llthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -llthread >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -pthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -pthread conftest.c >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -pthreads
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -pthreads conftest.c >&5
gcc: unrecognized option '-pthreads'
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -mthreads
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -mthreads conftest.c >&5
cc1: error: unrecognized command line option "-mthreads"
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5131: checking for the pthreads library -lpthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -lpthread >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with --thread-safe
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic --thread-safe conftest.c >&5
cc1: error: unrecognized command line option "-fthread-safe"
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -mt
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -mt conftest.c >&5
cc1: error: unrecognized command line option "-mt"
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h. */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
| pthread_attr_init(0); pthread_cleanup_push(0, 0);
| pthread_create(0,0,0,0); pthread_cleanup_pop(0);
| ;
| return 0;
| }
configure:5202: result: no
configure:5091: checking for pthread-config
configure:5118: result: no
configure:5403: error: cannot determine options for enabling thread support; try --disable-thread-support

Any thoughts?

Thanks,
-Luke


miguel.sanders at arcelormittal.com wrote:
> Well, I thought it wasn't really necessary to compile pthreads support since I was, just like you, only interested in the client libraries.
> Could you just send the config.log part where it does the test for:
> "checking for the pthreads library -lpthreads... No"
>
>
> Kind regards
> Best regards
> Yours sincerely
>
> Miguel SANDERS
> ArcelorMittal Gent
>
> UNIX Systems & Storage
> IT Supply Western Europe | John Kennedylaan 51
> B-9042 Gent
>
> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
> E miguel.sanders at arcelormittal.com
> www.arcelormittal.com/gent
>
> -----Original Message-----
> From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
> Sent: Wednesday, 13 May 2009 20:23
> To: SANDERS Miguel; kerberos at mit.edu
> Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
>
> I'm using the same build-environment as before. The pthreads error may be similar, but I haven't been able to figure out where to look to see how pthreads is detected.
>
> Output:
>
> checking for constructor/destructor attribute support... (cached) yes,yes
> configure: enabling thread support
> checking for the pthreads library -lpthreads... no
> checking whether pthreads work without any flags... no
> checking whether pthreads work with -Kthread... no
> checking whether pthreads work with -kthread... no
> checking for the pthreads library -llthread... no
> checking whether pthreads work with -pthread... no
> checking whether pthreads work with -pthreads... no
> checking whether pthreads work with -mthreads... no
> checking for the pthreads library -lpthread... no
> checking whether pthreads work with --thread-safe... no
> checking whether pthreads work with -mt... no
> checking for pthread-config... no
> configure: error: cannot determine options for enabling thread support; try --disable-thread-support
> configure: error: /bin/sh './configure' failed for plugins/preauth/pkinit
>
>
>
>
> Does this ring any bells?
>
> Also, is there any big disadvantage to building the client-side libraries and utilities with --disable-thread-support?
>
> Thanks again,
> -Luke
>
>
>
> miguel.sanders at arcelormittal.com wrote:
>
>> I'll open a bug report for it.
>> If you have further questions on how to get this going on AIX, you can always send me a mail.
>>
>> Good luck!
>>
>>
>> Kind regards
>> Best regards
>> Yours sincerely
>>
>> Miguel SANDERS
>> ArcelorMittal Gent
>>
>> UNIX Systems & Storage
>> IT Supply Western Europe | John Kennedylaan 51
>> B-9042 Gent
>>
>> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
>> E miguel.sanders at arcelormittal.com
>> www.arcelormittal.com/gent
>>
>> -----Original Message-----
>> From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
>> Sent: Wednesday, 13 May 2009 18:17
>> To: SANDERS Miguel
>> CC: kerberos at mit.edu
>> Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
>>
>> Awesome! Editing shlib.conf did the trick, and I'm unstuck!
>>
>> I do consider this a bug. If you feel like submitting the report, that would save me the trouble of figuring out and signing up for an account on the bug tracking system. If not, I'll be happy to be a good open-source citizen and submit it.
>>
>> Thanks again!
>> -Luke
>>
>> I'm still mucking with getting pthreads enabled properly, but I have a little bit more Googling to do before I can ask a proper question about that.
>>
>>
>> miguel.sanders at arcelormittal.com wrote:
>>
>>
>>> Luke
>>>
>>> You should take a look at the config/shlib.conf Apparently krb5-1.6.3
>>> is not yet AIX6.1 aware.
>>> Just alter the *-*-aix5*) on line 410 to f.e. *-*-aix*)
>>>
>>> Should I file a bug report for this?
>>>
>>>
>>> Kind regards
>>> Best regards
>>> Yours sincerely
>>>
>>> Miguel SANDERS
>>> ArcelorMittal Gent
>>>
>>> UNIX Systems & Storage
>>> IT Supply Western Europe | John Kennedylaan 51
>>> B-9042 Gent
>>>
>>> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
>>> E miguel.sanders at arcelormittal.com
>>> www.arcelormittal.com/gent
>>>
>>> -----Original Message-----
>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]
>>> On Behalf Of Luke Scharf
>>> Sent: Wednesday, 13 May 2009 17:17
>>> To: kerberos at mit.edu
>>> Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
>>>
>>> I'm attempting to build MIT Kerberos version 1.6.1 on AIX 6.1. I'm mostly in need of the client libraries and utilities.
>>>
>>> I'm using the following special additions to the build environment:
>>>
>>> $ export PTHREAD_LIBS="-lpthread"
>>> $ export RPATH_FLAG="-Wl,-brtl,-blibpath:"
>>>
>>>
>>> I'm using the following ./configure command:
>>>
>>> $ ./configure --prefix=/usr/local/krb5-1.6.3
>>> --enable-log-preauth-logins --enable-login-print-issue
>>> --with-multihomed-fixes --enable-app-proxy --with-passive-mode-off
>>> --without-anonymous-ftp
>>>
>>>
>>> And I get the following results when I run it:
>>>
>>> [snip]
>>> configure: enabling thread support
>>> checking for pthread_join in LIBS=-lpthread with CFLAGS=... yes
>>> checking for joinable pthread attribute... unknown
>>> configure: WARNING: we do not know how to create joinable pthreads
>>> checking if more special flags are required for pthreads... -D_THREAD_SAFE
>>> checking for cc_r... cc_r
>>> configure: PTHREAD_CC = cc_r
>>> configure: PTHREAD_CFLAGS = -D_THREAD_SAFE
>>> configure: PTHREAD_LIBS = -lpthread
>>> checking for pthread_once... yes
>>> checking for pthread_rwlock_init... yes
>>> configure: rechecking with PTHREAD_... options
>>> checking for pthread_rwlock_init in -lc... yes
>>> checking for library containing dlopen... none required
>>> checking keyutils.h usability... no
>>> checking keyutils.h presence... no
>>> checking for keyutils.h... no
>>> configure: disabling static libraries
>>> configure: WARNING: shared libraries not supported on this architecture
>>> configure: error: must enable one of shared or static libraries
>>> $
>>>
>>>
>>> Does anyone have any suggestions?
>>>
>>> Many thanks,
>>> -Luke
>>>
>>>
>>>
>>>
>> ****
>> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
>> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited.
>> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient.
>> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. >> **** >> >> > > > **** > This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. > If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. > Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. > This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. > **** > From luke.scharf at clusterbee.net Wed May 13 15:14:25 2009 
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Wed, 13 May 2009 14:14:25 -0500
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net> <4A0B1015.3090000@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <4A0B1C11.1060303@clusterbee.net>

If I unset PTHREAD_LIBS and RPATH_FLAG, the error messages look useful. Also, the make fails if I supply the --disable-thread-support flag.

Here is the relevant section of the log:

configure:4930: enabling thread support
configure:5131: checking for the pthreads library -lpthreads
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -lpthreads >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5078: checking whether pthreads work without any flags
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -Kthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -Kthread conftest.c >&5
gcc: unrecognized option '-Kthread'
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -kthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -kthread conftest.c >&5
gcc: unrecognized option '-kthread'
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5131: checking for the pthreads library -llthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -llthread >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -pthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -pthread conftest.c >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -pthreads
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -pthreads conftest.c >&5
gcc: unrecognized option '-pthreads'
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -mthreads
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -mthreads conftest.c >&5
cc1: error: unrecognized command line option "-mthreads"
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5131: checking for the pthreads library -lpthread
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -lpthread >&5
In file included from /usr/include/sys/cred.h:49,
                 from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
/usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
In file included from /usr/include/sys/thread.h:43,
                 from /usr/include/sys/ptrace.h:28,
                 from /usr/include/sys/proc.h:48,
                 from /usr/include/sys/pri.h:43,
                 from /usr/include/sys/sched.h:38,
                 from /usr/include/sched.h:51,
                 from /usr/include/pthread.h:64,
                 from conftest.c:34:
/usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
In file included from /usr/include/pthread.h:66,
                 from conftest.c:34:
/usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with --thread-safe
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic --thread-safe conftest.c >&5
cc1: error: unrecognized command line option "-fthread-safe"
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5083: checking whether pthreads work with -mt
configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -mt conftest.c >&5
cc1: error: unrecognized command line option "-mt"
configure:5175: $? = 1
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.6.3"
| #define PACKAGE_STRING "Kerberos 5 1.6.3"
| #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define KRB5_KRB4_COMPAT 1
| #define HAVE_BT_RSEQ 1
| #define KRB5_DNS_LOOKUP_KDC 1
| #define KRB5_DNS_LOOKUP 1
| #define HAVE_RES_NINIT 1
| #define HAVE_RES_NCLOSE 1
| #define HAVE_RES_NSEARCH 1
| #define HAVE_NS_INITPARSE 1
| #define HAVE_NS_NAME_UNCOMPRESS 1
| #define HAVE_DN_SKIPNAME 1
| #define HAVE_RES_SEARCH 1
| #define DELAY_INITIALIZER 1
| #define CONSTRUCTOR_ATTR_WORKS 1
| #define DESTRUCTOR_ATTR_WORKS 1
| #define USE_LINKER_FINI_OPTION 1
| #define ENABLE_THREADS 1
| /* end confdefs.h.  */
| #include <pthread.h>
| int
| main ()
| {
| pthread_t th; pthread_join(th, 0);
|                      pthread_attr_init(0); pthread_cleanup_push(0, 0);
|                      pthread_create(0,0,0,0); pthread_cleanup_pop(0);
|   ;
|   return 0;
| }
configure:5202: result: no
configure:5091: checking for pthread-config
configure:5118: result: no
configure:5403: error: cannot determine options for enabling thread support; try --disable-thread-support

Any thoughts?

Thanks,
-Luke


miguel.sanders at arcelormittal.com wrote:
> Well, I thought it wasn't really necessary to compile pthreads support since I was, just like you, only interested in the client libraries.
> Could you just send the config.log part where it does the test for:
> "checking for the pthreads library -lpthreads... No"
>
>
> Kind regards
> Best regards
> Yours sincerely
no >>> checking for keyutils.h... no >>> configure: disabling static libraries >>> configure: WARNING: shared libraries not supported on this architecture >>> configure: error: must enable one of shared or static libraries >>> $ >>> >>> >>> Does anyone have any suggestions? >>> >>> Many thanks, >>> -Luke >>> >>> >>> >>> ________________________________________________ >>> Kerberos mailing list Kerberos at mit.edu >>> https://mailman.mit.edu/mailman/listinfo/kerberos >>> >>> **** >>> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. >>> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. >>> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. >>> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. >>> **** >>> >>> >>> >> **** >> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. >> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. >> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
>> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. >> **** >> >> > > > **** > This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. > If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. > Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. > This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. > **** > From miguel.sanders at arcelormittal.com Wed May 13 15:21:12 2009 
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Wed, 13 May 2009 21:21:12 +0200
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <4A0B1C09.3000702@clusterbee.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net> <4A0B1015.3090000@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net> <4A0B1C09.3000702@clusterbee.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA576D@GEN-MXB-V04.msad.arcelor.net>

Luke

I have seen similar errors in the past and I couldn't figure them out either. Then I used IBM XLC instead of gcc and then everything went fine (never really knew what the problem was).
Do you want me to compile the client libs with cc? If so, 32 or 64 bit?

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original message-----
From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
Sent: Wednesday 13 May 2009 21:14
To: SANDERS Miguel
CC: kerberos at mit.edu
Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

If I unset PTHREAD_LIBS and RPATH_FLAG, the error messages look useful. Also the make fails if I supply the --disable-thread-support flag.
vous >>> >>> Miguel SANDERS >>> ArcelorMittal Gent >>> >>> UNIX Systems & Storage >>> IT Supply Western Europe | John Kennedylaan 51 >>> B-9042 Gent >>> >>> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E >>> miguel.sanders at arcelormittal.com www.arcelormittal.com/gent >>> >>> -----Oorspronkelijk bericht----- >>> Van: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] >>> Namens Luke Scharf >>> Verzonden: woensdag 13 mei 2009 17:17 >>> Aan: kerberos at mit.edu >>> Onderwerp: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1? >>> >>> I'm attempting to build MIT Kerberos version 1.6.1 on AIX 6.1. I'm mostly in need of the client libraries and utilities. >>> >>> I'm using the following special additions to the build environment: >>> >>> $ export PTHREAD_LIBS="-lpthread" >>> $ export RPATH_FLAG="-Wl,-brtl,-blibpath:" >>> >>> >>> I'm using the following ./configure command: >>> >>> $ ./configure --prefix=/usr/local/krb5-1.6.3 >>> --enable-log-preauth-logins --enable-login-print-issue >>> --with-multihomed-fixes --enable-app-proxy --with-passive-mode-off >>> --without-anonymous-ftp >>> >>> >>> And I get the following results when I run it: >>> >>> [snip] >>> configure: enabling thread support >>> checking for pthread_join in LIBS=-lpthread with CFLAGS=... yes >>> checking for joinable pthread attribute... unknown >>> configure: WARNING: we do not know how to create joinable pthreads >>> checking if more special flags are required for pthreads... -D_THREAD_SAFE >>> checking for cc_r... cc_r >>> configure: PTHREAD_CC = cc_r >>> configure: PTHREAD_CFLAGS = -D_THREAD_SAFE >>> configure: PTHREAD_LIBS = -lpthread >>> checking for pthread_once... yes >>> checking for pthread_rwlock_init... yes >>> configure: rechecking with PTHREAD_... options >>> checking for pthread_rwlock_init in -lc... yes >>> checking for library containing dlopen... none required >>> checking keyutils.h usability... no >>> checking keyutils.h presence... 
no >>> checking for keyutils.h... no >>> configure: disabling static libraries >>> configure: WARNING: shared libraries not supported on this architecture >>> configure: error: must enable one of shared or static libraries >>> $ >>> >>> >>> Does anyone have any suggestions? >>> >>> Many thanks, >>> -Luke >>> >>> >>> >>> ________________________________________________ >>> Kerberos mailing list Kerberos at mit.edu >>> https://mailman.mit.edu/mailman/listinfo/kerberos >>> >>> **** >>> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. >>> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. >>> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. >>> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. >>> **** >>> >>> >>> >> **** >> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. >> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. >> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
>> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. >> **** >> >> > > > **** > This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. > If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. > Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. > This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. > **** > **** This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. **** From raeburn at MIT.EDU Wed May 13 16:35:55 2009 
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 13 May 2009 16:35:55 -0400
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <4A0B1C11.1060303@clusterbee.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net> <4A0B1015.3090000@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net> <4A0B1C11.1060303@clusterbee.net>
Message-ID:

On May 13, 2009, at 15:14, Luke Scharf wrote:
> Here is the relevant section of the log:
>
> configure:4930: enabling thread support
> configure:5131: checking for the pthreads library -lpthreads
> configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -lpthreads >&5
> In file included from /usr/include/sys/cred.h:49,
>                  from /usr/include/sys/thread.h:43,
>                  from /usr/include/sys/ptrace.h:28,
>                  from /usr/include/sys/proc.h:48,
>                  from /usr/include/sys/pri.h:43,
>                  from /usr/include/sys/sched.h:38,
>                  from /usr/include/sched.h:51,
>                  from /usr/include/pthread.h:64,
>                  from conftest.c:34:
> /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'

This sounds like the configure script found GCC on the system, but GCC can't compile some of the system headers. (Or, maybe certain headers require the prior inclusion of certain other headers that the tests aren't set up to do.) If you want to keep a broken GCC installation on your system, use the CC=... option to configure to force it to use the IBM compiler.

The main autoconf code for testing thread compilation options is in src/config/ac-archive/acx_pthread.m4.

I'm curious what fails when you try to disable thread support and build it, but if it's just another case of GCC not handling system headers, you might follow that up on a GCC support list.

(From my experience with GCC, I'd suggest some things to check for at first:
The install location for GCC was changed somehow so it lost track of where to find its "fixed" copy of some system headers that are adjusted to remove constructs that depend on the native compiler.
An old GCC installation predates a major OS upgrade that changed system headers in a significant way, leading to inconsistencies.
An old version of GCC where the header-fixing script didn't know about some interesting quirks added in the latest OS rev.)

Also, make sure you're using a fresh build tree (or a clean source tree, if you're building inside the source tree) when you switch compilers. For performance, the configure script caches some information about the build environment so it doesn't have to be re-checked if the script is run again, but if you've switched compilers that information may be invalid.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From miguel.sanders at arcelormittal.com Wed May 13 15:34:47 2009
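Ken's diagnosis above comes from reading config.log: every pthread probe dies with errors inside /usr/include before the link step is ever reached, which points at the compiler rather than at the absence of a threads library. The script below is an added example, not code from this thread, from the krb5 tree or from acx_pthread.m4; it automates that triage. It assumes config.log contains the `configure:NNNN: checking ...` / `configure:NNNN: result: ...` pairs shown in the excerpts above, and the sample log it writes is constructed from those excerpts so the script runs offline.

```shell
#!/bin/sh
# pthread_triage.sh: summarise the pthread probes in an autoconf config.log
# and say why they failed.  Added example; not part of krb5 or acx_pthread.m4.
# Assumption: probe/result lines look like
#   configure:5131: checking for the pthreads library -lpthreads
#   configure:5202: result: no
# as in the config.log excerpts quoted in this thread.

# List every pthread-related probe with its result, one per line, e.g.
#   for the pthreads library -lpthreads => no
pthread_probe_results() {
    awk '
        /^configure:[0-9]+: checking / {
            probe = $0
            sub(/^configure:[0-9]+: checking /, "", probe)
            # only probes that concern pthreads; any other check resets state
            if (probe !~ /pthread/) probe = ""
            next
        }
        /^configure:[0-9]+: result: / && probe != "" {
            res = $0
            sub(/^configure:[0-9]+: result: /, "", res)
            print probe " => " res
            probe = ""
        }
    ' "$1"
}

# Classify the failure:
#   ok      - at least one probe succeeded
#   headers - the compiler cannot parse the system headers; no probe reached
#             the link step, so the log says nothing about the threads library
#   flags   - only "unrecognized option" errors, i.e. none of the flags tried
#             is the one this compiler wants
#   unknown - none of the patterns above matched; read the log by hand
pthread_failure_class() {
    if pthread_probe_results "$1" | grep -q '=> yes$'; then
        echo ok
    elif grep -q '^/usr/include/.*: error: ' "$1"; then
        echo headers
    elif grep -q 'unrecognized .*option' "$1"; then
        echo flags
    else
        echo unknown
    fi
}

# Constructed sample modelled on the gcc-on-AIX excerpt in this thread
# (shortened command lines); $1 = path to write.
pthread_write_sample_log() {
    cat > "$1" <<'EOF'
configure:4930: enabling thread support
configure:5131: checking for the pthreads library -lpthreads
configure:5169: gcc -o conftest -g -O2 -Wall conftest.c -lpthreads >&5
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
configure:5175: $? = 1
configure:5202: result: no
configure:5078: checking whether pthreads work without any flags
configure:5169: gcc -o conftest -g -O2 -Wall conftest.c >&5
/usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
configure:5175: $? = 1
configure:5202: result: no
configure:5091: checking for pthread-config
configure:5118: result: no
configure:5403: error: cannot determine options for enabling thread support; try --disable-thread-support
EOF
}

# Usage: sh pthread_triage.sh [config.log]; with no argument the sample is used.
if [ $# -eq 0 ]; then
    sample="${TMPDIR:-/tmp}/pthread_triage.$$"
    pthread_write_sample_log "$sample"
    pthread_probe_results "$sample"
    pthread_failure_class "$sample"
    rm -f "$sample"
else
    pthread_probe_results "$1"
    pthread_failure_class "$1"
fi
```

On the sample the script prints the three probes, each `=> no`, followed by `headers`. That class is the case Ken's `CC=...` advice addresses: the probes never got past the preprocessor, so the result carries no information about whether pthreads work on the machine, and it is not evidence for falling back to `--disable-thread-support`. A `flags` result instead means the probe list in acx_pthread.m4 never tried the option your compiler expects. Run it against the real config.log after a `CC=xlc` configure in a fresh build tree to confirm the class has changed to `ok`.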
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Wed, 13 May 2009 21:34:47 +0200
Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
In-Reply-To: <4A0B2066.4070909@clusterbee.net>
References: <4A0AE487.9000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5755@GEN-MXB-V04.msad.arcelor.net> <4A0AF26F.6000908@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5764@GEN-MXB-V04.msad.arcelor.net> <4A0B1015.3090000@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA5769@GEN-MXB-V04.msad.arcelor.net> <4A0B1C09.3000702@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BA576D@GEN-MXB-V04.msad.arcelor.net> <4A0B2066.4070909@clusterbee.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BA576E@GEN-MXB-V04.msad.arcelor.net>

Indeed :-)
Good luck!

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

-----Original message-----
From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
Sent: Wednesday 13 May 2009 21:33
To: SANDERS Miguel
CC: kerberos at mit.edu
Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

I had the same thought, after looking at the log you requested. When I defined CC=xlc, the configure finished and the build is off and running!

I guess the moral of the story is to do things IBM's way on IBM's platform. :-)

Many thanks,
-Luke

miguel.sanders at arcelormittal.com wrote:
> Luke
>
> I have seen similar errors in the past and I couldn't figure them out either.
> Then I used IBM XLC instead of gcc and then everything went fine (never really knew what the problem was).
> Do you want me to compile the client libs with cc? If so, 32 or 64 bit?
>
>
> With kind regards
> Best regards
> Yours sincerely
>
> Miguel SANDERS
> ArcelorMittal Gent
>
> -----Original message-----
> From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
> Sent: Wednesday 13 May 2009 21:14
> To: SANDERS Miguel
> CC: kerberos at mit.edu
> Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
>
> If I unset PTHREAD_LIBS and RPATH_FLAG, the error messages look useful.
> Also the make fails if I supply the --disable-thread-support flag.
>
> Here is the relevant section of the log:
>
> configure:4930: enabling thread support
> configure:5131: checking for the pthreads library -lpthreads
> configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -lpthreads >&5
> In file included from /usr/include/sys/cred.h:49,
>                  from /usr/include/sys/thread.h:43,
>                  from /usr/include/sys/ptrace.h:28,
>                  from /usr/include/sys/proc.h:48,
>                  from /usr/include/sys/pri.h:43,
>                  from /usr/include/sys/sched.h:38,
>                  from /usr/include/sched.h:51,
>                  from /usr/include/pthread.h:64,
>                  from conftest.c:34:
> /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
> /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
> In file included from /usr/include/sys/thread.h:43,
>                  from /usr/include/sys/ptrace.h:28,
>                  from /usr/include/sys/proc.h:48,
>                  from /usr/include/sys/pri.h:43,
>                  from /usr/include/sys/sched.h:38,
>                  from /usr/include/sched.h:51,
>                  from /usr/include/pthread.h:64,
>                  from conftest.c:34:
> /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
> In file included from /usr/include/pthread.h:66,
>                  from conftest.c:34:
> /usr/include/unistd.h:923: error: expected ')' before '[' token
/usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t' > configure:5175: $? = 1 > configure: failed program was: > | /* confdefs.h. */ > | > | #define PACKAGE_NAME "Kerberos 5" > | #define PACKAGE_TARNAME "krb5" > | #define PACKAGE_VERSION "1.6.3" > | #define PACKAGE_STRING "Kerberos 5 1.6.3" > | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu" > | #define STDC_HEADERS 1 > | #define HAVE_SYS_TYPES_H 1 > | #define HAVE_SYS_STAT_H 1 > | #define HAVE_STDLIB_H 1 > | #define HAVE_STRING_H 1 > | #define HAVE_MEMORY_H 1 > | #define HAVE_STRINGS_H 1 > | #define HAVE_INTTYPES_H 1 > | #define HAVE_STDINT_H 1 > | #define KRB5_KRB4_COMPAT 1 > | #define HAVE_BT_RSEQ 1 > | #define KRB5_DNS_LOOKUP_KDC 1 > | #define KRB5_DNS_LOOKUP 1 > | #define HAVE_RES_NINIT 1 > | #define HAVE_RES_NCLOSE 1 > | #define HAVE_RES_NSEARCH 1 > | #define HAVE_NS_INITPARSE 1 > | #define HAVE_NS_NAME_UNCOMPRESS 1 > | #define HAVE_DN_SKIPNAME 1 > | #define HAVE_RES_SEARCH 1 > | #define DELAY_INITIALIZER 1 > | #define CONSTRUCTOR_ATTR_WORKS 1 > | #define DESTRUCTOR_ATTR_WORKS 1 > | #define USE_LINKER_FINI_OPTION 1 > | #define ENABLE_THREADS 1 > | /* end confdefs.h. 
*/ > | #include > | int > | main () > | { > | pthread_t th; pthread_join(th, 0); > | pthread_attr_init(0); pthread_cleanup_push(0, 0); > | pthread_create(0,0,0,0); pthread_cleanup_pop(0); > | ; > | return 0; > | } > configure:5202: result: no > configure:5078: checking whether pthreads work without any flags > configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c >&5 > In file included from /usr/include/sys/cred.h:49, > from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t' > /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t' > In file included from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t' > In file included from /usr/include/pthread.h:66, > from conftest.c:34: > /usr/include/unistd.h:923: error: expected ')' before '[' token > /usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t' > configure:5175: $? = 1 > configure: failed program was: > | /* confdefs.h. 
*/ > | > | #define PACKAGE_NAME "Kerberos 5" > | #define PACKAGE_TARNAME "krb5" > | #define PACKAGE_VERSION "1.6.3" > | #define PACKAGE_STRING "Kerberos 5 1.6.3" > | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu" > | #define STDC_HEADERS 1 > | #define HAVE_SYS_TYPES_H 1 > | #define HAVE_SYS_STAT_H 1 > | #define HAVE_STDLIB_H 1 > | #define HAVE_STRING_H 1 > | #define HAVE_MEMORY_H 1 > | #define HAVE_STRINGS_H 1 > | #define HAVE_INTTYPES_H 1 > | #define HAVE_STDINT_H 1 > | #define KRB5_KRB4_COMPAT 1 > | #define HAVE_BT_RSEQ 1 > | #define KRB5_DNS_LOOKUP_KDC 1 > | #define KRB5_DNS_LOOKUP 1 > | #define HAVE_RES_NINIT 1 > | #define HAVE_RES_NCLOSE 1 > | #define HAVE_RES_NSEARCH 1 > | #define HAVE_NS_INITPARSE 1 > | #define HAVE_NS_NAME_UNCOMPRESS 1 > | #define HAVE_DN_SKIPNAME 1 > | #define HAVE_RES_SEARCH 1 > | #define DELAY_INITIALIZER 1 > | #define CONSTRUCTOR_ATTR_WORKS 1 > | #define DESTRUCTOR_ATTR_WORKS 1 > | #define USE_LINKER_FINI_OPTION 1 > | #define ENABLE_THREADS 1 > | /* end confdefs.h. 
*/ > | #include > | int > | main () > | { > | pthread_t th; pthread_join(th, 0); > | pthread_attr_init(0); pthread_cleanup_push(0, 0); > | pthread_create(0,0,0,0); pthread_cleanup_pop(0); > | ; > | return 0; > | } > configure:5202: result: no > configure:5083: checking whether pthreads work with -Kthread > configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -Kthread conftest.c >&5 > gcc: unrecognized option '-Kthread' > In file included from /usr/include/sys/cred.h:49, > from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t' > /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t' > In file included from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t' > In file included from /usr/include/pthread.h:66, > from conftest.c:34: > /usr/include/unistd.h:923: error: expected ')' before '[' token > /usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t' > configure:5175: $? = 1 > configure: failed program was: > | /* confdefs.h. 
*/ > | > | #define PACKAGE_NAME "Kerberos 5" > | #define PACKAGE_TARNAME "krb5" > | #define PACKAGE_VERSION "1.6.3" > | #define PACKAGE_STRING "Kerberos 5 1.6.3" > | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu" > | #define STDC_HEADERS 1 > | #define HAVE_SYS_TYPES_H 1 > | #define HAVE_SYS_STAT_H 1 > | #define HAVE_STDLIB_H 1 > | #define HAVE_STRING_H 1 > | #define HAVE_MEMORY_H 1 > | #define HAVE_STRINGS_H 1 > | #define HAVE_INTTYPES_H 1 > | #define HAVE_STDINT_H 1 > | #define KRB5_KRB4_COMPAT 1 > | #define HAVE_BT_RSEQ 1 > | #define KRB5_DNS_LOOKUP_KDC 1 > | #define KRB5_DNS_LOOKUP 1 > | #define HAVE_RES_NINIT 1 > | #define HAVE_RES_NCLOSE 1 > | #define HAVE_RES_NSEARCH 1 > | #define HAVE_NS_INITPARSE 1 > | #define HAVE_NS_NAME_UNCOMPRESS 1 > | #define HAVE_DN_SKIPNAME 1 > | #define HAVE_RES_SEARCH 1 > | #define DELAY_INITIALIZER 1 > | #define CONSTRUCTOR_ATTR_WORKS 1 > | #define DESTRUCTOR_ATTR_WORKS 1 > | #define USE_LINKER_FINI_OPTION 1 > | #define ENABLE_THREADS 1 > | /* end confdefs.h. 
*/ > | #include > | int > | main () > | { > | pthread_t th; pthread_join(th, 0); > | pthread_attr_init(0); pthread_cleanup_push(0, 0); > | pthread_create(0,0,0,0); pthread_cleanup_pop(0); > | ; > | return 0; > | } > configure:5202: result: no > configure:5083: checking whether pthreads work with -kthread > configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -kthread conftest.c >&5 > gcc: unrecognized option '-kthread' > In file included from /usr/include/sys/cred.h:49, > from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t' > /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t' > In file included from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t' > In file included from /usr/include/pthread.h:66, > from conftest.c:34: > /usr/include/unistd.h:923: error: expected ')' before '[' token > /usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t' > configure:5175: $? = 1 > configure: failed program was: > | /* confdefs.h. 
*/ > | > | #define PACKAGE_NAME "Kerberos 5" > | #define PACKAGE_TARNAME "krb5" > | #define PACKAGE_VERSION "1.6.3" > | #define PACKAGE_STRING "Kerberos 5 1.6.3" > | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu" > | #define STDC_HEADERS 1 > | #define HAVE_SYS_TYPES_H 1 > | #define HAVE_SYS_STAT_H 1 > | #define HAVE_STDLIB_H 1 > | #define HAVE_STRING_H 1 > | #define HAVE_MEMORY_H 1 > | #define HAVE_STRINGS_H 1 > | #define HAVE_INTTYPES_H 1 > | #define HAVE_STDINT_H 1 > | #define KRB5_KRB4_COMPAT 1 > | #define HAVE_BT_RSEQ 1 > | #define KRB5_DNS_LOOKUP_KDC 1 > | #define KRB5_DNS_LOOKUP 1 > | #define HAVE_RES_NINIT 1 > | #define HAVE_RES_NCLOSE 1 > | #define HAVE_RES_NSEARCH 1 > | #define HAVE_NS_INITPARSE 1 > | #define HAVE_NS_NAME_UNCOMPRESS 1 > | #define HAVE_DN_SKIPNAME 1 > | #define HAVE_RES_SEARCH 1 > | #define DELAY_INITIALIZER 1 > | #define CONSTRUCTOR_ATTR_WORKS 1 > | #define DESTRUCTOR_ATTR_WORKS 1 > | #define USE_LINKER_FINI_OPTION 1 > | #define ENABLE_THREADS 1 > | /* end confdefs.h. 
*/ > | #include > | int > | main () > | { > | pthread_t th; pthread_join(th, 0); > | pthread_attr_init(0); pthread_cleanup_push(0, 0); > | pthread_create(0,0,0,0); pthread_cleanup_pop(0); > | ; > | return 0; > | } > configure:5202: result: no > configure:5131: checking for the pthreads library -llthread > configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -llthread >&5 > In file included from /usr/include/sys/cred.h:49, > from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t' > /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t' > In file included from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t' > In file included from /usr/include/pthread.h:66, > from conftest.c:34: > /usr/include/unistd.h:923: error: expected ')' before '[' token > /usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t' > configure:5175: $? = 1 > configure: failed program was: > | /* confdefs.h. 
*/ > | > | #define PACKAGE_NAME "Kerberos 5" > | #define PACKAGE_TARNAME "krb5" > | #define PACKAGE_VERSION "1.6.3" > | #define PACKAGE_STRING "Kerberos 5 1.6.3" > | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu" > | #define STDC_HEADERS 1 > | #define HAVE_SYS_TYPES_H 1 > | #define HAVE_SYS_STAT_H 1 > | #define HAVE_STDLIB_H 1 > | #define HAVE_STRING_H 1 > | #define HAVE_MEMORY_H 1 > | #define HAVE_STRINGS_H 1 > | #define HAVE_INTTYPES_H 1 > | #define HAVE_STDINT_H 1 > | #define KRB5_KRB4_COMPAT 1 > | #define HAVE_BT_RSEQ 1 > | #define KRB5_DNS_LOOKUP_KDC 1 > | #define KRB5_DNS_LOOKUP 1 > | #define HAVE_RES_NINIT 1 > | #define HAVE_RES_NCLOSE 1 > | #define HAVE_RES_NSEARCH 1 > | #define HAVE_NS_INITPARSE 1 > | #define HAVE_NS_NAME_UNCOMPRESS 1 > | #define HAVE_DN_SKIPNAME 1 > | #define HAVE_RES_SEARCH 1 > | #define DELAY_INITIALIZER 1 > | #define CONSTRUCTOR_ATTR_WORKS 1 > | #define DESTRUCTOR_ATTR_WORKS 1 > | #define USE_LINKER_FINI_OPTION 1 > | #define ENABLE_THREADS 1 > | /* end confdefs.h. 
*/ > | #include > | int > | main () > | { > | pthread_t th; pthread_join(th, 0); > | pthread_attr_init(0); pthread_cleanup_push(0, 0); > | pthread_create(0,0,0,0); pthread_cleanup_pop(0); > | ; > | return 0; > | } > configure:5202: result: no > configure:5083: checking whether pthreads work with -pthread > configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -pthread conftest.c >&5 > In file included from /usr/include/sys/cred.h:49, > from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t' > /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t' > In file included from /usr/include/sys/thread.h:43, > from /usr/include/sys/ptrace.h:28, > from /usr/include/sys/proc.h:48, > from /usr/include/sys/pri.h:43, > from /usr/include/sys/sched.h:38, > from /usr/include/sched.h:51, > from /usr/include/pthread.h:64, > from conftest.c:34: > /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t' > In file included from /usr/include/pthread.h:66, > from conftest.c:34: > /usr/include/unistd.h:923: error: expected ')' before '[' token > /usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t' > configure:5175: $? = 1 > configure: failed program was: > | /* confdefs.h. 
*/
> |
> | #define PACKAGE_NAME "Kerberos 5"
> | #define PACKAGE_TARNAME "krb5"
> | #define PACKAGE_VERSION "1.6.3"
> | #define PACKAGE_STRING "Kerberos 5 1.6.3"
> | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_STDINT_H 1
> | #define KRB5_KRB4_COMPAT 1
> | #define HAVE_BT_RSEQ 1
> | #define KRB5_DNS_LOOKUP_KDC 1
> | #define KRB5_DNS_LOOKUP 1
> | #define HAVE_RES_NINIT 1
> | #define HAVE_RES_NCLOSE 1
> | #define HAVE_RES_NSEARCH 1
> | #define HAVE_NS_INITPARSE 1
> | #define HAVE_NS_NAME_UNCOMPRESS 1
> | #define HAVE_DN_SKIPNAME 1
> | #define HAVE_RES_SEARCH 1
> | #define DELAY_INITIALIZER 1
> | #define CONSTRUCTOR_ATTR_WORKS 1
> | #define DESTRUCTOR_ATTR_WORKS 1
> | #define USE_LINKER_FINI_OPTION 1
> | #define ENABLE_THREADS 1
> | /* end confdefs.h. */
> | #include <pthread.h>
> | int
> | main ()
> | {
> | pthread_t th; pthread_join(th, 0);
> | pthread_attr_init(0); pthread_cleanup_push(0, 0);
> | pthread_create(0,0,0,0); pthread_cleanup_pop(0);
> | ;
> | return 0;
> | }
> configure:5202: result: no
> configure:5083: checking whether pthreads work with -pthreads
> configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -pthreads conftest.c >&5
> gcc: unrecognized option '-pthreads'
> In file included from /usr/include/sys/cred.h:49,
>                  from /usr/include/sys/thread.h:43,
>                  from /usr/include/sys/ptrace.h:28,
>                  from /usr/include/sys/proc.h:48,
>                  from /usr/include/sys/pri.h:43,
>                  from /usr/include/sys/sched.h:38,
>                  from /usr/include/sched.h:51,
>                  from /usr/include/pthread.h:64,
>                  from conftest.c:34:
> /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
> /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
> In file included from /usr/include/sys/thread.h:43,
>                  from /usr/include/sys/ptrace.h:28,
>                  from /usr/include/sys/proc.h:48,
>                  from /usr/include/sys/pri.h:43,
>                  from /usr/include/sys/sched.h:38,
>                  from /usr/include/sched.h:51,
>                  from /usr/include/pthread.h:64,
>                  from conftest.c:34:
> /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
> In file included from /usr/include/pthread.h:66,
>                  from conftest.c:34:
> /usr/include/unistd.h:923: error: expected ')' before '[' token
> /usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
> configure:5175: $? = 1
> configure: failed program was:
> | /* confdefs.h. */
> |
> | #define PACKAGE_NAME "Kerberos 5"
> | #define PACKAGE_TARNAME "krb5"
> | #define PACKAGE_VERSION "1.6.3"
> | #define PACKAGE_STRING "Kerberos 5 1.6.3"
> | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_STDINT_H 1
> | #define KRB5_KRB4_COMPAT 1
> | #define HAVE_BT_RSEQ 1
> | #define KRB5_DNS_LOOKUP_KDC 1
> | #define KRB5_DNS_LOOKUP 1
> | #define HAVE_RES_NINIT 1
> | #define HAVE_RES_NCLOSE 1
> | #define HAVE_RES_NSEARCH 1
> | #define HAVE_NS_INITPARSE 1
> | #define HAVE_NS_NAME_UNCOMPRESS 1
> | #define HAVE_DN_SKIPNAME 1
> | #define HAVE_RES_SEARCH 1
> | #define DELAY_INITIALIZER 1
> | #define CONSTRUCTOR_ATTR_WORKS 1
> | #define DESTRUCTOR_ATTR_WORKS 1
> | #define USE_LINKER_FINI_OPTION 1
> | #define ENABLE_THREADS 1
> | /* end confdefs.h. */
> | #include <pthread.h>
> | int
> | main ()
> | {
> | pthread_t th; pthread_join(th, 0);
> | pthread_attr_init(0); pthread_cleanup_push(0, 0);
> | pthread_create(0,0,0,0); pthread_cleanup_pop(0);
> | ;
> | return 0;
> | }
> configure:5202: result: no
> configure:5083: checking whether pthreads work with -mthreads
> configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -mthreads conftest.c >&5
> cc1: error: unrecognized command line option "-mthreads"
> configure:5175: $? = 1
> configure: failed program was:
> | /* confdefs.h. */
> |
> | #define PACKAGE_NAME "Kerberos 5"
> | #define PACKAGE_TARNAME "krb5"
> | #define PACKAGE_VERSION "1.6.3"
> | #define PACKAGE_STRING "Kerberos 5 1.6.3"
> | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_STDINT_H 1
> | #define KRB5_KRB4_COMPAT 1
> | #define HAVE_BT_RSEQ 1
> | #define KRB5_DNS_LOOKUP_KDC 1
> | #define KRB5_DNS_LOOKUP 1
> | #define HAVE_RES_NINIT 1
> | #define HAVE_RES_NCLOSE 1
> | #define HAVE_RES_NSEARCH 1
> | #define HAVE_NS_INITPARSE 1
> | #define HAVE_NS_NAME_UNCOMPRESS 1
> | #define HAVE_DN_SKIPNAME 1
> | #define HAVE_RES_SEARCH 1
> | #define DELAY_INITIALIZER 1
> | #define CONSTRUCTOR_ATTR_WORKS 1
> | #define DESTRUCTOR_ATTR_WORKS 1
> | #define USE_LINKER_FINI_OPTION 1
> | #define ENABLE_THREADS 1
> | /* end confdefs.h. */
> | #include <pthread.h>
> | int
> | main ()
> | {
> | pthread_t th; pthread_join(th, 0);
> | pthread_attr_init(0); pthread_cleanup_push(0, 0);
> | pthread_create(0,0,0,0); pthread_cleanup_pop(0);
> | ;
> | return 0;
> | }
> configure:5202: result: no
> configure:5131: checking for the pthreads library -lpthread
> configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic conftest.c -lpthread >&5
> In file included from /usr/include/sys/cred.h:49,
>                  from /usr/include/sys/thread.h:43,
>                  from /usr/include/sys/ptrace.h:28,
>                  from /usr/include/sys/proc.h:48,
>                  from /usr/include/sys/pri.h:43,
>                  from /usr/include/sys/sched.h:38,
>                  from /usr/include/sched.h:51,
>                  from /usr/include/pthread.h:64,
>                  from conftest.c:34:
> /usr/include/sys/secattr.h:49: error: expected specifier-qualifier-list before 'rid_t'
> /usr/include/sys/secattr.h:65: error: expected specifier-qualifier-list before 'authnum_t'
> In file included from /usr/include/sys/thread.h:43,
>                  from /usr/include/sys/ptrace.h:28,
>                  from /usr/include/sys/proc.h:48,
>                  from /usr/include/sys/pri.h:43,
>                  from /usr/include/sys/sched.h:38,
>                  from /usr/include/sched.h:51,
>                  from /usr/include/pthread.h:64,
>                  from conftest.c:34:
> /usr/include/sys/cred.h:331: error: expected specifier-qualifier-list before 'rid_t'
> In file included from /usr/include/pthread.h:66,
>                  from conftest.c:34:
> /usr/include/unistd.h:923: error: expected ')' before '[' token
> /usr/include/unistd.h:924: error: expected declaration specifiers or '...' before 'rid_t'
> configure:5175: $? = 1
> configure: failed program was:
> | /* confdefs.h. */
> |
> | #define PACKAGE_NAME "Kerberos 5"
> | #define PACKAGE_TARNAME "krb5"
> | #define PACKAGE_VERSION "1.6.3"
> | #define PACKAGE_STRING "Kerberos 5 1.6.3"
> | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_STDINT_H 1
> | #define KRB5_KRB4_COMPAT 1
> | #define HAVE_BT_RSEQ 1
> | #define KRB5_DNS_LOOKUP_KDC 1
> | #define KRB5_DNS_LOOKUP 1
> | #define HAVE_RES_NINIT 1
> | #define HAVE_RES_NCLOSE 1
> | #define HAVE_RES_NSEARCH 1
> | #define HAVE_NS_INITPARSE 1
> | #define HAVE_NS_NAME_UNCOMPRESS 1
> | #define HAVE_DN_SKIPNAME 1
> | #define HAVE_RES_SEARCH 1
> | #define DELAY_INITIALIZER 1
> | #define CONSTRUCTOR_ATTR_WORKS 1
> | #define DESTRUCTOR_ATTR_WORKS 1
> | #define USE_LINKER_FINI_OPTION 1
> | #define ENABLE_THREADS 1
> | /* end confdefs.h. */
> | #include <pthread.h>
> | int
> | main ()
> | {
> | pthread_t th; pthread_join(th, 0);
> | pthread_attr_init(0); pthread_cleanup_push(0, 0);
> | pthread_create(0,0,0,0); pthread_cleanup_pop(0);
> | ;
> | return 0;
> | }
> configure:5202: result: no
> configure:5083: checking whether pthreads work with --thread-safe
> configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic --thread-safe conftest.c >&5
> cc1: error: unrecognized command line option "-fthread-safe"
> configure:5175: $? = 1
> configure: failed program was:
> | /* confdefs.h. */
> |
> | #define PACKAGE_NAME "Kerberos 5"
> | #define PACKAGE_TARNAME "krb5"
> | #define PACKAGE_VERSION "1.6.3"
> | #define PACKAGE_STRING "Kerberos 5 1.6.3"
> | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_STDINT_H 1
> | #define KRB5_KRB4_COMPAT 1
> | #define HAVE_BT_RSEQ 1
> | #define KRB5_DNS_LOOKUP_KDC 1
> | #define KRB5_DNS_LOOKUP 1
> | #define HAVE_RES_NINIT 1
> | #define HAVE_RES_NCLOSE 1
> | #define HAVE_RES_NSEARCH 1
> | #define HAVE_NS_INITPARSE 1
> | #define HAVE_NS_NAME_UNCOMPRESS 1
> | #define HAVE_DN_SKIPNAME 1
> | #define HAVE_RES_SEARCH 1
> | #define DELAY_INITIALIZER 1
> | #define CONSTRUCTOR_ATTR_WORKS 1
> | #define DESTRUCTOR_ATTR_WORKS 1
> | #define USE_LINKER_FINI_OPTION 1
> | #define ENABLE_THREADS 1
> | /* end confdefs.h. */
> | #include <pthread.h>
> | int
> | main ()
> | {
> | pthread_t th; pthread_join(th, 0);
> | pthread_attr_init(0); pthread_cleanup_push(0, 0);
> | pthread_create(0,0,0,0); pthread_cleanup_pop(0);
> | ;
> | return 0;
> | }
> configure:5202: result: no
> configure:5083: checking whether pthreads work with -mt
> configure:5169: gcc -o conftest -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -mt conftest.c >&5
> cc1: error: unrecognized command line option "-mt"
> configure:5175: $? = 1
> configure: failed program was:
> | /* confdefs.h. */
> |
> | #define PACKAGE_NAME "Kerberos 5"
> | #define PACKAGE_TARNAME "krb5"
> | #define PACKAGE_VERSION "1.6.3"
> | #define PACKAGE_STRING "Kerberos 5 1.6.3"
> | #define PACKAGE_BUGREPORT "krb5-bugs at mit.edu"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_STDINT_H 1
> | #define KRB5_KRB4_COMPAT 1
> | #define HAVE_BT_RSEQ 1
> | #define KRB5_DNS_LOOKUP_KDC 1
> | #define KRB5_DNS_LOOKUP 1
> | #define HAVE_RES_NINIT 1
> | #define HAVE_RES_NCLOSE 1
> | #define HAVE_RES_NSEARCH 1
> | #define HAVE_NS_INITPARSE 1
> | #define HAVE_NS_NAME_UNCOMPRESS 1
> | #define HAVE_DN_SKIPNAME 1
> | #define HAVE_RES_SEARCH 1
> | #define DELAY_INITIALIZER 1
> | #define CONSTRUCTOR_ATTR_WORKS 1
> | #define DESTRUCTOR_ATTR_WORKS 1
> | #define USE_LINKER_FINI_OPTION 1
> | #define ENABLE_THREADS 1
> | /* end confdefs.h. */
> | #include <pthread.h>
> | int
> | main ()
> | {
> | pthread_t th; pthread_join(th, 0);
> | pthread_attr_init(0); pthread_cleanup_push(0, 0);
> | pthread_create(0,0,0,0); pthread_cleanup_pop(0);
> | ;
> | return 0;
> | }
> configure:5202: result: no
> configure:5091: checking for pthread-config
> configure:5118: result: no
> configure:5403: error: cannot determine options for enabling
> thread support; try --disable-thread-support
>
> Any thoughts?
>
> Thanks,
> -Luke
>
> miguel.sanders at arcelormittal.com wrote:
>
>> Well, I thought it wasn't really necessary to compile pthreads support since I was, just like you, only interested in the client libraries.
>> Could you just send the config.log part where it does the test for:
>> "checking for the pthreads library -lpthreads... No"
>>
>> Met vriendelijke groet
>> Best regards
>> Bien à vous
>>
>> Miguel SANDERS
>> ArcelorMittal Gent
>>
>> UNIX Systems & Storage
>> IT Supply Western Europe | John Kennedylaan 51
>> B-9042 Gent
>>
>> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E
>> miguel.sanders at arcelormittal.com www.arcelormittal.com/gent
>>
>> -----Original message-----
>> From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
>> Sent: Wednesday 13 May 2009 20:23
>> To: SANDERS Miguel; kerberos at mit.edu
>> Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
>>
>> I'm using the same build-environment as before. The pthreads error may be similar, but I haven't been able to figure out where to look to see how pthreads is detected.
>>
>> Output:
>>
>> checking for constructor/destructor attribute support... (cached) yes,yes
>> configure: enabling thread support
>> checking for the pthreads library -lpthreads... no
>> checking whether pthreads work without any flags... no
>> checking whether pthreads work with -Kthread... no
>> checking whether pthreads work with -kthread... no
>> checking for the pthreads library -llthread... no
>> checking whether pthreads work with -pthread... no
>> checking whether pthreads work with -pthreads... no
>> checking whether pthreads work with -mthreads... no
>> checking for the pthreads library -lpthread... no
>> checking whether pthreads work with --thread-safe... no
>> checking whether pthreads work with -mt... no
>> checking for pthread-config... no
>> configure: error: cannot determine options for enabling thread support; try --disable-thread-support
>> configure: error: /bin/sh './configure' failed for
>> plugins/preauth/pkinit
>>
>> Does this ring any bells?
>>
>> Also, is there any big disadvantage to building the client-side libraries and utilities with --disable-thread-support?
>>
>> Thanks again,
>> -Luke
>>
>> miguel.sanders at arcelormittal.com wrote:
>>
>>> I'll open a bug report for it.
>>> If you have further questions on how to get this going on AIX, you can always send me a mail.
>>>
>>> Good luck!
>>>
>>> Met vriendelijke groet
>>> Best regards
>>> Bien à vous
>>>
>>> Miguel SANDERS
>>> ArcelorMittal Gent
>>>
>>> UNIX Systems & Storage
>>> IT Supply Western Europe | John Kennedylaan 51
>>> B-9042 Gent
>>>
>>> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E
>>> miguel.sanders at arcelormittal.com www.arcelormittal.com/gent
>>>
>>> -----Original message-----
>>> From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
>>> Sent: Wednesday 13 May 2009 18:17
>>> To: SANDERS Miguel
>>> CC: kerberos at mit.edu
>>> Subject: Re: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
>>>
>>> Awesome! Editing shlib.conf did the trick, and I'm unstuck!
>>>
>>> I do consider this a bug. If you feel like submitting the report, that would save me the trouble of figuring out and signing up for an account on the bug tracking system. If not, I'll be happy to be a good open-source citizen and submit it.
>>>
>>> Thanks again!
>>> -Luke
>>>
>>> I'm still mucking with getting pthreads enabled properly, but I have a little bit more Googling to do before I can ask a proper question about that.
>>>
>>> miguel.sanders at arcelormittal.com wrote:
>>>
>>>> Luke
>>>>
>>>> You should take a look at the config/shlib.conf. Apparently
>>>> krb5-1.6.3 is not yet AIX6.1 aware.
>>>> Just alter the *-*-aix5*) on line 410 to e.g. *-*-aix*)
>>>>
>>>> Should I file a bug report for this?
>>>>
>>>> Met vriendelijke groet
>>>> Best regards
>>>> Bien à vous
>>>>
>>>> Miguel SANDERS
>>>> ArcelorMittal Gent
>>>>
>>>> UNIX Systems & Storage
>>>> IT Supply Western Europe | John Kennedylaan 51
>>>> B-9042 Gent
>>>>
>>>> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E
>>>> miguel.sanders at arcelormittal.com www.arcelormittal.com/gent
>>>>
>>>> -----Original message-----
>>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]
>>>> On behalf of Luke Scharf
>>>> Sent: Wednesday 13 May 2009 17:17
>>>> To: kerberos at mit.edu
>>>> Subject: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?
>>>>
>>>> I'm attempting to build MIT Kerberos version 1.6.1 on AIX 6.1. I'm mostly in need of the client libraries and utilities.
>>>>
>>>> I'm using the following special additions to the build environment:
>>>>
>>>> $ export PTHREAD_LIBS="-lpthread"
>>>> $ export RPATH_FLAG="-Wl,-brtl,-blibpath:"
>>>>
>>>> I'm using the following ./configure command:
>>>>
>>>> $ ./configure --prefix=/usr/local/krb5-1.6.3
>>>> --enable-log-preauth-logins --enable-login-print-issue
>>>> --with-multihomed-fixes --enable-app-proxy --with-passive-mode-off
>>>> --without-anonymous-ftp
>>>>
>>>> And I get the following results when I run it:
>>>>
>>>> [snip]
>>>> configure: enabling thread support
>>>> checking for pthread_join in LIBS=-lpthread with CFLAGS=... yes
>>>> checking for joinable pthread attribute... unknown
>>>> configure: WARNING: we do not know how to create joinable pthreads
>>>> checking if more special flags are required for pthreads... -D_THREAD_SAFE
>>>> checking for cc_r... cc_r
>>>> configure: PTHREAD_CC = cc_r
>>>> configure: PTHREAD_CFLAGS = -D_THREAD_SAFE
>>>> configure: PTHREAD_LIBS = -lpthread
>>>> checking for pthread_once... yes
>>>> checking for pthread_rwlock_init... yes
>>>> configure: rechecking with PTHREAD_... options
>>>> checking for pthread_rwlock_init in -lc... yes
>>>> checking for library containing dlopen... none required
>>>> checking keyutils.h usability...
no
>>>> checking keyutils.h presence... no
>>>> checking for keyutils.h... no
>>>> configure: disabling static libraries
>>>> configure: WARNING: shared libraries not supported on this architecture
>>>> configure: error: must enable one of shared or static libraries
>>>> $
>>>>
>>>> Does anyone have any suggestions?
>>>>
>>>> Many thanks,
>>>> -Luke
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>> ****
>>>> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
>>>> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited.
>>>> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient.
>>>> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
>>>> ****

From luke.scharf at clusterbee.net Thu May 14 11:23:43 2009
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Thu, 14 May 2009 10:23:43 -0500
Subject: Kerberos linking on AIX 6.1
Message-ID: <4A0C377F.5010409@clusterbee.net>

I'm attempting to build Kerberos on AIX 6.1. This list provided a couple of great workarounds for issues that I've encountered, but I was hoping to submit one more (like editing krb5-1.6.3/src/config/shlib.conf:410 so that "aix6" can be recognized as aix -- and also using xlc as the compiler instead of gcc).

I'm running with the following configure command:

./configure --prefix=/usr/local/krb5-1.6.3 --enable-log-preauth-logins --enable-login-print-issue --with-multihomed-fixes --enable-app-proxy --with-passive-mode-off --without-anonymous-ftp --without-server

And with CC=xlc.

The configure completes nicely, and I get through a large portion of the "make". However, make fails with the following error:

xlc -L../../../lib -blibpath:/usr/local/krb5-1.6.3/lib::/usr/lib:/lib -g -qhalt=e -O -D_THREAD_SAFE -o server server.o rpc_test_svc.o \
        -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lpthreads
ld: 0706-006 Cannot find or open library file: -l gssrpc
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssapi_krb5
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l k5crypto
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssrpc
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssapi_krb5
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l k5crypto
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
        ld:open(): A file or directory in the path name does not exist.
make[3]: *** [client] Error 255
make[3]: *** Waiting for unfinished jobs....
make[3]: *** [server] Error 255
make[3]: Leaving directory `/home/home/ac/lscharf/krb5/krb5-1.6.3/src/lib/rpc/unit-test'
make[2]: *** [all-recurse] Error 1
make[2]: Leaving directory `/home/home/ac/lscharf/krb5/krb5-1.6.3/src/lib/rpc'
make[1]: *** [all-recurse] Error 1
make[1]: Leaving directory `/home/home/ac/lscharf/krb5/krb5-1.6.3/src/lib'
make: *** [all-recurse] Error 1

I've mucked around with LDFLAGS and -blibpath, attempting to include the src/lib/ directory in my build-environment, and I've gone as far as hard-coding the path into krb5-1.6.3/src/config/shlib.conf. But that hasn't seemed to have had any effect on the linking errors.

Does this ring a bell for anyone?

Thanks,
-Luke

From anandhm_psg at yahoo.com Thu May 14 07:16:21 2009
From: anandhm_psg at yahoo.com (Anandan)
Date: Thu, 14 May 2009 04:16:21 -0700 (PDT)
Subject: Racoon ipsec configuration with GSSAPI/kerberos
Message-ID: <23538533.post@talk.nabble.com>

Hi,

I have been trying to configure ipsec between two machines with kerberos. I have one Windows 2003 server which has active directory configured; these two linux machines are connected to that Windows machine. I am not able to get any proper documentation on how to use kerberos with racoon. Any help would be appreciated.

Thanks & Regards
Anandan
--
View this message in context: http://www.nabble.com/Racoon-ipsec-configuration-with-GSSAPI-kerberos-tp23538533p23538533.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From jchitanie at cbvs.sr Thu May 14 09:36:17 2009
From: jchitanie at cbvs.sr (jchitanie@cbvs.sr)
Date: Thu, 14 May 2009 09:36:17 -0400
Subject: configure SSO on i5 and windows 2000
Message-ID: <23087774.61242308177588.JavaMail.root@wombat>

Hi All,

I am busy with SSO and I am using the red book of IBM. At the moment I do kinit I get the following message. Can anyone help me? I am struggling for weeks with this. Hellllppppp please

kinit -k krbsvr400/cbsys01.cbvs.local at CBDKS01.CBVS.LOCAL
Message 0x96c73a44 not found in catalog SKRBDLL.CAT
EUVF06014E Unable to obtain initial credentials.
Status 0x96c73a44 - N/A.

--
This message was sent on behalf of jchitanie at cbvs.sr at openSubscriber.com
http://www.opensubscriber.com/messages/kerberos at mit.edu/topic.html

From Matthew.GARRETT at external.total.com Thu May 14 12:23:53 2009
From: Matthew.GARRETT at external.total.com (Matthew.GARRETT@external.total.com)
Date: Thu, 14 May 2009 17:23:53 +0100
Subject: Solaris 8 Kerberos / Ldap Client Setup
Message-ID:

Folks

I am trying to setup a Solaris 8 client to talk to Kerberos / Ldap instead of using NIS

Ldap works fine e.g getent passwd
Displays the LDAP Password entries

Kerberos:
Doing a kinit USERNAME , works fine if I am logged on to the console as root user
So would seem that /etc/krb/krb5.conf is configured correctly.

I have changed /etc/pam.conf to use krb5
e.g
# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here. However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#

However when I try and login as a normal user /var/adm/authlog shows the following errors

May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
May 14 17:20:48 bruce login: [ID 859314 auth.debug] pam_set_item(9)
May 14 17:20:48 bruce login: [ID 207130 auth.debug] pam_authenticate()
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1
May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate
May 14 17:20:53 bruce login: [ID 859314 auth.debug] pam_set_item(2)
May 14 17:20:53 bruce login: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
May 14 17:20:55 bruce login: [ID 427203 auth.debug] pam_authenticate: error Authentication failed
May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
May 14 17:20:55 bruce login: [ID 997726 auth.debug] pam_acct_mgmt()
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_roles.so.1
May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_projects.so.1
May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt
May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt
May 14 17:20:55 bruce login: [ID 308033 auth.debug] pam_acct_mgmt: error No account present for user
May 14 17:20:55 bruce login: [ID 468494 auth.crit] login account failure: No account present for user
May 14 17:20:55 bruce login: [ID 690057 auth.debug] pam_end(): status = General PAM failure
May 14 17:20:55 bruce PAM: [ID 702575 auth.debug] pam_start(telnet .telnet) - debug = 1
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
May 14 17:20:55 bruce PAM: [ID 924963 auth.debug] pam_close_session()
May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1
May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: successful load of pam_sm_close_session
May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: successful load of pam_sm_close_session
May 14 17:20:55 bruce PAM: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
May 14 17:20:55 bruce PAM: [ID 599088 auth.debug] pam_close_session: error Authentication token manipulation error
May 14 17:20:55 bruce PAM: [ID 690057 auth.debug] pam_end(): status = Success

I am guessing that this is something to do with the message Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0). But I have no idea how this is being generated.

Note Kerberos / Ldap works fine on the RedHat Clients that I have also setup.

Can anybody suggest what I am doing wrong.

Thanks
Matthew

Matthew Garrett
Senior IS Technical Analyst
Tel: 01224 297889
Fax: 01224 296806
Email: Matthew.Garrett at total.com
Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG
Registered in England and Wales No.811900 Registered Office 33 Cavendish Square, London W1G 0PW

This e-mail and any attachments are intended only for the person or entity to whom it is addressed and may contain confidential or privileged information. If you are not the addressee, any disclosure, reproduction, copying, distribution, or use of this communication is strictly prohibited. If you are not the intended recipient or person responsible for delivering this message to the named addressee, please notify us immediately and delete this e-mail. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached.

From deengert at anl.gov Thu May 14 15:13:25 2009
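The pam.conf posted above is evaluated by Solaris PAM under the control-flag rules of pam.conf(4), and the two failures in the authlog (pam_authenticate, then pam_acct_mgmt) come from two different stacks. The script below is an added example, not code from this thread or from Solaris: it parses the auth, account, session and password lines exactly as posted and replays them against constructed per-module outcomes (the True/False tables are assumptions for illustration, not values read from the log). It shows that a "sufficient" pam_unix short-circuits the auth stack whenever the password can be checked locally, which is why root on the console never sees a problem, and that a user whose Kerberos password is accepted is still rejected in the account phase when the "required" pam_unix account module cannot resolve the account through nsswitch.

```python
"""Replay Solaris pam.conf stacks under pam.conf(4) control-flag rules.

Added example, not code from the thread or from Solaris.  The per-module
outcome tables below are constructed assumptions; for simplicity one outcome
per module name is shared across all facilities.
"""
from typing import Dict, List, Optional, Tuple

# pam.conf lines as posted in the thread, with the comment block dropped.
PAM_CONF = """\
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
"""

Entry = Tuple[str, str, List[str]]          # (control flag, module name, options)
Stacks = Dict[Tuple[str, str], List[Entry]]  # (service, facility) -> ordered entries


def parse_pam_conf(text: str) -> Stacks:
    """Group pam.conf lines by (service, facility), preserving order and flags."""
    stacks: Stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, facility, flag, path, *options = line.split()
        module = path.rsplit("/", 1)[-1]      # drop /usr/lib/security/$ISA/
        stacks.setdefault((service, facility), []).append((flag, module, options))
    return stacks


def run_stack(stack: List[Entry], outcome: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate one facility stack with pam.conf(4) semantics.

    outcome maps module name -> True (PAM_SUCCESS) or False (any failure).
    Returns (overall success, names of the modules that actually ran).
    requisite failure ends the stack at once; required failure is remembered
    but later modules still run; sufficient success ends the stack with
    success unless a required module already failed; optional results count
    only when every entry in the stack is optional.
    """
    invoked: List[str] = []
    required_failed = False
    for flag, module, _options in stack:
        ok = outcome[module]
        invoked.append(module)
        if flag == "requisite" and not ok:
            return False, invoked
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "sufficient" and ok and not required_failed:
            return True, invoked               # later modules are never consulted
    if required_failed:
        return False, invoked
    if all(flag == "optional" for flag, _m, _o in stack):
        return outcome[stack[-1][1]], invoked
    return True, invoked


def login_outcome(stacks: Stacks, outcome: Dict[str, bool]) -> Optional[str]:
    """Run the facilities login(1) walks through; return the first that fails."""
    for facility in ("auth", "account", "session"):
        ok, _invoked = run_stack(stacks[("other", facility)], outcome)
        if not ok:
            return facility
    return None


# Constructed scenario 1: Kerberos accepts the password, but the account is
# not resolvable through nsswitch, so pam_unix's account module fails.
KRB_OK_ACCOUNT_MISSING = {
    "pam_unix.so.1": False, "pam_krb5.so.1": True,
    "pam_roles.so.1": True, "pam_projects.so.1": True,
}
# Constructed scenario 2: a locally checkable password (e.g. root on the
# console); "sufficient" pam_unix short-circuits and pam_krb5 never runs.
LOCAL_OK = {
    "pam_unix.so.1": True, "pam_krb5.so.1": False,
    "pam_roles.so.1": True, "pam_projects.so.1": True,
}

if __name__ == "__main__":
    stacks = parse_pam_conf(PAM_CONF)
    for label, outcome in (("krb5 ok, account unresolvable", KRB_OK_ACCOUNT_MISSING),
                           ("local password ok", LOCAL_OK)):
        ok, ran = run_stack(stacks[("other", "auth")], outcome)
        print(f"{label}: auth={'ok' if ok else 'FAIL'} via {ran}; "
              f"first failing facility={login_outcome(stacks, outcome)}")
```

The practical reading for the posted log: even once pam_authenticate succeeds for a Kerberos user, the account stack still needs getpwnam() to find the user, so checking nsswitch.conf and `getent passwd USERNAME` as that user is the next step, not further changes to the auth lines.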
From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 14 May 2009 14:13:25 -0500 Subject: Solaris 8 Kerberos / Ldap Client Setup In-Reply-To: References: Message-ID: <4A0C6D55.4040207@anl.gov> Matthew.GARRETT at external.total.com wrote: > Folks > > I am trying to setup a Solaris 8 client to talk to Kerberos / Ldap instead > of using NIS > > Ldap works fine e.g getent passwd > Displays the LDAP Pasword entries > > Kerberos: > Doing a kinit USERNAME , works fine if I am logged on to the console as > root user > So would seem that /etc/krb/krb5.conf is configured correctly. > > I have changed /etc/pam.conf to use krb5 > e.g > # PAM configuration > # > # This file is configured to try pam_unix first, then pam_krb5 > # > # Authentication management > # > other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 > other auth required /usr/lib/security/$ISA/pam_krb5.so.1 > use_first_pass > # > # Account management > # > # pam_krb5 has a no-op account module, so we don't bother listing it here > # > other account requisite /usr/lib/security/$ISA/pam_roles.so.1 > other account required /usr/lib/security/$ISA/pam_projects.so.1 > other account required /usr/lib/security/$ISA/pam_unix.so.1 > # > # Session management > # > # pam_krb5 destroys any credential cache on session close, so it's good > # to have it here. However, we also need pam_unix to be called, so don't > # make pam_krb5 "sufficient". > # > other session optional /usr/lib/security/$ISA/pam_krb5.so.1 > other session required /usr/lib/security/$ISA/pam_unix.so.1 > # > # Password management > # > # You may have to fiddle with this if you have other account databases. > # If you have some centralized user management tool that users use to > # change their password then you may just want to remove the pam_krb5 > # here. 
> #
> other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
> other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> #

Try adding debug as a param on the above line.

> However when I try and login as a normal user /var/adm/authlog shows the
> following errors
>
> May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1

First of all you should not use telnet, as the password may be sent over the network in the clear. Consider using ssh.

> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
> May 14 17:20:48 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
> May 14 17:20:48 bruce login: [ID 859314 auth.debug] pam_set_item(9)
> May 14 17:20:48 bruce login: [ID 207130 auth.debug] pam_authenticate()
> May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
> May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate
> May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1
> May 14 17:20:48 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_authenticate
> May 14 17:20:53 bruce login: [ID 859314 auth.debug] pam_set_item(2)
> May 14 17:20:53 bruce login: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
> May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
> May 14 17:20:55 bruce login: [ID 427203 auth.debug] pam_authenticate: error Authentication failed
> May 14 17:20:55 bruce login: [ID 859314 auth.debug] pam_set_item(6)
> May 14 17:20:55 bruce login: [ID 997726 auth.debug] pam_acct_mgmt()
> May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_roles.so.1
> May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt
> May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_projects.so.1
> May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt
> May 14 17:20:55 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
> May 14 17:20:55 bruce login: [ID 265225 auth.debug] load_function: successful load of pam_sm_acct_mgmt
> May 14 17:20:55 bruce login: [ID 308033 auth.debug] pam_acct_mgmt: error No account present for user
> May 14 17:20:55 bruce login: [ID 468494 auth.crit] login account failure: No account present for user

This says it can not find the account, so there is some issue with the user account or the nsswitch.conf finding ldap, or how telnet is passing in the username.

> May 14 17:20:55 bruce login: [ID 690057 auth.debug] pam_end(): status = General PAM failure

The rest of this looks like it is in the close session after the above failure.
> May 14 17:20:55 bruce PAM: [ID 702575 auth.debug] pam_start(telnet .telnet) - debug = 1
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(1)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(2)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(5)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(3)
> May 14 17:20:55 bruce PAM: [ID 859314 auth.debug] pam_set_item(4)
> May 14 17:20:55 bruce PAM: [ID 924963 auth.debug] pam_close_session()
> May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1
> May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: successful load of pam_sm_close_session
> May 14 17:20:55 bruce PAM: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
> May 14 17:20:55 bruce PAM: [ID 265225 auth.debug] load_function: successful load of pam_sm_close_session
> May 14 17:20:55 bruce PAM: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
> May 14 17:20:55 bruce PAM: [ID 599088 auth.debug] pam_close_session: error Authentication token manipulation error
> May 14 17:20:55 bruce PAM: [ID 690057 auth.debug] pam_end(): status = Success
>
> I am guessing that this is something to do with the message
> Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
>
> But I have no idea how this is being generated.
> Note Kerberos / LDAP works fine on the RedHat clients that I have also
> set up.
>
> Can anybody suggest what I am doing wrong.

add debug options to the pam.conf entries.

We don't have any Solaris 8 anymore but when we did, we did not use the Sun version of Kerberos or pam_krb5. We have used MIT Kerberos and various pam_krb5 modules. (On Solaris 10 the Sun Kerberos, ssh and pam_krb5 work well.)
>
> Thanks
>
> Matthew
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Matthew.GARRETT at external.total.com Fri May 15 04:17:42 2009
From: Matthew.GARRETT at external.total.com (Matthew.GARRETT@external.total.com)
Date: Fri, 15 May 2009 09:17:42 +0100
Subject: Solaris 8 Kerberos / Ldap Client Setup
In-Reply-To: <4A0C6D55.4040207@anl.gov>
Message-ID:

"Douglas E. Engert" wrote on 14/05/2009 20:13:25:

>
> Matthew.GARRETT at external.total.com wrote:
> > Folks
> >
> > I am trying to set up a Solaris 8 client to talk to Kerberos / LDAP instead
> > of using NIS
> >
> > LDAP works fine, e.g. getent passwd
> > displays the LDAP password entries
> >
> > Kerberos:
> > Doing a kinit USERNAME works fine if I am logged on to the console as
> > root user
> > So it would seem that /etc/krb/krb5.conf is configured correctly.
> >
> > I have changed /etc/pam.conf to use krb5
> > other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
> > other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
> > #
> >

Adding debug does not seem to generate any more details.

> Try adding debug as a param on the above line.
>
> > However when I try and login as a normal user /var/adm/authlog shows the
> > following errors
> >
> > May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1
>
> First of all you should not use telnet, as the password may be sent over
> the network in the clear. Consider using ssh.

Normally we do use ssh but for testing turned on telnet in case ssh was causing problems.

> > No account present for user
>
> This says it can not find the account, so there is some issue with
> the user account or the nsswitch.conf finding ldap, or how telnet is
> passing in the username.
>
> add debug options to the pam.conf entries.
>
> We don't have any Solaris 8 anymore but when we did, we did not use the
> Sun version of Kerberos or pam_krb5. We have used MIT Kerberos and various
> pam_krb5 modules. (On Solaris 10 the Sun Kerberos, ssh and pam_krb5
> work well.)
>

Now that bit is interesting, maybe the Solaris 8 stock version of Kerberos is broken.
I will download the latest version and see if that makes any difference.

Matt

From miguel.sanders at arcelormittal.com Fri May 15 07:03:47 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Fri, 15 May 2009 13:03:47 +0200
Subject: Kerberos linking on AIX 6.1
In-Reply-To: <4A0C377F.5010409@clusterbee.net>
References: <4A0C377F.5010409@clusterbee.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BDC22F@GEN-MXB-V04.msad.arcelor.net>

Luke

The problem here lies in the fact that the libraries you build before you run into the error are not included in the libpath (-L).
Could you try adding the folder that contains the libraries as an additional CFLAGS argument?

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Luke Scharf
Sent: Thursday 14 May 2009 17:24
To: kerberos at mit.edu
Subject: Kerberos linking on AIX 6.1

I'm attempting to build Kerberos on AIX 6.1. This list provided a couple of great workarounds for issues that I've encountered, but I was hoping to submit one more (like editing krb5-1.6.3/src/config/shlib.conf:410 so that "aix6" can be recognized as aix -- and also using xlc as the compiler instead of gcc).

I'm running with the following configure command:

./configure --prefix=/usr/local/krb5-1.6.3 --enable-log-preauth-logins --enable-login-print-issue --with-multihomed-fixes --enable-app-proxy --with-passive-mode-off --without-anonymous-ftp --without-server

And with CC=xlc. The configure completes nicely, and I get through a large portion of the "make".
However, make fails with the following error:

xlc -L../../../lib -blibpath:/usr/local/krb5-1.6.3/lib::/usr/lib:/lib -g -qhalt=e -O -D_THREAD_SAFE -o server server.o rpc_test_svc.o \
 -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lpthreads
ld: 0706-006 Cannot find or open library file: -l gssrpc
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssapi_krb5
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l k5crypto
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssrpc
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssapi_krb5
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l k5crypto
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
 ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
 ld:open(): A file or directory in the path name does not exist.
make[3]: *** [client] Error 255
make[3]: *** Waiting for unfinished jobs....
make[3]: *** [server] Error 255
make[3]: Leaving directory `/home/home/ac/lscharf/krb5/krb5-1.6.3/src/lib/rpc/unit-test'
make[2]: *** [all-recurse] Error 1
make[2]: Leaving directory `/home/home/ac/lscharf/krb5/krb5-1.6.3/src/lib/rpc'
make[1]: *** [all-recurse] Error 1
make[1]: Leaving directory `/home/home/ac/lscharf/krb5/krb5-1.6.3/src/lib'
make: *** [all-recurse] Error 1

I've mucked around with LDFLAGS and -blibpath, attempting to include the src/lib/ directory in my build environment, and I've gone as far as hard-coding the path into krb5-1.6.3/src/config/shlib.conf. But that hasn't seemed to have had any effect on the linking errors.

Does this ring a bell for anyone?

Thanks,
-Luke

****
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
****

From miguel.sanders at arcelormittal.com Fri May 15 07:11:56 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Fri, 15 May 2009 13:11:56 +0200
Subject: Kerberos linking on AIX 6.1
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BDC22F@GEN-MXB-V04.msad.arcelor.net>
References: <4A0C377F.5010409@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BDC22F@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BDC233@GEN-MXB-V04.msad.arcelor.net>

Moreover, since you're on AIX, adding -lsomelib as an XLC argument expects to find an archive libsomelib.a and not an object file.
So you will have to archive the shared libraries with ar.

F.e.
The build created the shared library gssapi_krb5.so (which is in AIX a bad name for a shared library, all libraries (static/shared) should end with .o)
Archive it:
# ar -v -q gssapi_krb5.a gssapi_krb5.so

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

From deengert at anl.gov Fri May 15 10:15:57 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 15 May 2009 09:15:57 -0500
Subject: Solaris 8 Kerberos / Ldap Client Setup
In-Reply-To:
References:
Message-ID: <4A0D791D.40400@anl.gov>

I don't think your problem is Kerberos, but rather nss and pam finding the account. Could also be telnet issues too.

Matthew.GARRETT at external.total.com wrote:
> "Douglas E. Engert" wrote on 14/05/2009 20:13:25:
>
>> Matthew.GARRETT at external.total.com wrote:
>>> Folks
>>>
>>> I am trying to set up a Solaris 8 client to talk to Kerberos / LDAP instead
>>> of using NIS
>>>
>>> LDAP works fine, e.g. getent passwd
>>> displays the LDAP password entries
>>>
>>> Kerberos:
>>> Doing a kinit USERNAME works fine if I am logged on to the console as
>>> root user
>>> So it would seem that /etc/krb/krb5.conf is configured correctly.
>>>
>>> I have changed /etc/pam.conf to use krb5
>>> other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
>>> other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
>>> #
>>>
> Adding debug does not seem to generate any more details.
>
>> Try adding debug as a param on the above line.
>>
>>> However when I try and login as a normal user /var/adm/authlog shows the
>>> following errors
>>>
>>> May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1
>> First of all you should not use telnet, as the password may be sent over
>> the network in the clear. Consider using ssh.
>
> Normally we do use ssh but for testing turned on telnet
> in case ssh was causing problems.
>
>>> No account present for user
>> This says it can not find the account, so there is some issue with
>> the user account or the nsswitch.conf finding ldap, or how telnet is
>> passing in the username.
>>
>
>> add debug options to the pam.conf entries.
>>
>> We don't have any Solaris 8 anymore but when we did, we did not use the
>> Sun version of Kerberos or pam_krb5. We have used MIT Kerberos and various
>> pam_krb5 modules. (On Solaris 10 the Sun Kerberos, ssh and pam_krb5
>> work well.)
>>
> Now that bit is interesting, maybe the Solaris 8 stock version of Kerberos is
> broken.
> I will download the latest version and see if that makes any difference.

The Solaris 8 Kerberos may work fine in your situation. We were running Kerberos long before Sun implemented it. Sun did not expose the API in 8 and 9. We also use Windows AD as the KDC, which if I recall had issues. So we kept running the MIT versions on 8 and 9.

>
> Matt

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From raeburn at MIT.EDU Fri May 15 10:19:17 2009
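A log-triage helper for the authlog excerpt in this thread, added here as an example (it was not posted in the thread and is not part of Solaris or MIT krb5). It separates the per-stage PAM errors from the pam.conf keyword warnings so the failure order Doug points at is visible at a glance: pam_authenticate fails first, then pam_acct_mgmt reports no account, while the AP_BIND_TIME warning is a separate, repeated pam.conf parsing complaint that also shows up in the close-session path. The sample lines are reconstructed from Matthew's log (unwrapped and trimmed) and embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: triage a Solaris PAM debug log (e.g. /var/adm/authlog).
# Every helper reads log text on stdin and only needs sed, sort and head.

# pam_errors: print "stage|message" for every "pam_<stage>: error <message>"
# entry, in log order.  The first line is the first PAM call that failed.
pam_errors() {
    sed -n 's/^.*auth\.[a-z]*\] \(pam_[a-z_]*\): error \(.*\)$/\1|\2/p'
}

# first_failure: just the first failing stage and its message.
first_failure() {
    pam_errors | head -n 1
}

# unknown_keywords: distinct pam.conf keywords the framework rejected
# ("Unknown keyword encountered '<kw>'"), one per line.
unknown_keywords() {
    sed -n "s/^.*Unknown keyword encountered '\([^']*\)'.*$/\1/p" | sort -u
}

# loaded_modules: the module files the framework loaded, in order.
loaded_modules() {
    sed -n 's/^.*load_modules: \(.*\)$/\1/p'
}

# triage: a one-screen summary of a whole log read from stdin.
triage() {
    t_log=$(cat)
    echo "PAM errors (stage|message):"
    printf '%s\n' "$t_log" | pam_errors | sed 's/^/  /'
    echo "Unknown pam.conf keywords:"
    printf '%s\n' "$t_log" | unknown_keywords | sed 's/^/  /'
    echo "Modules loaded:"
    printf '%s\n' "$t_log" | loaded_modules | sed 's/^/  /'
}

# sample_log: constructed from the lines Matthew posted, unwrapped and
# trimmed to the entries that matter, so the helpers can be run offline.
sample_log() {
    cat <<'EOF'
May 14 17:20:48 bruce PAM: [ID 702575 auth.debug] pam_start(telnet ) - debug = 1
May 14 17:20:48 bruce login: [ID 207130 auth.debug] pam_authenticate()
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_unix.so.1
May 14 17:20:48 bruce login: [ID 305314 auth.debug] load_modules: /usr/lib/security/pam_krb5.so.1
May 14 17:20:53 bruce login: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
May 14 17:20:55 bruce login: [ID 427203 auth.debug] pam_authenticate: error Authentication failed
May 14 17:20:55 bruce login: [ID 997726 auth.debug] pam_acct_mgmt()
May 14 17:20:55 bruce login: [ID 308033 auth.debug] pam_acct_mgmt: error No account present for user
May 14 17:20:55 bruce login: [ID 468494 auth.crit] login account failure: No account present for user
May 14 17:20:55 bruce PAM: [ID 924963 auth.debug] pam_close_session()
May 14 17:20:55 bruce PAM: [ID 976026 auth.warning] Unknown keyword encountered 'AP_BIND_TIME'. (at or near line 0).
May 14 17:20:55 bruce PAM: [ID 599088 auth.debug] pam_close_session: error Authentication token manipulation error
EOF
}

sample_log | triage
```

On a real system run `triage < /var/adm/authlog`; the "PAM errors" list is what tells you which stage (authentication, account, session) to chase, and the "Modules loaded" list confirms which pam.conf entries actually took effect for the service in question.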
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 15 May 2009 10:19:17 -0400
Subject: Kerberos linking on AIX 6.1
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BDC233@GEN-MXB-V04.msad.arcelor.net>
References: <4A0C377F.5010409@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BDC22F@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206BDC233@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <96B35E1F-A3F8-4F64-9A74-28C72920A732@mit.edu>

On May 15, 2009, at 07:11, miguel.sanders at arcelormittal.com wrote:
> Moreover, since you're on AIX, adding -lsomelib as an XLC argument
> expects to find an archive libsomelib.a and not an object file.
> So you will have to archive the shared libraries with ar.
>
> F.e.
> The build created the shared library gssapi_krb5.so (which is in AIX
> a bad name for a shared library, all libraries (static/shared)
> should end with .o)
> Archive it:
> # ar -v -q gssapi_krb5.a gssapi_krb5.so

If I recall correctly, earlier versions of AIX at least had a compiler option telling it to look for the .so files instead. However, that would mean that you always have to use this option when building application programs as well.

Once upon a time, we built the shared libraries with .a suffixes using ar as above. This was changed some time ago -- I think maybe to let us build both static and shared versions of the libraries at once, though I'm not sure that was the reason, and we don't support building static versions of the installed libraries on any platform any more. So it may have been a mistake, and it might be a good idea to consider reverting that change, though it would mean another ABI change on AIX.

Straightening this out requires AIX expertise (or at least the ability to read the documentation plus the experience to say which approach works better overall for AIX developers and system maintainers, factoring in backwards compatibility and versioning and such) plus hardware to test changes on.
MIT's test AIX machine died some years ago, and it was running an old version of the OS even then.

I assume you meant to write "libgssapi_krb5" above? For shared libraries, we build the individual object files with a .so suffix for mostly historical reasons -- so static and shared libraries could be built in the same directory, on platforms where they have to be compiled with different options (unlike AIX). So "gssapi_krb5.so" is the object file compiled from "gssapi_krb5.c"; libgssapi_krb5.* are the linked or archive forms of the library, and the similarity to the name of one of the source/object files is accidental.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From miguel.sanders at arcelormittal.com Fri May 15 14:35:03 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Fri, 15 May 2009 20:35:03 +0200
Subject: Kerberos linking on AIX 6.1
In-Reply-To: <96B35E1F-A3F8-4F64-9A74-28C72920A732@mit.edu>
References: <4A0C377F.5010409@clusterbee.net> <7DF29B50FFF41848BB2281EC2E71A206BDC22F@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206BDC233@GEN-MXB-V04.msad.arcelor.net> <96B35E1F-A3F8-4F64-9A74-28C72920A732@mit.edu>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BDC311@GEN-MXB-V04.msad.arcelor.net>

Hi Ken

I just made a typo (I meant libgssapi_krb5.a, sorry for that).

A few remarks:
On AIX, you cannot see from the object file whether it is static or shared. For that you have to examine the XCOFF header. As a general convention in AIX all objects (static/shared) have the ".o" extension.

Searching for objects and libraries on AIX at link-time differs a bit from what is observed on other UNIX systems.
F.e. let's say we have a shared object foo.o which is required at link-time for main.c
Three ways to do it
1) absolute path
# cc main.c /someabsolutepath/foo.o
2) relative path
# cc main.c ../../../foo.o
3) If it is located in the same folder as main.c
# cc main.c foo.o

The main difference between the three options is that the generated executable will have a path component for the dependent shared object foo.o in the XCOFF header (which makes its location fixed for this executable).

The same applies for libraries actually. If we were to create an archive libfoo.a which contains foo.o, compiling/linking would go like:
1) absolute path
# cc main.c /someabsolutepath/libfoo.a
2) relative path
# cc main.c ../../../libfoo.a
3) -L / -l linker flags
# cc main.c -L/someabsolutepath -lfoo

If wanted, I'm willing to participate on this.

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

From kronda at atlas.cz Mon May 18 07:03:21 2009
From: kronda at atlas.cz (Kronus David)
Date: Mon, 18 May 2009 11:03:21 GMT
Subject: ok_as_delegation status
Message-ID: <6b1ea5c5c7ad4991844f741b050663db@40873c88860d488b9d1be3f0127ba1bb>

Hi all,

I'm trying to use the following setup (everything on Linux):

server: Apache2 + mod_auth_kerb + MIT KDC
client: Firefox with properly configured MIT Kerberos support for the
local server

The user has a kerberos ticket in its cache and is able to access the
protected webpage using firefox without entering their password; the
ticket for HTTP/ is being successfully obtained. However, in .htaccess of
that webpage I have set KrbSaveCredentials, and this setting is only
working when I enter the password for authentication directly, not when
I use the ticket from the cache to authenticate. In the apache log I can
see the following when not entering the password:

[Mon May 18 11:41:25 2009] [error] [client 192.168.13.133] Cannot store delegated credential (gss_krb5_copy_ccache: Invalid credential was supplied (No error)), referer: http:///php/test.php

I've found on several pages that this is related to the ok_as_delegate
flag set for the HTTP/ principal. So my first question is whether this
is true, whether this is needed in my situation. And if yes, then my
second question is how can I set this flag in kadmin (or any other way)?
I've seen some activity going on on this feature recently in MIT
Kerberos svn, so maybe it will be available in the next release of MIT
Kerberos? I'm using version 1.6.3.

Thanks for any help.

David

From hubert.chomette at unilim.fr Mon May 18 10:26:36 2009
From: hubert.chomette at unilim.fr (Hubert Chomette)
Date: Mon, 18 May 2009 16:26:36 +0200
Subject: NIS => Kerberos/LDAP Migration
Message-ID: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr>

Hi

I try to use the pam_krb5_migrate pam module on debian lenny using the
pam-krb5-migrate-heimdal package.

I've seen past messages on this subject:
http://www.mail-archive.com/kerberos at mit.edu/msg12701.html

Does this module work with MIT kerberos?
I try to do so, but don't succeed.

Thanks for your help

regards,

From ghudson at MIT.EDU Mon May 18 13:13:22 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 18 May 2009 13:13:22 -0400
Subject: ok_as_delegation status
In-Reply-To: <6b1ea5c5c7ad4991844f741b050663db@40873c88860d488b9d1be3f0127ba1bb>
References: <6b1ea5c5c7ad4991844f741b050663db@40873c88860d488b9d1be3f0127ba1bb>
Message-ID: <1242666802.4146.32.camel@ray>

kadmin support for ok_as_delegate has been added on the trunk but is not
currently scheduled to go into 1.7, as the cutoff for new features was a
while ago. That could probably change if we find conclusive evidence
that ok_as_delegate support is more important than we thought.

However, I think your problem may not be related to the ok_as_delegate
flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
symptoms and is a totally different bug, which will be fixed in 1.7.
(The relevant version in this case is the Kerberos code running on your
Apache HTTPD server.)

http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
suggests that you might be able to work around the problem by using
mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if
that's still possible two years later.

From tmp+rnpc at echo.disfinite.org Mon May 18 11:40:16 2009
From: tmp+rnpc at echo.disfinite.org (T. M. Pederson)
Date: Mon, 18 May 2009 10:40:16 -0500
Subject: Racoon ipsec configuration with GSSAPI/kerberos
References:
Message-ID: <04c8e6-o7j.ln1@echo.disfinite.org>

In article , Anandan writes:
>
> Hi,
> I have been trying to configure ipsec between two machines with kerberos..I
> have one Windows 2003 server which has active directory configured... these
> two linux machines are connected to that Windows machine...
> I am not able to get any proper documentation on how to use kerberos with
> racoon..
> Any help would be appreciated..

Racoon works with Kerberos through GSSAPI, and only for Phase 1.

I've been working with some Racoon/Heimdal installations on *BSD and the
occasional Linux box, where the configuration (racoon.conf) has
generally had the phase 1 section as:

--------
# No address lookup by name in this implementation, so this file needs
# a remote inherit section for EACH OTHER ADDRESS a host has.
remote {
        exchange_mode main;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method gssapi_krb;
                # For compatibility, use the GSS-API ID "host/fqdn",
                # where fqdn is the output of the hostname(1)
                # command. You probably want this to match your system's
                # host principal. ktutil(8)'s "list" command will list
                # the principals in your system's keytab. If you need
                # to, you can change the GSS-API ID here.
                # Older implementations used "ike/fqdn"
                gss_id "host/fqdn";
                dh_group 1;
        }
        # Used by client hosts (initiators). Should be off for servers.
        generate_policy on;
}
--------

Note that you could instead use the usual "anonymous" instead of an
address if you're going with the same phase 1 between all machines.
Also, depending on implementation, encryption_algorithm may be 3des or
aes (I've been working with both).

The rest of the Racoon configuration (phase 2, etc.) is independent of
Kerberos and is covered by the standard documentation.

Just had a jump from Heimdal 0.x to 1.1 and it looks like racoon needs
to adjust for an API change to work with the new Heimdal. Still
tracking down what's going on with that combo. Otherwise, Racoon
w/Heimdal 0.6 and 0.7 has been working just fine.

I have no experience with Racoon interacting with MIT or MS Kerberos
implementations.

--
T. M. Pederson
GPG key fingerprint = FFAF D056 F12B E03F 7084 1288 EF8B E1FE 1693 21EB
+Accept: text/plain; charset=ISO-8859-*,UTF-*

From rra at stanford.edu Mon May 18 14:00:00 2009
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 18 May 2009 11:00:00 -0700
Subject: NIS => Kerberos/LDAP Migration
In-Reply-To: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr> (Hubert Chomette's message of "Mon, 18 May 2009 16:26:36 +0200")
References: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr>
Message-ID: <87tz3invfj.fsf@windlord.stanford.edu>

Hubert Chomette writes:

> I try to use the pam_krb5_migrate pam module on debian lenny using the
> pam-krb5-migrate-heimdal package.

> I've seen past messages on this subject:
> http://www.mail-archive.com/kerberos at mit.edu/msg12701.html
> Does this module work with MIT kerberos?
> I try to do so, but don't succeed.

This module won't work with the MIT Kerberos in lenny since it didn't
provide a public API for the kadmin libraries. This is fixed in squeeze
(the current testing), but that's probably not horribly helpful for your
current purpose. :/

--
Russ Allbery (rra at stanford.edu)

From mikkel at linet.dk Tue May 19 02:55:35 2009
From: mikkel at linet.dk (Mikkel Kruse Johnsen)
Date: Tue, 19 May 2009 08:55:35 +0200
Subject: ok_as_delegation status
In-Reply-To: <1242666802.4146.32.camel@ray>
References: <6b1ea5c5c7ad4991844f741b050663db@40873c88860d488b9d1be3f0127ba1bb> <1242666802.4146.32.camel@ray>
Message-ID: <1242716135.2652.5.camel@localhost.localdomain>

Hi Kronus

You definitely have to use mod_auth_kerb's internal SPNEGO to get it to
work. I spent a lot of time realizing that.

The "ok_as_delegate" flag is not in kerberos, but it is a very simple
patch. See attachment.

Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work: +45 21287793
Mobile: +45 21287793
Email: mikkel at linet.dk
IM: mikkel at linet.dk (MSN)
Professional Profile
Healthcare Network Consultant

Mon, 18 05 2009 at 13:13 -0400, Greg Hudson wrote:
> kadmin support for ok_as_delegate has been added on the trunk but is not
> currently scheduled to go into 1.7, as the cutoff for new features was a
> while ago. That could probably change if we find conclusive evidence
> that ok_as_delegate support is more important than we thought.
>
> However, I think your problem may not be related to the ok_as_delegate
> flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
> symptoms and is a totally different bug, which will be fixed in 1.7.
> (The relevant version in this case is the Kerberos code running on your
> Apache HTTPD server.)
>
> http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
> suggests that you might be able to work around the problem by using
> mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if
> that's still possible two years later.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.6-ok-as-delegate.patch
Type: text/x-patch
Size: 6472 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090519/927f72c6/krb5-1.6-ok-as-delegate.bin

From hubert.chomette at unilim.fr Tue May 19 04:07:45 2009
From: hubert.chomette at unilim.fr (Hubert Chomette)
Date: Tue, 19 May 2009 10:07:45 +0200
Subject: NIS => Kerberos/LDAP Migration
In-Reply-To: <87tz3invfj.fsf@windlord.stanford.edu>
References: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr> <87tz3invfj.fsf@windlord.stanford.edu>
Message-ID: <52BCDB62-B821-4329-BF6A-F51CDF22FBB5@unilim.fr>

So if I correctly understand, I've got two choices:

- migrate my kdc to version 1.7 (I suppose you mean experimental, because
there is no major different release between stable and testing) / or use
heimdal kerberos
- make my own pam module using perl to send login/passwd with kadmin

On 18 May 09 at 20:00, Russ Allbery wrote:

> Hubert Chomette writes:
>
>> I try to use the pam_krb5_migrate pam module on debian lenny using the
>> pam-krb5-migrate-heimdal package.
>
>> I've seen past messages on this subject:
>> http://www.mail-archive.com/kerberos at mit.edu/msg12701.html
>> Does this module work with MIT kerberos?
>> I try to do so, but don't succeed.
>
> This module won't work with the MIT Kerberos in lenny since it didn't
> provide a public API for the kadmin libraries. This is fixed in squeeze
> (the current testing), but that's probably not horribly helpful for your
> current purpose. :/
>
> --
> Russ Allbery (rra at stanford.edu)
>
>

From l.schimmer at cgv.tugraz.at Tue May 19 04:40:50 2009
From: l.schimmer at cgv.tugraz.at (Lars Schimmer)
Date: Tue, 19 May 2009 10:40:50 +0200
Subject: debian unstable krb5 and Win2003 AD server
Message-ID: <4A127092.4020407@cgv.tugraz.at>

Hi!

While updating we got a few problems here.
We got a Win 2003 AD server as a krb5 auth server and tried to get an
amd64 system with Debian unstable to auth against it.
OpenAFS 1.4.10
openafs-krb5 1.4.10
libkrb5-3 with 1.7 version of krb5
kernel 2.6.29-2-amd64

And we cannot auth, we always get an error:
Kerberos error code returned by get_cred : -1765328343

With the libkrb5-3 in version 1.6.dfsg.4~beta1-13 I do not get the
error, with 1.7dfsg~beta2-3 I get the error message.

Any idea what's bad?

Regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723

From tlyu at MIT.EDU Tue May 19 08:13:33 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 19 May 2009 08:13:33 -0400
Subject: debian unstable krb5 and Win2003 AD server
In-Reply-To: <4A127092.4020407@cgv.tugraz.at> (Lars Schimmer's message of "Tue, 19 May 2009 10:40:50 +0200")
References: <4A127092.4020407@cgv.tugraz.at>
Message-ID:

Lars Schimmer writes:

> Hi!
>
> While updating we got a few problems here.
> We got a Win 2003 AD server as a krb5 auth server and tried to get an
> amd64 system with Debian unstable to auth against it.
> OpenAFS 1.4.10
> openafs-krb5 1.4.10
> libkrb5-3 with 1.7 version of krb5
> kernel 2.6.29-2-amd64
>
> And we cannot auth, we always get an error:
> Kerberos error code returned by get_cred : -1765328343
>
> With the libkrb5-3 in version 1.6.dfsg.4~beta1-13 I do not get the
> error, with 1.7dfsg~beta2-3 I get the error message.
>
> Any idea what's bad?

This is a known bug (RT ticket #6490) and we are still investigating.
If you have additional insights, please let us know. Some of our
initial analysis is already documented in the ticket:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6490

From ghudson at MIT.EDU Tue May 19 11:11:45 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Tue, 19 May 2009 11:11:45 -0400
Subject: ok_as_delegation status
In-Reply-To: <1242716135.2652.5.camel@localhost.localdomain>
References: <6b1ea5c5c7ad4991844f741b050663db@40873c88860d488b9d1be3f0127ba1bb> <1242666802.4146.32.camel@ray> <1242716135.2652.5.camel@localhost.localdomain>
Message-ID: <1242745905.4146.72.camel@ray>

A correction: ok_as_delegate kadmin support will be in MIT krb5 1.7,
contrary to what I wrote previously.

On Tue, 2009-05-19 at 08:55 +0200, Mikkel Kruse Johnsen wrote:
> Hi Kronus
>
> You definitely have to use mod_auth_kerb's internal SPNEGO to get it
> to work. I spent a lot of time realizing that.
>
> The "ok_as_delegate" flag is not in kerberos, but it is a very simple
> patch. See attachment.
>
> Med Venlig Hilsen / Kind Regards
>
> Mikkel Kruse Johnsen
> Adm.Dir.
>
> Linet
> Ørholmgade 6 st tv
> Copenhagen N 2200
> Denmark
>
> Work: +45 21287793
> Mobile: +45 21287793
> Email: mikkel at linet.dk
> IM: mikkel at linet.dk (MSN)
> Professional Profile
> Healthcare Network Consultant
>
> Mon, 18 05 2009 at 13:13 -0400, Greg Hudson wrote:
> > kadmin support for ok_as_delegate has been added on the trunk but is not
> > currently scheduled to go into 1.7, as the cutoff for new features was a
> > while ago. That could probably change if we find conclusive evidence
> > that ok_as_delegate support is more important than we thought.
> >
> > However, I think your problem may not be related to the ok_as_delegate
> > flag. http://krbdev.mit.edu/rt/Ticket/Display.html?id=5807 matches your
> > symptoms and is a totally different bug, which will be fixed in 1.7.
> > (The relevant version in this case is the Kerberos code running on your
> > Apache HTTPD server.)
> >
> > http://mailman.mit.edu/pipermail/kerberos/2007-August/012104.html
> > suggests that you might be able to work around the problem by using
> > mod_auth_kerb's SPNEGO code instead of MIT krb5's. I don't know if
> > that's still possible two years later.
> >
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos

From rra at stanford.edu Tue May 19 13:52:35 2009
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 19 May 2009 10:52:35 -0700
Subject: NIS => Kerberos/LDAP Migration
In-Reply-To: <52BCDB62-B821-4329-BF6A-F51CDF22FBB5@unilim.fr> (Hubert Chomette's message of "Tue, 19 May 2009 10:07:45 +0200")
References: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr> <87tz3invfj.fsf@windlord.stanford.edu> <52BCDB62-B821-4329-BF6A-F51CDF22FBB5@unilim.fr>
Message-ID: <87my99askc.fsf@windlord.stanford.edu>

Hubert Chomette writes:

> So if I correctly understand, I've got two choices:
>
> - migrate my kdc to version 1.7 (I suppose you mean experimental,
> because there is no major different release between stable and testing)
> / or use heimdal kerberos

It's not the KDC that's the issue, just the libraries for the client
systems where the PAM module would be running. And yeah, sorry, it's
only in unstable so far.

> - make my own pam module using perl to send login/passwd with kadmin

You'll run into the same problem that the existing PAM module has unless
you run the kadmin command-line client with system(), which is going to
be tricky from an authentication perspective.

--
Russ Allbery (rra at stanford.edu)

From mdw at umich.edu Tue May 19 14:51:56 2009
From: mdw at umich.edu (Marcus Watts)
Date: Tue, 19 May 2009 14:51:56 -0400
Subject: NIS => Kerberos/LDAP Migration
In-Reply-To: <87my99askc.fsf@windlord.stanford.edu>
References: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr> <87tz3invfj.fsf@windlord.stanford.edu> <52BCDB62-B821-4329-BF6A-F51CDF22FBB5@unilim.fr> <87my99askc.fsf@windlord.stanford.edu>
Message-ID:

Russ Allbery writes:
...
>
> > - make my own pam module using perl to send login/passwd with kadmin
>
> You'll run into the same problem that the existing PAM module has unless
> you run the kadmin command-line client with system(), which is going to
> be tricky from an authentication perspective.
>
> --
> Russ Allbery (rra at stanford.edu)
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

While I don't greatly recommend using kadmin for this, it *is* possible.
When you run kadmin, you can give it:
/1/ a keytab against which to authenticate, (-k -t).
/2/ a command to execute. (-q)
You'll need to make sure users can't run this directly, of course.

You'll also need to think about passwords. You can just pass them in on
the command line with "ank -pw", but that exposes them briefly via ps.
You could create the principal with "-randkey", then use the kpasswd
protocol right afterward to set it to the desired value.

Another way to hide the password might be to use the perl (or c) remctl
library to call a remote remctl server, then have that machine run
kadmin. The password would then only be exposed on the command line on
the remote remctl server. This might simplify development too.

I'm not sure I understand why
Authen::Krb5::Admin
http://search.cpan.org/~korty/Authen-Krb5-Admin-0.11/Admin.pm
is a problem. I've run it with various incarnations of MIT 1.4.3 /
1.6.3 for a while now. Ok, they weren't stock, but I don't remember doing
anything special to export the necessary kadm5 functions. The only messy
bit is that Authen::Krb5::Admin provides its own header files for the MIT
functions - that sucks, but that having been said, it basically works.
Is there something special about debian's MIT kerberos libraries?

Instead of cloning the headers (like Authen::Krb5::Admin does) it
should also be quite feasible to just get the debian source package
for k5, configure or build as necessary, rip the desired headers out,
modify as necessary, and use them directly. Admittedly, this is a hack,
and a bad idea, and all that, but for migration purposes (surely you
don't plan on doing this long-term?) this ought to suffice. Here's a
mail message I posted May 2007 that describes how to do this:
http://mailman.mit.edu/pipermail/krbdev/2007-March/005702.html

The MIT folks have for other problems in the past advocated a heavier
weight process like the above: clone the MIT code (bsd license!), remove
the bits that don't do the parts of kerberos that you want, rename as
necessary, then package the entire result in your application. That
means basically taking all the source that makes libkadm5clnt.a and its
associated headers. If you do this, you probably won't need to rename
anything, since there isn't any public api you'd be conflicting with. ;-)

I also have java code that talks to kadm5. I wish I could say it's pure
java, but it's not -- I used JNI to talk at the rpc / gssapi layer. But
I did completely eliminate using libkadm5clnt.so - so down to and
including xdr, I have all of the kadm5 protocol captured in java. From
rpc / gssapi down, MIT does export and support all of the necessary
functions. So, that approach is feasible, albeit messy.

-Marcus Watts

From rra at stanford.edu Tue May 19 15:03:59 2009
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 19 May 2009 12:03:59 -0700
Subject: NIS => Kerberos/LDAP Migration
In-Reply-To: (Marcus Watts's message of "Tue, 19 May 2009 14:51:56 -0400")
References: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr> <87tz3invfj.fsf@windlord.stanford.edu> <52BCDB62-B821-4329-BF6A-F51CDF22FBB5@unilim.fr> <87my99askc.fsf@windlord.stanford.edu>
Message-ID: <87ws8cap9c.fsf@windlord.stanford.edu>

Marcus Watts writes:

> I'm not sure I understand why
> Authen::Krb5::Admin
> http://search.cpan.org/~korty/Authen-Krb5-Admin-0.11/Admin.pm
> is a problem. I've run it with various incarnations of MIT 1.4.3 /
> 1.6.3 for a while now. Ok, they weren't stock, but I don't remember doing
> anything special to export the necessary kadm5 functions. The only messy
> bit is that Authen::Krb5::Admin provides its own header files for the MIT
> functions - that sucks, but that having been said, it basically works.
> Is there something special about debian's MIT kerberos libraries?

That works -- you just can't use it in a PAM module. PAM modules
generally need to be C. I suppose you could embed a Perl interpreter in
a PAM module, but that terrifies me. You could also write a PAM module
that talks to something written in Perl via a local socket or something,
but now you're getting into a fair bit of coding.

> Instead of cloning the headers (like Authen::Krb5::Admin does) it
> should also be quite feasible to just get the debian source package
> for k5, configure or build as necessary, rip the desired headers out,
> modify as necessary, and use them direct. Admittedly, this is a hack,
> and a bad idea, and all that, but for migration purposes (surely you
> don't plan on doing this long-term?) this ought to suffice. Here's a
> mail message I posted May 2007 that describes how to do this:
> http://mailman.mit.edu/pipermail/krbdev/2007-March/005702.html

Yeah, you could do this.

--
Russ Allbery (rra at stanford.edu)

From jawashin at illinois.edu Tue May 19 14:14:32 2009
From: jawashin at illinois.edu (John Washington)
Date: Tue, 19 May 2009 13:14:32 -0500
Subject: Sudo w/Ticket Support
In-Reply-To: <42710EB12789487A8095FA98CB01F1DE@CDCHOME>
References: <42710EB12789487A8095FA98CB01F1DE@CDCHOME>
Message-ID: <20090519181432.GG12900@kyoto.cites.uiuc.edu>

* Christopher D. Clausen [2009-05-07 16:43]:
> petesea at bigfoot.com wrote:
> > Main reason for not setting NOPASSWD is because I don't have control
> > over the sudoers file on most of the systems I have access to. And
> > the SA's are very reluctant to use "NOPASSWD".
>
> Do you know about the ksu command?
>
> Or using a ~root/.k5login and ssh -o "GssapiAuthentication yes"
> root@`hostname` ?
>
> > I believe they just want that extra layer of protection in case a
> > workstation is left unattended.
>
> People who leave workstations unattended should not have sudo access.
> Also, if unattended and the tickets are still valid, someone can still
> use them.
>
> > I do see what you mean though. From a security standpoint, if sudo
> > was capable of using an existing TGT, that doesn't seem like it would
> > be too much different than using NOPASSWD in the sudoers file.
>
> Yes, exactly. Except it will stop working once the tickets expire, so
> there is some trivial level of safety.

My primary comment would be that there are additional concerns with sudo
access. I cannot speak to the exact setup, but I will envision a
hypothetical scenario like the following:

I acquire credentials locally and then ssh with gssapi to my account
elsewhere. I then do some work. I notice that a package is
missing/misconfigured, so I elevate my privileges with sudo and make a
change.

In this case the potential concerns are:

1. The credentials are stale. Sudo enforces a short cache time while
Kerberos credentials are valid for an extended period. This is a
defense mechanism to help ensure that an accidentally unlocked
workstation (your boss stops by with an important question and you
forget to lock your screen).

2. There are potentially additional reasons to require the sudo such as
two factor authentication or a different password for root access. I
will admit that it doesn't seem like it from the description.

I would describe the solution tree like this:

If this is local, I would consider the following:

1. Does this happen often? Once a day isn't a problem, but if you need
to sudo every 1/2 hour then there should be some better way to tune the
sudoers file to whitelist activity.

2. You could (functionally) achieve the same results by extending the
timeout on sudo, while retaining the need for real authentication.

If this is remote:

1. Why not use a .k5login to get to root directly?

From jawashin at illinois.edu Tue May 19 14:18:43 2009
From: jawashin at illinois.edu (John Washington)
Date: Tue, 19 May 2009 13:18:43 -0500
Subject: Sudo w/Ticket Support
In-Reply-To: <200905121504.n4CF4Bt9002178@wind.enjellic.com>
References: <200905121504.n4CF4Bt9002178@wind.enjellic.com>
Message-ID: <20090519181843.GH12900@kyoto.cites.uiuc.edu>

* greg at enjellic.com [2009-05-12 10:18]:
> The user uses the ~S command to initiate the sequence. The user is
> prompted for a password which is used to obtain a TGT which is then
> used to obtain a service ticket which is sent over the channel for
> authentication. By enforcing a very short ticket lifetime parameter
> user immediacy can be enforced.

I find myself impressed with this as a potential solution. I wish you
luck in implementing it, as it is a clean solution to a potentially
clouded issue.

From mdw at umich.edu Tue May 19 19:01:18 2009
From: mdw at umich.edu (Marcus Watts)
Date: Tue, 19 May 2009 19:01:18 -0400
Subject: NIS => Kerberos/LDAP Migration
In-Reply-To: <87ws8cap9c.fsf@windlord.stanford.edu>
References: <4932A448-2381-4E40-9405-C536628B31D6@unilim.fr> <87tz3invfj.fsf@windlord.stanford.edu> <52BCDB62-B821-4329-BF6A-F51CDF22FBB5@unilim.fr> <87my99askc.fsf@windlord.stanford.edu> <87ws8cap9c.fsf@windlord.stanford.edu>
Message-ID:

> Date: Tue, 19 May 2009 12:03:59 PDT
> To: kerberos at mit.edu
> From: Russ Allbery
> Subject: Re: NIS => Kerberos/LDAP Migration
>
> Marcus Watts writes:
>
> > I'm not sure I understand why
> > Authen::Krb5::Admin
> > http://search.cpan.org/~korty/Authen-Krb5-Admin-0.11/Admin.pm
> > is a problem. I've run it with various incarnations of MIT 1.4.3 /
> > 1.6.3 for a while now. Ok, they weren't stock, but I don't remember doing
> > anything special to export the necessary kadm5 functions. The only messy
> > bit is that Authen::Krb5::Admin provides its own header files for the MIT
> > functions - that sucks, but that having been said, it basically works.
> > Is there something special about debian's MIT kerberos libraries?
>
> That works -- you just can't use it in a PAM module. PAM modules
> generally need to be C. I suppose you could embed a Perl interpreter in
> a PAM module, but that terrifies me. You could also write a PAM module
> that talks to something written in Perl via a local socket or something,
> but now you're getting into a fair bit of coding.

Perl would certainly have a startup cost, so yes, not ideal.

There are pam modules that exec programs -- pam_exec, and pam_unix +
unix_chkpwd. Neither of them is quite right for this, and exec'ing a
program is ugly, but perhaps possible (depending on which application(s)
need to use this.)

Using c/remctl in pam, then invoking a perl script would be relatively
trivial - although running perl like that is still going to incur the
startup cost.

Running perl once and not on each authentication attempt is going to
need some form of ipc, be it local sockets or whatever. To do the local
socket thing in perl, this perl module is useful:
Socket::MsgHdr
http://search.cpan.org/~mjp/Socket-MsgHdr-0.01/MsgHdr.pm
It's quite possible to write servers or clients in perl that use local
(unix domain) sockets. In some existing code, I seem to have used about
350 lines of perl (and the above module) to do most of the socket
management and argument packing/unpacking.

...

For a completely different solution: if you were willing to modify the
kdc/kadmin as well as the client, and really weren't at all afraid of
coding, you could add a "crypt salt" type, and simply import your nis
password database directly into your kerberos database. I did this at
one point (with an experimental crypto system based on cast-5); it took
me approximately 360 extra lines in just 5 files to handle this. Of
course, the devil is in the details, and this was *not* a stock kerberos
code base.

Personally, if I was going for the simplest least-code approach, I'd use
the "steal the headers" approach and just call kadm5 from inside the pam
module. I might set up a special service principal that is acl'd to only
be able to invoke "ank". If I was going for "most secure", I'd have a
separate daemon that validated the password matched the crypt string
from nis, then created a kerberos principal that matched. perl5 might
actually be ok for the separate daemon.

-Marcus Watts

From akshar.kerberos at gmail.com Wed May 20 09:19:57 2009
From: akshar.kerberos at gmail.com (akshar kanak)
Date: Wed, 20 May 2009 18:49:57 +0530
Subject: compatibility with windows 2008 server
Message-ID: <5ff84dca0905200619o4eebeb4eja6eeafc624c7698b@mail.gmail.com>

Dear team

Is the PKINIT code in the MIT kerberos release 1.6.3 compatible with a
Windows server 2008 Domain controller?

I am able to send AS_REQ and I am also receiving AS_REP, but while
processing the preauthentication data in function cms_signeddata_verify,
the api d2i_PKCS7 is failing with the error message

"cms_signeddata_verify: failed to decode message: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag"

Thanks in Advance

Thanks and Regards
Akshar

From vilas.tadoori.ext at siemens.com Thu May 21 08:50:47 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Thu, 21 May 2009 08:50:47 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To:
References:
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com>

Dear All,

I have downloaded the following version krb5-1.6.3-signed.tar from the
consortium and was able to configure, make and install as per the
install guide provided, following the steps below:

./configure
make
make install

It installed fine. When I went to /usr/local/sbin and started ./kadmind
I get the following message:

kadmind: No such file or directory while initializing, aborting

The version of suse linux is as follows:

SUSE LINUX Enterprise Server 9 (x86_64) - Kernel 2.6.5-7.244-default (2)

I have earlier installed it on SUSE LINUX Enterprise Server 9 (i586) -
Kernel 2.6.5-7.97-smp (1), and it is working fine....

I would be grateful if anyone would help me in resolving this issue.

Thanks
Vilas

From jbardin at bu.edu Thu May 21 10:11:04 2009
From: jbardin at bu.edu (james bardin)
Date: Thu, 21 May 2009 10:11:04 -0400
Subject: Kerberos, DNS and AAAA records
Message-ID:

Hello,

I've seen this mentioned in a couple of posts in the archives, but I
didn't see any consensus as to whether this is correct, or correctable.

Basically, every kerberos call on a linux machine results in multiple
dns lookups for each server in krb5.conf.

Doing a kinit on my box just ran 73 dns queries! If there's a problem
affecting dns, this severely impacts some systems. Also, a large bulk
of these are AAAA queries, with the domain name appended twice. The
first AAAA query is sent with the trailing '.', so I'm not sure why
there is a second attempt for domain.domain.

Why does every kerberos call need to look up every kdc in the config
file, and not just the server which is going to be queried, and is this
configurable?

Why do we see AAAA lookups for server.domain.domain?

Our current config has 6 kdc lines for our domain.
I'm testing with Centos 5, so our krb5 libs are version 1.6.1

Thanks,
-jim

--
James Bardin
Systems Analyst / Administrator
Boston University

From raeburn at MIT.EDU Thu May 21 10:43:05 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 21 May 2009 10:43:05 -0400
Subject: Kerberos, DNS and AAAA records
In-Reply-To: 
References: 
Message-ID: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu>

On May 21, 2009, at 10:11, james bardin wrote:
> Doing a kinit on my box, just ran 73 dns queries! If there's a problem
> affecting dns, this severely impacts some systems. Also, a large bulk
> of these are AAAA queries, with the domain name appended twice. The
> first AAAA query is sent with the trailing '.', so I'm not sure why
> there is a second attempt for domain.domain.

This is probably a result of specifying KDC names in krb5.conf without the trailing ".", the standard notation for indicating a fully-qualified name. If the trailing dot isn't included, typically the DNS library software will follow the DNS search path (which in the typical case just involves appending the local domain, but more than one domain can be given) trying to "complete" the name and find the first one that exists. So sometimes you can see queries for "host.foo.com.foo.com" resulting from having "host.foo.com" (no trailing dot) given. If you add the trailing dot in the config files, that should fix that problem. If you use DNS SRV records instead of config file entries, the hostnames there are defined to be fully-qualified, so again this problem should go away -- though you've added back some DNS queries for the SRV records.

There have also been bugs in some of the getaddrinfo() library implementations where the searches for A and AAAA records are done completely independently, and each search is done until some name returns data. Which means maybe "host.foo.com" has an A record, so the search for A records stops, but "host.foo.com" doesn't have a AAAA record, so "host.foo.com.foo.com" (and maybe "host.foo.com.searchdomain2.com" and "host.foo.com.searchdomain3.com") may also get looked up. It *should* stop at the first name that returns *either* an A or AAAA record (in the cases where both address types are wanted, which is the case in most but not all of the MIT krb5 code). If that's not the behavior you're seeing, you might want to file a bug report, in addition to adding the trailing dot in the config file or switching to SRV records.

There are probably also cases where we look up names more times than is necessary, because of the current structure of the code. In many system configurations a local name service cache makes this reasonably efficient anyways. But we should try to eliminate some of that redundancy. We do have an in-library cache for some DNS data in case there's no local cache, but I think it's currently only enabled for some platforms, and I don't think it caches negative responses.

> Why does every kerberos call need to lookup every kdc in the config
> file, and not just the server which is going to be queried, and is
> this configurable?

It's not going to only talk to one of them; it'll go through the list repeatedly, trying each until it gets an answer, or times out. Again, it's a matter of the structure of the code -- we get a list of addresses and then loop over the list. We could restructure it to look up the address when first needed, i.e., the first time we try to reach each server, but that'll add complexity to already complicated routines. (We juggle multiple file descriptors, so if we don't get a response back promptly from the first server address and decide to go try the next one, we still keep listening for a response from the first in case it's just slow and not actually unreachable. But that means we're eventually managing up to one file descriptor per server address, some UDP, some TCP.) There are also asynchronous name-lookup techniques, but I think the most portable versions require multithreading support and creation of threads, which capabilities we're not requiring of the OS and application at present.
-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From ravi.channavajhala at dciera.com Thu May 21 10:58:49 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Thu, 21 May 2009 20:28:49 +0530
Subject: Kerberos, DNS and AAAA records
In-Reply-To: 
References: 
Message-ID: <73739dc10905210758m421f4ce6y7e3687e1ac12da80@mail.gmail.com>

On Thu, May 21, 2009 at 7:41 PM, james bardin wrote:
> Hello,
>
> I've seen this mentioned in a couple of posts in the archives, but I
> didn't see any consensus as to whether this is correct, or
> correctable.
>
> Basically, every kerberos call on a linux machine results in multiple
> dns lookups for each server in krb5.conf.
>
> Doing a kinit on my box, just ran 73 dns queries! If there's a problem
> affecting dns, this severely impacts some systems. Also, a large bulk
> of these are AAAA queries, with the domain name appended twice. The
> first AAAA query is sent with the trailing '.', so I'm not sure why
> there is a second attempt for domain.domain.

It is always to terminate the KDC definition with an absolute domain name such as a.example.com. (put a dot at the end).

>
> Why does every kerberos call need to lookup every kdc in the config
> file, and not just the server which is going to be queried, and is
> this configurable?
>
> Why do we see AAAA lookups for server.domain.domain?
>
>
> Our current config has 6 kdc lines for our domain.
> I'm testing with Centos 5, so our krb5 libs are version 1.6.1
>
> Thanks,
> -jim
>
> --
> James Bardin
> Systems Analyst / Administrator
> Boston University
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From luke.scharf at clusterbee.net Thu May 21 11:00:32 2009
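As an added example (not code from the thread or from MIT krb5), here is a small audit script that reads the [realms] section of a krb5.conf, flags kdc entries written without the trailing dot, and lists the extra search-path names a stub resolver can end up querying for them, the "host.foo.com.foo.com" pattern discussed above. The sample config, the search list and every host name in it are constructed; the parser only handles the subset of krb5.conf syntax needed for kdc lines.

```python
"""Audit krb5.conf KDC names for a trailing dot (FQDN terminator).

Added example, not krb5 code.  Sample config and search list are
constructed for illustration.
"""
import re

# Constructed sample: one realm, one KDC written correctly with the
# trailing dot, one without it, one with an explicit port.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com.
        kdc = kdc3.example.com:88
        admin_server = kdc1.example.com
    }
"""


def parse_realm_kdcs(text):
    """Return {realm: [kdc values]} from the [realms] section only."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments/whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)          # section header
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"([^\s=]+)\s*=\s*\{$", line)  # "REALM = {"
        if m:
            realm = m.group(1)
            realms.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        m = re.match(r"kdc\s*=\s*(\S+)$", line)   # "kdc = host[:port]"
        if m and realm:
            realms[realm].append(m.group(1))
    return realms


def host_of(kdc):
    """Strip an optional :port (hostname form only; IPv6 literals not handled)."""
    host, sep, port = kdc.rpartition(":")
    return host if sep and port.isdigit() else kdc


def search_path_queries(name, search_list):
    """Names a typical stub resolver may try for this entry.

    With the trailing dot the name is absolute and only it is queried.
    Without it, after the name itself fails for one record type the
    resolver may append each search domain in turn.
    """
    if name.endswith("."):
        return [name]
    return [name + "."] + [f"{name}.{d}." for d in search_list]


def audit(text, search_list):
    """Return [(realm, host, is_fqdn, candidate query names)] for each kdc."""
    report = []
    for realm, kdcs in parse_realm_kdcs(text).items():
        for kdc in kdcs:
            host = host_of(kdc)
            report.append((realm, host, host.endswith("."),
                           search_path_queries(host, search_list)))
    return report


if __name__ == "__main__":
    # A resolver search list of one domain, as in the thread's example.
    for realm, host, fqdn, queries in audit(SAMPLE_KRB5_CONF, ["example.com"]):
        flag = "ok " if fqdn else "ADD TRAILING DOT"
        print(f"{realm} {host:24} {flag}  possible queries: {queries}")
```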
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Thu, 21 May 2009 10:00:32 -0500
Subject: Issues starting kadmin on suse linux
In-Reply-To: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com>
Message-ID: <4A156C90.2090603@clusterbee.net>

You could run it with strace, and see which files it's trying to open:

$ strace /usr/local/sbin/kadmind

If your shell happens to be bash and you want to get fancy, you can filter the output like so:

$ strace /usr/local/sbin/kadmind 2>&1 | egrep 'stat|open' | less

Picking through the output should tell you for real which file isn't being found.

-Luke

Tadoori (EXT), Vilas wrote:
> Dear All,
>
> I have downloaded the following version
>
> krb5-1.6.3-signed.tar from the consortium and was able to configure, make and install as per the install guide provided as per the steps below
>
> ./configure
> make
> make install
>
> It installed fine, when I went to the /usr/local/sbin and started the ./kadmind
>
> I get the following message
> kadmind: No such file or directory while initializing, aborting
>
> The version of suse linux is as follows
>
> SUSE LINUX Enterprise Server 9 (x86_64) - Kernel 2.6.5-7.244-default(2)
>
>
> I have earlier installed it on
>
> SUSE LINUX Enterprise Server 9 (i586) - Kernel 2.6.5-7.97-smp (1).
>
> And it is working fine....
>
> I would be grateful if anyone would help me in resolving this issue.
>
> Thanks
> Vilas
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From raeburn at MIT.EDU Thu May 21 11:13:44 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 21 May 2009 11:13:44 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com>
Message-ID: <7B20C3B9-E0E9-4478-924C-C61E064E651B@mit.edu>

On May 21, 2009, at 08:50, Tadoori (EXT), Vilas wrote:
> Dear All,
>
> I have downloaded the following version
>
> krb5-1.6.3-signed.tar from the consortium and was able to
> configure, make and install as per the install guide provided as
> per the steps below
>
> ./configure
> make
> make install
>
> It installed fine, when I went to the /usr/local/sbin and started
> the ./kadmind
>
> I get the following message
> kadmind: No such file or directory while initializing, aborting

Ugh. We still have too many error messages that don't provide enough information.

The simple and quick way, if a bit ugly for non-developers, is probably as Luke Scharf suggests, to just run it under strace and see what it's doing. Then, please file a bug report (email to krb5-bugs at mit) and let us know which missing file is reported in such a vague and useless manner.

From your description, it's not clear to me: Was this machine already set up as a KDC with an earlier version of the code? If not, then there's probably no existing database on the machine, and that might be what kadmind is complaining about.

Other things I'd check would be the locations of the config files krb5.conf and kdc.conf vs what the program is looking for. (We made kdc.conf optional at one point -- all the info could go into krb5.conf if you wanted -- and I *think* that was part of the 1.6 code base, but couldn't swear to it, and haven't time to check at the moment, sorry...)

-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From jbardin at bu.edu Thu May 21 11:55:29 2009
From: jbardin at bu.edu (james bardin)
Date: Thu, 21 May 2009 11:55:29 -0400
Subject: Kerberos, DNS and AAAA records
In-Reply-To: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu>
References: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu>
Message-ID: 

On Thu, May 21, 2009 at 10:43 AM, Ken Raeburn wrote:
>
> This is probably a result of specifying KDC names in krb5.conf without the
> trailing ".", the standard notation for indicating a fully-qualified name.
> If the trailing dot isn't included, typically the DNS library software will
> follow the DNS search path (which in the typical case just involves
> appending the local domain, but more than one domain can be given) trying to
> "complete" the name and find the first one that exists. So sometimes you
> can see queries for "host.foo.com.foo.com" resulting from having
> "host.foo.com" (no trailing dot) given. If you add the trailing dot in the
> config files, that should fix that problem. If you use DNS SRV records
> instead of config file entries, the hostnames there are defined to be
> fully-qualified, so again this problem should go away -- though you've added
> back some DNS queries for the SRV records.
>

That is exactly what I needed to know. I didn't think to try adding the trailing dot in the config file, because it's not in any MIT kerberos documentation (that I found). Upon testing, this resolves the excessive AAAA lookups.

> There have also been bugs in some of the getaddrinfo() library
> implementations where the searches for A and AAAA records are done
> completely independently, and each search is done until some name returns
> data.

I think we're OK here. We simply don't have AAAA records in place yet, and they are checked first by default. I've also seen some bugs mentioned about getaddrinfo(), so I may look into it a bit more later.

> There are probably also cases where we look up names more times than is
> necessary, because of the current structure of the code. In many system
> configurations a local name service cache makes this reasonably efficient
> anyways. But we should try to eliminate some of that redundancy. We do
> have an in-library cache for some DNS data in case there's no local cache,
> but I think it's currently only enabled for some platforms, and I don't
> think it caches negative responses.
>
>> Why does every kerberos call need to lookup every kdc in the config
>> file, and not just the server which is going to be queried, and is
>> this configurable?
>
> It's not going to only talk to one of them; it'll go through the list
> repeatedly, trying each until it gets an answer, or times out. Again, it's
> a matter of the structure of the code -- we get a list of addresses and then
> loop over the list. We could restructure it to look up the address when
> first needed, i.e., the first time we try to reach each server, but that'll
> add complexity to already complicated routines. (We juggle multiple file
> descriptors, so if we don't get a response back promptly from the first
> server address and decide to go try the next one, we still keep listening
> for a response from the first in case it's just slow and not actually
> unreachable. But that means we're eventually managing up to one file
> descriptor per server address, some UDP, some TCP.) There are also
> asynchronous name-lookup techniques, but I think the most portable versions
> require multithreading support and creation of threads, which capabilities
> we're not requiring of the OS and application at present.
>

This is what I suspected. Thanks for all the info!

-jim

-- 
James Bardin
Systems Analyst / Administrator
Boston University

From ravi.channavajhala at dciera.com Thu May 21 13:25:47 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Thu, 21 May 2009 22:55:47 +0530
Subject: Kerberos, DNS and AAAA records
In-Reply-To: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu>
References: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu>
Message-ID: <73739dc10905211025w30aa9379hced4df198c63de29@mail.gmail.com>

On Thu, May 21, 2009 at 8:13 PM, Ken Raeburn wrote:
>> Why does every kerberos call need to lookup every kdc in the config
>> file, and not just the server which is going to be queried, and is
>> this configurable?
>
> It's not going to only talk to one of them; it'll go through the list
> repeatedly, trying each until it gets an answer, or times out. Again,
> it's a matter of the structure of the code -- we get a list of
> addresses and then loop over the list. We could restructure it to
> look up the address when first needed, i.e., the first time we try to
> reach each server, but that'll add complexity to already complicated
> routines

I maintain a rather large site, where there are more than a dozen KDCs across different locations. Recently, I configured Windows 2003-R2/AD as the central source of authentication for a lot of Linux and Unix servers. The issue I'm facing here is the user logons are really slow. Capturing network traffic and looking at it reveals the above behavior. Now, can you please help me understand what you mean by "going through list repeatedly"? Does this mean the querying is done simultaneously to several KDCs in parallel?

Also, we don't use SRV/TXT for kdc/realm identification in DNS and I don't explicitly specify the dns_lookup in the krb5.conf. In this context the dns_fallback automatically gets enabled, I'm thinking. What is the consequence of dns_fallback defaulting to yes?

Excellent information BTW...

From mvalites at buffalo.edu Thu May 21 13:30:19 2009
From: mvalites at buffalo.edu (Mark T. Valites)
Date: Thu, 21 May 2009 13:30:19 -0400 (EDT)
Subject: 2009-002-patch.txt fails 'make check' in 'tests/asn.1' for krb-1.5.4
Message-ID: 

I recently tried to update our MIT krb5-1.5.4 install with the patches for the last two security advisories. The 2009-001-patch.txt & 2009-002-patch.txt patches apply cleanly against the krb5-1.5.4 source & compile, but fail for 'make test'. The errors appear to be coming from 'tests/asn.1' & contain some of the content within the 2009-002-patch.txt patch. The tail end of the 'make test' output is below.

Has anyone else had luck patching 1.5.4 or have any suggestions for addressing this?

-Mark

making check in tests/asn.1...
KRB5_CONFIG=./../../config-files/krb5.conf ; \
export KRB5_CONFIG ;\
LD_LIBRARY_PATH=`echo -L../../lib | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; ./krb5_decode_test
OK: authenticator
OK: authenticator(80 -> seq-number 0xffffff80)
OK: authenticator(FF -> seq-number 0xffffffff)
OK: authenticator(00FF -> seq-number 0xff)
OK: authenticator(00FFFFFFFF -> seq-number 0xffffffff)
OK: authenticator(7FFFFFFF -> seq-number 0x7fffffff)
OK: authenticator(FFFFFFFF -> seq-number 0xffffffff)
OK: authenticator(optionals empty)
OK: authenticator(optionals NULL)
OK: ticket
OK: ticket(+ trailing [4] INTEGER
OK: ticket(indefinite lengths)
OK: ticket(indefinite lengths + trailing [4] INTEGER)
OK: encryption_key
OK: encryption_key(+ trailing [2] INTEGER)
OK: encryption_key(+ trailing [2] SEQUENCE {[0] INTEGER})
OK: encryption_key(indefinite lengths)
OK: encryption_key(indefinite lengths + trailing [2] INTEGER)
OK: encryption_key(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})
OK: encryption_key(indefinite lengths + trailing SEQUENCE {[0] INTEGER})
OK: encryption_key(enctype = -1)
OK: encryption_key(enctype = -255)
OK: encryption_key(enctype = 255)
OK: encryption_key(enctype = -2147483648)
OK: encryption_key(enctype = 2147483647)
OK: enc_tkt_part
OK: enc_tkt_part(optionals NULL)
OK: enc_tkt_part(optionals NULL + bitstring enlarged to 38 bits)
OK: enc_tkt_part(optionals NULL + bitstring enlarged to 40 bits)
OK: enc_tkt_part(optionals NULL + bitstring reduced to 29 bits)
OK: enc_tkt_part(optionals NULL + bitstring reduced to 24 bits)
OK: enc_kdc_rep_part(compat_lr_type)
OK: enc_kdc_rep_part
OK: enc_kdc_rep_part(optionals NULL)(compat lr_type)
OK: enc_kdc_rep_part(optionals NULL)
OK: as_rep
OK: as_rep(indefinite lengths)
OK: as_rep(optionals NULL)
OK: tgs_rep
OK: tgs_rep(optionals NULL)
OK: ap_req
OK: ap_rep
OK: ap_rep_enc_part
OK: ap_rep_enc_part(optionals NULL)
OK: ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)
*** Error code 139
make: Fatal error: Command failed for target `check'
Current working directory /opt/src/krb5-1.5.4/src/tests/asn.1
*** Error code 1
make: Fatal error: Command failed for target `check-recurse'
Current working directory /opt/src/krb5-1.5.4/src/tests
*** Error code 1
make: Fatal error: Command failed for target `check-recurse'

-- 
Mark T. Valites
Senior Systems Administrator
Enterprise Infrastructure Services
University at Buffalo

From raeburn at MIT.EDU Thu May 21 15:28:27 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 21 May 2009 15:28:27 -0400
Subject: Kerberos, DNS and AAAA records
In-Reply-To: <73739dc10905211025w30aa9379hced4df198c63de29@mail.gmail.com>
References: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu> <73739dc10905211025w30aa9379hced4df198c63de29@mail.gmail.com>
Message-ID: 

On May 21, 2009, at 13:25, Ravi Channavajhala wrote:
> I maintain a rather large site, where there are more than a dozen KDCs
> across different locations. Recently, I configured Windows 2003-R2/AD
> as the central source of authentication for lot of Linux and Unix
> servers. The issue I'm facing here is the user logons are really
> slow. Capturing network traffic and looking at it, reveals the above
> behavior. Now, can you please help me understand what you mean by
> "going through list repeatedly"? Does this mean the querying is done
> simultaneously to several KDCs in parallel?

The simple version is, we fire off a UDP message to one KDC, and after one second if we haven't heard back we assume the KDC is probably unreachable or offline and send a message to the next KDC, and so on. However, in case the KDC is just being slow, we keep listening for responses even after we've moved on to the next KDC, unless we get back some kind of "port unreachable" indication. In case we're having connectivity or packet-loss problems, we make a total of three passes through the list, with a little delay in between passes, resending UDP messages each time through.

For TCP, it's a little different -- we tell the kernel to start a connection in non-blocking mode, and if it connects, we start sending data, but the "quit" condition for getting out of the loop is successfully sending all of the data and getting a complete response back. In the passes after the first, we don't do anything new for TCP, just keep trying to send and receive data.

Once the name resolution is done, the worst-case timeout for the overall operation (if there are no responses including no host-unreachable errors back) should be according to the comment in src/lib/krb5/os/sendto_kdc.c:

 * Per UDP server, 1s per pass.
 * Per TCP server, 1s.
 * Backoff delay, 2**(P+1) - 2, where P is total number of passes.
 *
 * Total = 2**(P+1) + U*P + T - 2.
 *
 * If P=3, Total = 3*U + T + 14.

Of course, if getting the DNS data takes us a long time, that may dominate, and we haven't done much to improve that, though I've thought about some of these issues before.

It's a somewhat clunky mechanism that hasn't really been tuned using real network data, but most of the time it seems to do okay. We have had complaints that we should be able to impose an overall total timeout. And occasionally doing the serialized DNS queries before any of the connection attempts is a problem at some sites. Like I said earlier, we can look at integrating the DNS lookups and the contact loops so each host address is looked up when we first want to contact it, but only if the extra complexity is really going to help. Doing DNS queries asynchronously does not seem to be something we can do portably at the moment.

We don't want to actually fire off all the queries at the same time, because usually a nearby KDC *will* respond quickly. Sending off all the queries at once will make all the KDCs do the same work each time, even though only one response is needed, and eliminating any load-sharing benefit.

If SRV records are used, hosts listed with equal priority are used in random order, as per the spec, since the Kerberos library has no additional information for sorting them by proximity. We also have no hooks at the moment for figuring out and recording how responsive any given KDC is, to optimize later queries. (A patch to allow some simple optimizations might be acceptable to MIT. Some possible heuristics: Scan the local network interfaces and put anything on a directly-attached network ahead of anything further away. Check an entry in the config file for network blocks listed in priority order, e.g., "18.0.0.0/8 2001:4830:2446::/48", so the local site can be described. Or, you can try using the service-location plugin interface in the library to provide code to order things however you like, and maybe experiment with some heuristics without having to recompile the krb5 libraries.)

You could set up the config files differently at each location, putting the nearby KDCs at the top of the list, and maybe only listing some of the others. You could define a DNS name that maps to multiple addresses for several KDCs and list that as a lower-priority KDC to use as a fallback; that'll reduce the number of DNS queries needed, but if you've got local name servers at each site, caching should make the name lookups reasonably efficient. You could also play games with anycast addresses to find the nearest KDC out of a set (either all your KDCs, or broken into two or three subsets if there are a lot), though that's probably serious overkill.

> Also, we dont use SRV/TXT for kdc/realm identification in DNS and I
> dont explicitly specify the dns_lookup in the krb5.conf. In this
> context the dns_fallback automatically gets enabled, I'm thinking.
> What is the consequence of dns_fallback defaulting to yes?

If you don't explicitly specify KDCs for a realm, then DNS SRV records will be looked up. If you do specify the KDCs, then SRV records won't be used; only those KDCs will be used, and they'll be tried in the order you indicate in the file.

-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From petesea at bigfoot.com Thu May 21 22:33:12 2009
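As an added example (not code from the krb5 tree or from the thread), a Python model of the timeout arithmetic in the sendto_kdc.c comment Ken quotes, plus a constructed event simulation of the UDP contact loop he describes: send to one KDC, wait one second, move on, but keep accepting late replies, with three passes. The split of the backoff total 2**(P+1) - 2 into 2**p seconds after pass p is an assumption; the comment only gives the total.

```python
"""Worst-case timeout and contact-loop model for the krb5 KDC send loop.

Added example, not krb5 code.  KDC names and latencies below are
constructed; a latency of None models a KDC that never answers and
returns no port-unreachable error (the case the comment's total covers).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def worst_case_timeout(udp_servers: int, tcp_servers: int, passes: int = 3) -> int:
    """Total = 2**(P+1) + U*P + T - 2, per the sendto_kdc.c comment."""
    return 2 ** (passes + 1) + udp_servers * passes + tcp_servers - 2


@dataclass
class Kdc:
    name: str
    latency: Optional[float]   # seconds from a send until its reply arrives


def simulate_udp(kdcs: List[Kdc], passes: int = 3,
                 per_server_wait: float = 1.0) -> Tuple[Optional[str], float]:
    """Return (answering KDC, reply time) or (None, total time) if none answers.

    Every send queues a pending reply.  Pending replies are checked each
    time the loop would move on, so a slow KDC sent to earlier can still
    win while we are waiting on a later one (the "keep listening" case).
    Backoff after pass p is assumed to be 2**p seconds.
    """
    now = 0.0
    pending: List[Tuple[float, str]] = []   # (arrival time, kdc name)

    def first_arrived() -> Optional[Tuple[float, str]]:
        ready = [r for r in pending if r[0] <= now]
        return min(ready) if ready else None

    for p in range(1, passes + 1):
        for kdc in kdcs:
            if kdc.latency is not None:
                pending.append((now + kdc.latency, kdc.name))
            now += per_server_wait            # 1 s wait on this server
            hit = first_arrived()
            if hit:
                return hit[1], hit[0]
        now += 2 ** p                          # assumed per-pass backoff
        hit = first_arrived()
        if hit:
            return hit[1], hit[0]
    return None, now


if __name__ == "__main__":
    # Six silent KDCs, as many as the original poster's krb5.conf lists.
    print("formula, 6 UDP KDCs, no TCP:", worst_case_timeout(6, 0), "s")
    print("simulation:", simulate_udp([Kdc(f"kdc{i}", None) for i in range(6)]))
    # A distant KDC listed first that answers after 2.5 s, then a dead one:
    # its late reply is still picked up during the first backoff.
    print("slow-but-alive:", simulate_udp([Kdc("far", 2.5), Kdc("dead", None)]))
```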
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Thu, 21 May 2009 19:33:12 -0700 (PDT)
Subject: No principal in keytab matches desired name
Message-ID: 

I have 4 - Mac 10.4 (tiger) systems that stopped accepting gssapi-keyex authentication via ssh. Running sshd in debug mode shows:

No principal in keytab matches desired name

/etc/krb5.keytab is correct and contains only one principal (2 encryption types) which corresponds to the canonical name of the host. DNS shows both forward and reverse lookups are correct and match what's in the keytab. The KVNO listed in the keytab matches the KVNO for the service principal returned by running "kvno ".

/etc/hosts does not have any name matching this host... in fact it only contains the basic localhost/broadcast host entries.

/etc/krb5.conf is correct and exactly the same as the /etc/krb5.conf on several other macs (10.3 and 10.5). I even tried starting sshd with KRB5_CONFIG set to a specific krb5.conf containing a default_keytab_name entry... just to make sure the keytab was actually getting used.

I can't find any relevant messages in /var/log/system.log or /var/log/secure.log.

I've tried ssh'ing from multiple client hosts (including the same host as the server) but all fail with the same error.

I'm pretty sure the 10.4 systems stopped working right after a Software Update (to 10.4.11). Unfortunately, I didn't perform the update, so I'm not sure what level they were at before or exactly what was updated.

Any idea what's going on and/or anywhere else to look for the problem?

From pgnet.dev+krb at gmail.com Thu May 21 23:42:42 2009
From: pgnet.dev+krb at gmail.com (PGNet Dev)
Date: Thu, 21 May 2009 20:42:42 -0700
Subject: kerberos.schema for openDS on openSUSE?
Message-ID: <94f2e81e0905212042o46e3132eo475df3ca0dc42429@mail.gmail.com>

i'm attempting to load opensuse's mit-kerberos schema (/usr/share/doc/packages/krb5/kerberos.schema) into an openDS -- not openLDAP -- server.

currently, it's 'having issues' @ load ...

who actually 'owns' the creation/maintenance of that file? novell? openDS project? this project?

it appears here,
http://src.mit.edu/fisheye/browse/krb5/branches/ldap-integ/src/lib/kdb_ldap/kerberos.schema

so i'm guessing -- this project. true?

if so, is this the right place to start the discussion about getting the schema 'right' for use with openDS, or is it an openDS project issue?

thanks!

From bjorn.sund at it.uib.no Fri May 22 05:04:57 2009
From: bjorn.sund at it.uib.no (Bjoern Tore Sund)
Date: Fri, 22 May 2009 11:04:57 +0200
Subject: UDP/TCP problem in cross-realm authentication
Message-ID: <4A166AB9.2040903@it.uib.no>

We have linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3 clients in AD and two-way trust configured. Accessing AD resources from Linux clients works perfectly.

Accessing resources in the MIT Kerberos realm from Windows fails more often than not. Lots of packet sniffing shows fragmented UDP packets which the unix server isn't able to reassemble. So, in accordance with http://support.microsoft.com/kb/244474 we've set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize to 1 on the XP clients. Still no go, they never try TCP (again sniffing both on the XP client and the unix kerberos server) but go straight for TCP. TCP is working on the unix kerberos server, the linux clients are happily using it.

Has anyone seen MaxPacketSize fail to have effect before? Any ideas on how to trace this further?

-BT

-- 
Bjørn Tore Sund          Phone: 555-84894    Email: bjorn.sund at it.uib.no
IT department            VIP:   81724        Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.

From miguel.sanders at arcelormittal.com Fri May 22 05:09:59 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Fri, 22 May 2009 11:09:59 +0200
Subject: UDP/TCP problem in cross-realm authentication
In-Reply-To: <4A166AB9.2040903@it.uib.no>
References: <4A166AB9.2040903@it.uib.no>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BDC94C@GEN-MXB-V04.msad.arcelor.net>

Have you rebooted after setting MaxPacketSize? (It's Windows you know...) :-)

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Bjoern Tore Sund
Sent: Friday, 22 May 2009 11:05
To: kerberos at mit.edu
Subject: UDP/TCP problem in cross-realm authentication

We have linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3 clients in AD and two-way trust configured. Accessing AD resources from Linux clients works perfectly.

Accessing resources in the MIT Kerberos realm from Windows fails more often than not. Lots of packet sniffing shows fragmented UDP packets which the unix server isn't able to reassemble. So, in accordance with http://support.microsoft.com/kb/244474 we've set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize to 1 on the XP clients. Still no go, they never try TCP (again sniffing both on the XP client and the unix kerberos server) but go straight for TCP. TCP is working on the unix kerberos server, the linux clients are happily using it.

Has anyone seen MaxPacketSize fail to have effect before? Any ideas on how to trace this further?

-BT

-- 
Bjørn Tore Sund          Phone: 555-84894    Email: bjorn.sund at it.uib.no
IT department            VIP:   81724        Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

****
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
****

From miguel.sanders at arcelormittal.com Fri May 22 05:14:01 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Fri, 22 May 2009 11:14:01 +0200
Subject: UDP/TCP problem in cross-realm authentication
In-Reply-To: <4A166AB9.2040903@it.uib.no>
References: <4A166AB9.2040903@it.uib.no>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206BDC94D@GEN-MXB-V04.msad.arcelor.net>

Moreover, do you even see the KRB5KRB_ERR_RESPONSE_TOO_BIG reply from the KDC?

With kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Bjoern Tore Sund
Sent: Friday, 22 May 2009 11:05
To: kerberos at mit.edu
Subject: UDP/TCP problem in cross-realm authentication

We have linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3 clients in AD and two-way trust configured. Accessing AD resources from Linux clients works perfectly.

Accessing resources in the MIT Kerberos realm from Windows fails more often than not. Lots of packet sniffing shows fragmented UDP packets which the unix server isn't able to reassemble. So, in accordance with http://support.microsoft.com/kb/244474 we've set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize to 1 on the XP clients. Still no go, they never try TCP (again sniffing both on the XP client and the unix kerberos server) but go straight for TCP. TCP is working on the unix kerberos server, the linux clients are happily using it.

Has anyone seen MaxPacketSize fail to have effect before? Any ideas on how to trace this further?

-BT

-- 
Bjørn Tore Sund          Phone: 555-84894    Email: bjorn.sund at it.uib.no
IT department            VIP:   81724        Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From bjorn.sund at it.uib.no Fri May 22 05:43:40 2009
From: bjorn.sund at it.uib.no (Bjoern Tore Sund) Date: Fri, 22 May 2009 11:43:40 +0200 Subject: UDP/TCP problem in cross-realm authentication In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206BDC94D@GEN-MXB-V04.msad.arcelor.net> References: <4A166AB9.2040903@it.uib.no> <7DF29B50FFF41848BB2281EC2E71A206BDC94D@GEN-MXB-V04.msad.arcelor.net> Message-ID: <4A1673CC.7000105@it.uib.no> miguel.sanders at arcelormittal.com wrote: > Moreover, do you even see the KRB5KRB_ERR_RESPONSE_TOO_BIG reply from the KDC? The MIT KDC doesn't seem to see the fragmented UDP packets at all, only when the occasional non-fragmented packet arrives does anything happen. From the client side the connection (I'm testing with a web page on apache) just seems to hang for 20-30 seconds before the connection falls back to username/password authentication. -BT > > > Met vriendelijke groet > Best regards > Bien ? vous > > Miguel SANDERS > ArcelorMittal Gent > > UNIX Systems & Storage > IT Supply Western Europe | John Kennedylaan 51 > B-9042 Gent > > T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 > E miguel.sanders at arcelormittal.com > www.arcelormittal.com/gent > > -----Oorspronkelijk bericht----- > Van: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] Namens Bjoern Tore Sund > Verzonden: vrijdag 22 mei 2009 11:05 > Aan: kerberos at mit.edu > Onderwerp: UDP/TCP problem in cross-realm authentication > > > We have linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3 clients in AD and two-way trust configured. Accessing AD resources from Linux clients work perfectly. > > Accessing resources in the MIT Kerberos realm from Windows fails more often than not. Lots of packet sniffing shows fragmented UDP packets which the unix server isn't able to reassemble. So, in accordance with > http://support.microsoft.com/kb/244474 we've set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ > Kerberos\Parameters\MaxPacketSize to 1 on the XP clients. 
> Still no go, they never try TCP (again sniffing both on the XP client and the Unix Kerberos server) but go straight for TCP. TCP is working on the Unix Kerberos server, the Linux clients are happily using it. Has anyone seen MaxPacketSize fail to have effect before? Any ideas on how to trace this further?
>
> -BT

--
Bjørn Tore Sund          Phone: 555-84894
Email: bjorn.sund at it.uib.no
IT department            VIP: 81724
Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.

From vilas.tadoori.ext at siemens.com Fri May 22 10:29:13 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Fri, 22 May 2009 10:29:13 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To: <4A156C90.2090603@clusterbee.net>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net>
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com>

Hi Luke,

Thanks for the reply.

The OS that I am using is a SUSE Linux 64-bit version. The one that is working fine is a SUSE Linux 32-bit OS, and both of them are different machines.

When I executed the command on the 64-bit OS it gave the output as attached.

$ strace /usr/local/sbin/kadmind 2>&1 | egrep 'stat|open' | less

I have also done the same on the working machine, which is 32-bit, and the output is also similar: there were quite a few .so files that are missing, and they are identical to those on the 64-bit one. I do not understand how it is working on the 32-bit and not on the 64-bit. Is there anything that is not compatible with 64-bit SUSE Linux?

My krb5.conf file is in /etc and it contains the correct entries.

Am I missing anything in my investigation to solve the issue... please help.

Thanks
Vilas

-----Original Message-----
From: Luke Scharf [mailto:luke.scharf at clusterbee.net]
Sent: Thursday, May 21, 2009 8:31 PM
To: Tadoori (EXT), Vilas
Cc: kerberos at mit.edu
Subject: Re: Issues starting kadmin on suse linux

You could run it with strace, and see which files it's trying to open:

$ strace /usr/local/sbin/kadmind

If your shell happens to be bash and you want to get fancy, you can filter the output like so:

$ strace /usr/local/sbin/kadmind 2>&1 | egrep 'stat|open' | less

Picking through the output should tell you for real which file isn't being found.

-Luke

Tadoori (EXT), Vilas wrote:
> Dear All,
>
> I have downloaded the following version
>
> krb5-1.6.3-signed.tar from the consortium and was able to configure, make and install as per the install guide provided, following the steps below
>
> ./configure
> make
> make install
>
> It installed fine. When I went to /usr/local/sbin and started ./kadmind
>
> I get the following message
> kadmind: No such file or directory while initializing, aborting
>
> The version of SUSE Linux is as follows
>
> SUSE LINUX Enterprise Server 9 (x86_64) - Kernel 2.6.5-7.244-default(2)
>
> I have earlier installed it on
>
> SUSE LINUX Enterprise Server 9 (i586) - Kernel 2.6.5-7.97-smp (1).
>
> And it is working fine....
>
> I would be grateful if anyone would help me in resolving this issue.
>
> Thanks
> Vilas

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test.txt
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20090522/249c5d2e/test.txt

From vilas.tadoori.ext at siemens.com Fri May 22 10:30:39 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Fri, 22 May 2009 10:30:39 -0400
Subject: Issues starting kadmin on suse linux
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net>
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A2DAB07@USCIMMBX001.net.plm.eds.com>

I am using a 1.63 code base

From rwilper at stanford.edu Fri May 22 11:12:47 2009
From: rwilper at stanford.edu (Wilper, Ross A)
Date: Fri, 22 May 2009 08:12:47 -0700
Subject: UDP/TCP problem in cross-realm authentication
In-Reply-To: <4A1673CC.7000105@it.uib.no>
References: <4A166AB9.2040903@it.uib.no> <7DF29B50FFF41848BB2281EC2E71A206BDC94D@GEN-MXB-V04.msad.arcelor.net> <4A1673CC.7000105@it.uib.no>
Message-ID:

Have you tried setting this on the client Windows machine?

HKLM\CurrentControlSet\Control\LSA\Kerberos\Domains\YOUR.REALM
RealmFlags = Reg_DWORD = 2 (USE_TCP)

The default behavior for a cross-realm trust is to assume that only UDP is supported.

-Ross

From luke.scharf at clusterbee.net Fri May 22 11:37:44 2009
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Fri, 22 May 2009 10:37:44 -0500
Subject: Issues starting kadmin on suse linux
In-Reply-To: <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com>
Message-ID: <4A16C6C8.9090209@clusterbee.net>

It looks like it's finding /etc/krb5.conf. At least it stats krb5.conf, opens it, gets a return code of 3 (is that the filehandle, or an error?) and then it proceeds to look for /usr/local/etc/krb5.conf.

What do the permissions (from ls -l) look like on /etc/krb5.conf?

I don't know if this affects Kerberos, but it is a general issue.... If I copy a config file around enough, it will sometimes be converted to the Windows/DOS text-file format. You can check this by opening /etc/krb5.conf in vi -- if there's a [dos] next to where it shows the name of the file at the bottom of the screen, this is the issue. The strace output doesn't suggest that this is a problem, but I've spent hours banging my head against the wall only to discover that my config file (or Makefile or whatever) wasn't being interpreted properly because of this one. :-)

Thanks,
-Luke

From michael at stroeder.com Fri May 22 05:44:37 2009
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 22 May 2009 11:44:37 +0200
Subject: kerberos.schema for openDS on openSUSE?
In-Reply-To:
References:
Message-ID: <5p8ie6-9uu.ln1@nb2.stroeder.com>

PGNet Dev wrote:
> i'm attempting to load opensuse's mit-kerberos schema
> (/usr/share/doc/packages/krb5/kerberos.schema) into an openDS -- not
> openLDAP -- server.

Why don't you use /usr/share/doc/packages/krb5/kerberos.ldif since OpenDS reads schema information from an LDIF file? Not sure whether it really works. It might need some tweaking.

Ciao, Michael.

From ghudson at MIT.EDU Fri May 22 13:21:39 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Fri, 22 May 2009 13:21:39 -0400
Subject: kerberos.schema for openDS on openSUSE?
In-Reply-To: <94f2e81e0905212042o46e3132eo475df3ca0dc42429@mail.gmail.com>
References: <94f2e81e0905212042o46e3132eo475df3ca0dc42429@mail.gmail.com>
Message-ID: <1243012899.4146.102.camel@ray>

On Thu, 2009-05-21 at 20:42 -0700, PGNet Dev wrote:
> who actually 'owns' the creation/maintenance of that file? novell?
> openDS project? this project?

The MIT krb5 project owns the maintenance of the file (which was contributed by Novell).

> if so, is this the right place to start the discussion about getting
> the schema 'right' for use with openDS, or is it an openDS project
> issue?

It's a reasonable place. As Michael mentioned, you may want to try the LDIF version of the schema instead.

From bjorn.sund at it.uib.no Fri May 22 15:00:22 2009
From: bjorn.sund at it.uib.no (Bjørn Tore Sund)
Date: Fri, 22 May 2009 21:00:22 +0200
Subject: UDP/TCP problem in cross-realm authentication
In-Reply-To:
References: <4A166AB9.2040903@it.uib.no> <7DF29B50FFF41848BB2281EC2E71A206BDC94D@GEN-MXB-V04.msad.arcelor.net> <4A1673CC.7000105@it.uib.no>
Message-ID: <4A16F646.1020607@it.uib.no>

No, that setting I hadn't found - and it solved the issue. Thank you very much. Good to have a place to ask when Google fails me. :)

-BT

Wilper, Ross A wrote:
> Have you tried setting this on the client Windows machine?
>
> HKLM\CurrentControlSet\Control\LSA\Kerberos\Domains\YOUR.REALM
> RealmFlags = Reg_DWORD = 2 (USE_TCP)
>
> The default behavior for a cross-realm trust is to assume that only UDP is supported.
>
> -Ross

--
Bjørn Tore Sund          Phone: 555-84894
Email: bjorn.sund at it.uib.no
IT department            VIP: 81724
Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.

From pgnet.dev+krb at gmail.com Fri May 22 17:50:59 2009
From: pgnet.dev+krb at gmail.com (PGNet Dev)
Date: Fri, 22 May 2009 14:50:59 -0700
Subject: kerberos.schema for openDS on openSUSE?
In-Reply-To: <1243012899.4146.102.camel@ray>
References: <94f2e81e0905212042o46e3132eo475df3ca0dc42429@mail.gmail.com> <1243012899.4146.102.camel@ray>
Message-ID: <94f2e81e0905221450q2ce7d9f4l5ac6268510e9d0e6@mail.gmail.com>

2009/5/22 Michael Ströder :
> Why don't you use /usr/share/doc/packages/krb5/kerberos.ldif since
> OpenDS reads schema information from LDIF file?
> Not sure whether it really works. It might need some tweaking.

the reason for using the drop-in schema is, simply, that that's the 'closest' to the instructions @ mit-kerberos' docs, though for openldap.

it turns out that there _are_ some problems with the openDS parser -- filed as a bug, and being worked on -- that cause _both_ to choke. that, of course, needs to be fixed 1st.

you're correct in that either/both _should_ work.

On Fri, May 22, 2009 at 10:21 AM, Greg Hudson wrote:
> The MIT krb5 project owns the maintenance of the file (which was
> contributed by Novell).
> It's a reasonable place. As Michael mentioned, you may want to try the
> LDIF version of the schema instead.

thanks for clarifying. the openDS parse fix may smooth things out. if not, i'll follow up here. in either case, i'll drop a note back here just fyi ... thanks again.

From rra at stanford.edu Fri May 22 19:40:17 2009
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 22 May 2009 16:40:17 -0700
Subject: remctl 2.14 released
Message-ID: <873aawg10e.fsf@windlord.stanford.edu>

I'm pleased to announce release 2.14 of remctl.

remctl is a client/server application that supports remote execution of specific commands, using Kerberos v5 GSS-API for authentication. Authorization is controlled by a configuration file and ACL files and can be set separately for each command, unlike with rsh. remctl is like a Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh and sudo without most of the features and complexity of either.

Changes from previous release:

The remctld configuration file may now specify that one argument to a command is passed on standard input instead of on the command line using the stdin= option. This option allows passing data to commands that's too long to fit into a command-line argument or that contains nul characters.

remctld logging of commands or arguments now replaces unprintable characters (characters between ASCII 0 and 31 and ASCII 127) with periods rather than assuming syslog will cope with them correctly.

Use command and subcommand as the names for the first two parameters to the remctl client and the first two strings in a remctl command instead of the unintuitive "type" and "service" terminology borrowed from sysctl. This only changes documentation and some internal variable names; no external APIs should be affected.

Declare message_fatal_cleanup extern in util.h. Fixes compilation problems on Mac OS X and probably elsewhere.

Diagnose and explicitly reject on the server nul characters in command arguments that don't support them rather than truncating the argument silently.

Plug several memory leaks in the remctld server. (These would have little practical effect unless a client stayed connected and issued multiple commands.)

The protocol now permits commands with no arguments. remctld currently doesn't support them, but now returns ERROR_UNKNOWN_COMMAND instead of ERROR_BAD_COMMAND when receiving one.

Add documentation on extending remctl in docs/extending.

Add initial protocol version three draft in docs/protocol-v3.

Better check logmask options when parsing the server configuration file and report errors instead of silently ignoring them. Masking the command is also no longer supported (it previously worked by accident).

Support building against Solaris 10's native generic GSS-API libraries. Thanks, Peter Eriksson.

Update to rra-c-util 1.0:

* Fix open call parameters in daemon portability test.
* Fix AI_ADDRCONFIG portability on BSD/OS systems.
* Split die into a separate object to not link it in shared libraries.
* Don't break if the user clobbers CPPFLAGS at build time.
* Correctly set -L options with --with-gssapi-lib, not -I.
* Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
* Update portable and util test suite for C TAP Harness 1.0.
* Use native Kerberos instead of forking kinit in test suite.

Update to C TAP Harness 1.0:

* Rewrite of all test cases to use the new TAP library support.
* Much improved and simplified builddir != srcdir test suite support.
* Support running a single test with tests/runtests -o.
* Correctly handle completely skipped tests, like client/pod.
* Better reporting of fatal errors in the test suite.

You can download it from:

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.

--
Russ Allbery (rra at stanford.edu)

From thomas at skora.net Sat May 23 15:28:03 2009
From: thomas at skora.net (Thomas Skora)
Date: Sat, 23 May 2009 19:28:03 -0000 (UTC)
Subject: Kerberos with LDAP backend
Message-ID: <6387.41.178.0.232.1243106883.squirrel@webmail.skora.net>

Hello all,

I've set up MIT Kerberos with OpenLDAP from Debian lenny packages according to the instructions in the documentation. From the functionality everything looks fine. The realm subtrees were created in the directory, the KDC is interacting with the LDAP server, but now I'm stuck at a (as it seems to me) chicken-and-egg problem: to add principals I need a principal with appropriate permissions. I already tried to create such entries in LDAP by hand, but all tries to use it ended up with the following log lines:

May 23 20:04:28 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: NEEDED_PREAUTH: tskora/admin at SSOTEST.SECUNET.COM for kadmin/changepw at SSOTEST.SECUNET.COM, Additional pre-authentication required
May 23 20:04:34 dc krb5kdc[3287](info): preauth (timestamp) verify failure: No matching key in entry
May 23 20:04:34 dc krb5kdc[3287](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.1: PREAUTH_FAILED: tskora/admin at SSOTEST.SECUNET.COM for kadmin/changepw at SSOTEST.SECUNET.COM, Preauthentication failed

It seems as if the needed data is hidden between those binary attributes which are visible in the default principals; is this correct?

Now my question is whether I have overlooked something. Is there something from which I can bootstrap a first principal with administrative rights? Is there a working tool available somewhere which could create them?

Thanks in advance,
Thomas

From raeburn at MIT.EDU Sat May 23 15:38:08 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sat, 23 May 2009 15:38:08 -0400
Subject: Kerberos with LDAP backend
In-Reply-To: <6387.41.178.0.232.1243106883.squirrel@webmail.skora.net>
References: <6387.41.178.0.232.1243106883.squirrel@webmail.skora.net>
Message-ID:

On May 23, 2009, at 15:28, Thomas Skora wrote:
> I've set up MIT Kerberos with OpenLDAP from Debian lenny packages
> according to the instructions in the documentation. From the functionality
> everything looks fine. The realm subtrees were created in the directory,
> the KDC is interacting with the LDAP server, but now I'm stuck at a (as it
> seems for me) chicken-egg-problem: to add principals I need a principal
> with appropriate permissions. I tried already to create such entries in
> LDAP by hand but all tries to use it ended up with the following log
> lines:

You should be able to use kadmin.local to create them. It'll go through the KDC database layer and contact the LDAP server directly, and should (like kadmind) be set up to have write access to the appropriate LDAP data.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From thomas at skora.net Sun May 24 17:25:11 2009
From: thomas at skora.net (Thomas Skora)
Date: Sun, 24 May 2009 21:25:11 -0000 (UTC)
Subject: Kerberos with LDAP backend
In-Reply-To:
References: <6387.41.178.0.232.1243106883.squirrel@webmail.skora.net>
Message-ID: <9529.41.178.0.244.1243200311.squirrel@webmail.skora.net>

Ken Raeburn wrote:
> You should be able to use kadmin.local to create them. It'll go
> through the KDC database layer and contact the LDAP server directly,
> and should (like kadmind) be set up to have write access to the
> appropriate LDAP data.

That's what I needed! Thanks! :-)

Best regards,
Thomas

From vilas.tadoori.ext at siemens.com Mon May 25 08:36:08 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Mon, 25 May 2009 08:36:08 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To: <4A16C6C8.9090209@clusterbee.net>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net>
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com>

Hi Luke,

I was able to resolve that issue. It was because I did not create the database; when I created the database with

kdb5_util create -s

my daemons started working.

Now I am getting a new error:

svlv6017:/usr/local/sbin # ./kadmin
Authenticating as principal admroot/admin at NET.PLM.EDS.COM with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface

Any idea how I get over this?

Thanks
Vilas

From raeburn at MIT.EDU Mon May 25 13:40:05 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 25 May 2009 13:40:05 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To: <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com>
Message-ID: <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu>

On May 25, 2009, at 08:36, Tadoori (EXT), Vilas wrote:
> Hi Luke,
>
> I am able to resolve that issue. It was because I did not create the
> database and when I created the database kdb5_util create -s
> My daemons started working.
>
> Now I am getting a new error
>
> svlv6017:/usr/local/sbin # ./kadmin
> Authenticating as principal admroot/admin at NET.PLM.EDS.COM with password.
> kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
>
> Any idea how do I get over this?

It looks like either you don't have a KDC (krb5kdc) process running, or krb5.conf or DNS doesn't tell you where to reach it.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From anandhm_psg at yahoo.com Mon May 25 22:59:23 2009
From: anandhm_psg at yahoo.com (Anandan)
Date: Mon, 25 May 2009 19:59:23 -0700 (PDT)
Subject: Racoon ipsec configuration with GSSAPI/kerberos
In-Reply-To: <04c8e6-o7j.ln1@echo.disfinite.org>
References: <23538533.post@talk.nabble.com> <04c8e6-o7j.ln1@echo.disfinite.org>
Message-ID: <23716179.post@talk.nabble.com>

T. M. Pederson-5 wrote:
>
> In article , Anandan writes:
>>
>> Hi,
>> I have been trying to configure ipsec between two machines with kerberos. I
>> have one Windows 2003 server which has active directory configured... these
>> two linux machines are connected to that Windows machine...
>> I am not able to get any proper documentation on how to use kerberos with
>> racoon..
>> Any help would be appreciated..
>
> Racoon works with Kerberos through GSSAPI, and only for Phase 1. I've
> been working with some Racoon/Heimdal installations on *BSD and the
> occasional Linux box, where the configuration (racoon.conf) has generally
> had the phase 1 section as:
> --------
> # No address lookup by name in this implementation, so this file needs
> # a remote inherit section for EACH OTHER ADDRESS a host has.
>
> remote {
>         exchange_mode main;
>
>         lifetime time 24 hour;
>
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm sha1;
>                 authentication_method gssapi_krb;
>                 # For compatibility, use the GSS-API ID "host/fqdn",
>                 # where fqdn is the output of the hostname(1)
>                 # command. You probably want this to match your system's
>                 # host principal. ktutil(8)'s "list" command will list
>                 # the principals in your system's keytab. If you need
>                 # to, you can change the GSS-API ID here.
>                 # Older implementations used "ike/fqdn"
>                 gss_id "host/fqdn";
>
>                 dh_group 1;
>         }
>
>         # Used by client hosts (initiators). Should be off for servers.
>         generate_policy on;
> }
>
> --------
>
> Note that you could instead use the usual "anonymous" instead of an
> address if you're going with the same phase 1 between all machines.
>
> Also, depending on implementation, encryption_algorithm may be 3des
> or aes (I've been working with both).
>
> The rest of the Racoon configuration (phase 2, etc.) is independent
> of Kerberos and is covered by the standard documentation.
>
> Just had a jump from Heimdal 0.x to 1.1 and it looks like racoon
> needs to adjust for an API change to work with the new Heimdal. Still
> tracking down what's going on with that combo. Otherwise, Racoon
> w/Heimdal 0.6 and 0.7 has been working just fine. I have no experience
> with Racoon interacting with MIT or MS Kerberos implementations.
> --
> T. M. Pederson
> GPG key fingerprint = FFAF D056 F12B E03F 7084 1288 EF8B E1FE 1693 21EB
> +Accept: text/plain; charset=ISO-8859-*,UTF-*
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

Thanks for the information. I think this case will work between two linux machines. Is it possible to configure racoon with kerberos between a linux machine and a windows machine??

Thanks,
Anandan
--
View this message in context: http://www.nabble.com/Racoon-ipsec-configuration-with-GSSAPI-kerberos-tp23538533p23716179.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
From vilas.tadoori.ext at siemens.com Tue May 26 07:31:15 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Tue, 26 May 2009 07:31:15 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To: <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com> <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu>
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A2DB980@USCIMMBX001.net.plm.eds.com>

I have the KDC process running as below and the krb5.conf is also there in /etc

svlv6017:/ # ps -ef | grep krb5kdc
root     25769     1  0 May25 ?        00:00:00 ./krb5kdc
root      4950 20257  0 06:29 pts/0    00:00:00 grep krb5kdc

How can I check the DNS issue?

Thanks
Vilas

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: Monday, May 25, 2009 11:10 PM
To: Tadoori (EXT), Vilas
Cc: Luke Scharf; kerberos at mit.edu
Subject: Re: Issues starting kadmin on suse linux

On May 25, 2009, at 08:36, Tadoori (EXT), Vilas wrote:
> Hi Luke,
>
> I am able to resolve that issue. It was because I did not create the
> database and when I created the database kdb5_util create -s
> My daemons started working.
>
> Now I am getting a new error
>
> svlv6017:/usr/local/sbin # ./kadmin
> Authenticating as principal admroot/admin at NET.PLM.EDS.COM with
> password.
> kadmin: Cannot contact any KDC for requested realm while
> initializing kadmin interface
>
> Any idea how do I get over this?

It looks like either you don't have a KDC (krb5kdc) process running, or krb5.conf or DNS doesn't tell you where to reach it.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
From Shahezad_Mirkar at bmc.com Tue May 26 07:35:48 2009
From: Shahezad_Mirkar at bmc.com (Mirkar, Shahezad)
Date: Tue, 26 May 2009 17:05:48 +0530
Subject: Issues starting kadmin on suse linux
In-Reply-To: <6344D3A1F3677A429F994D643E17F84F145A2DB980@USCIMMBX001.net.plm.eds.com>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com> <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu> <6344D3A1F3677A429F994D643E17F84F145A2DB980@USCIMMBX001.net.plm.eds.com>
Message-ID:

Can u send us krb5.conf file details? Would help us to debug the issue

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Tadoori (EXT), Vilas
Sent: Tuesday, May 26, 2009 5:01 PM
To: Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

I have the KDC process running as below and the krb5.conf is also there in /etc

svlv6017:/ # ps -ef | grep krb5kdc
root     25769     1  0 May25 ?        00:00:00 ./krb5kdc
root      4950 20257  0 06:29 pts/0    00:00:00 grep krb5kdc

How can I check the DNS issue?

Thanks
Vilas
From vilas.tadoori.ext at siemens.com Tue May 26 07:42:51 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Tue, 26 May 2009 07:42:51 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To:
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com> <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu> <6344D3A1F3677A429F994D643E17F84F145A2DB980@USCIMMBX001.net.plm.eds.com>
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A2DB990@USCIMMBX001.net.plm.eds.com>

Please find the attached krb5.conf file

Thanks
Vilas

-----Original Message-----
From: Mirkar, Shahezad [mailto:Shahezad_Mirkar at bmc.com]
Sent: Tuesday, May 26, 2009 5:06 PM
To: Tadoori (EXT), Vilas; Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

Can u send us krb5.conf file details? Would help us to debug the issue
From Shahezad_Mirkar at bmc.com Tue May 26 07:54:26 2009
From: Shahezad_Mirkar at bmc.com (Mirkar, Shahezad)
Date: Tue, 26 May 2009 17:24:26 +0530
Subject: Issues starting kadmin on suse linux
In-Reply-To: <6344D3A1F3677A429F994D643E17F84F145A2DB990@USCIMMBX001.net.plm.eds.com>
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com> <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu> <6344D3A1F3677A429F994D643E17F84F145A2DB980@USCIMMBX001.net.plm.eds.com> <6344D3A1F3677A429F994D643E17F84F145A2DB990@USCIMMBX001.net.plm.eds.com>
Message-ID:

Also need kdc.conf output

-----Original Message-----
From: Tadoori (EXT), Vilas [mailto:vilas.tadoori.ext at siemens.com]
Sent: Tuesday, May 26, 2009 5:13 PM
To: Mirkar, Shahezad; Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

Please find the attached krb5.conf file

Thanks
Vilas
From vilas.tadoori.ext at siemens.com Tue May 26 07:57:26 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Tue, 26 May 2009 07:57:26 -0400
Subject: Issues starting kadmin on suse linux
In-Reply-To:
References: <6344D3A1F3677A429F994D643E17F84F145A20049E@USCIMMBX001.net.plm.eds.com> <4A156C90.2090603@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DAB02@USCIMMBX001.net.plm.eds.com> <4A16C6C8.9090209@clusterbee.net> <6344D3A1F3677A429F994D643E17F84F145A2DB503@USCIMMBX001.net.plm.eds.com> <9381379B-6262-4023-949F-1AA9F26938C2@mit.edu> <6344D3A1F3677A429F994D643E17F84F145A2DB980@USCIMMBX001.net.plm.eds.com> <6344D3A1F3677A429F994D643E17F84F145A2DB990@USCIMMBX001.net.plm.eds.com>
Message-ID: <6344D3A1F3677A429F994D643E17F84F145A2DB9BB@USCIMMBX001.net.plm.eds.com>

Here is my kdc.conf

-----Original Message-----
From: Mirkar, Shahezad [mailto:Shahezad_Mirkar at bmc.com]
Sent: Tuesday, May 26, 2009 5:24 PM
To: Tadoori (EXT), Vilas; Ken Raeburn
Cc: kerberos at mit.edu
Subject: RE: Issues starting kadmin on suse linux

Also need kdc.conf output
From ravi.channavajhala at dciera.com Tue May 26 14:14:54 2009
From: ravi.channavajhala at dciera.com (Ravi Channavajhala)
Date: Tue, 26 May 2009 23:44:54 +0530
Subject: Kerberos, DNS and AAAA records
In-Reply-To:
References: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu> <73739dc10905211025w30aa9379hced4df198c63de29@mail.gmail.com>
Message-ID: <73739dc10905261114n13f97d14g69cc5453162e02c2@mail.gmail.com>

On Fri, May 22, 2009 at 12:58 AM, Ken Raeburn wrote:
>
> The simple version is, we fire off a UDP message to one KDC, and after one
> second if we haven't heard back we assume the KDC is probably unreachable or
> offline and send a message to the next KDC, and so on. However, in case the
> KDC is just being slow, we keep listening for responses even after we've
> moved on to the next KDC, unless we get back some kind of "port unreachable"
> indication. In case we're having connectivity or packet-loss problems, we
> make a total of three passes through the list, with a little delay in
> between passes, resending UDP messages each time through. For TCP, it's a
> little different -- we tell the kernel to start a connection in non-blocking
> mode, and if it connects, we start sending data, but the "quit" condition
> for getting out of the loop is successfully sending all of the data and
> getting a complete response back. In the passes after the first, we don't
> do anything new for TCP, just keep trying to send and receive data.
>
> Once the name resolution is done, the worst-case timeout for the overall
> operation (if there are no responses including no host-unreachable errors
> back) should be according to the comment in src/lib/krb5/os/sendto_kdc.c:
>
>  * Per UDP server, 1s per pass.
>  * Per TCP server, 1s.
>  * Backoff delay, 2**(P+1) - 2, where P is total number of passes.
>  *
>  * Total = 2**(P+1) + U*P + T - 2.
>  *
>  * If P=3, Total = 3*U + T + 14.
>
> Of course, if getting the DNS data takes us a long time, that may dominate,
> and we haven't done much to improve that, though I've thought about some of
> these issues before.

I was piqued by this and did some more extensive testing as to how the
best possible KDC candidate is determined out of a list. I placed the
nearest KDC on the top of the list but for some strange reason a KDC
located quite some distance away (alright, in another continent) is the
chosen one. Ran the typical network diagnostics such as traceroute,
ping etc to determine the round trip time and the nearest KDC is really
the quickest to respond to these types of test. But I can't generalize
this for kerberos services or don't know the inner workings well;
kerberos may have its unique way of determining the appropriate KDC
not just predicated on round trip time or the number of hops. So
still not quite sure what's happening here. FWIW, I'm using Solaris-10
natively packaged Kerberos.

The slowness gets further aggravated when trying to change a passwd
despite the explicit mention of admin_server and kpasswd_protocol is
specified with SET_CHANGE to take care of non SEAMlessness of
Windows/AD.

I can't really seem to get around slow logins etc. I will be glad to
use any ideas here.

> It's a somewhat clunky mechanism that hasn't really been tuned using real
> network data, but most of the time it seems to do okay. We have had
> complaints that we should be able to impose an overall total timeout. And
> occasionally doing the serialized DNS queries before any of the connection
> attempts is a problem at some sites. Like I said earlier, we can look at
> integrating the DNS lookups and the contact loops so each host address is
> looked up when we first want to contact it, but only if the extra complexity
> is really going to help. Doing DNS queries asynchronously does not seem to
> be something we can do portably at the moment.
>
> We don't want to actually fire off all the queries at the same time, because
> usually a nearby KDC *will* respond quickly. Sending off all the queries at
> once will make all the KDCs do the same work each time, even though only one
> response is needed, and eliminating any load-sharing benefit.
>
>
> If SRV records are used, hosts listed with equal priority are used in random
> order, as per the spec, since the Kerberos library has no additional
> information for sorting them by proximity. We also have no hooks at the
> moment for figuring out and recording how responsive any given KDC is, to
> optimize later queries. (A patch to allow some simple optimizations might
> be acceptable to MIT. Some possible heuristics: Scan the local network
> interfaces and put anything on a directly-attached network ahead of anything
> further away. Check an entry in the config file for network blocks listed
> in priority order, e.g., "18.0.0.0/8 2001:4830:2446::/48", so the local site
> can be described. Or, you can try using the service-location plugin
> interface in the library to provide code to order things however you like,
> and maybe experiment with some heuristics without having to recompile the
> krb5 libraries.)
>
> You could set up the config files differently at each location, putting the
> nearby KDCs at the top of the list, and maybe only listing some of the
> others. You could define a DNS name that maps to multiple addresses for
> several KDCs and list that as a lower-priority KDC to use as a fallback;
> that'll reduce the number of DNS queries needed, but if you've got local
> name servers at each site, caching should make the name lookups reasonably
> efficient. You could also play games with anycast addresses to find the
> nearest KDC out of a set (either all your KDCs, or broken into two or three
> subsets if there are a lot), though that's probably serious overkill.
From raeburn at MIT.EDU Tue May 26 14:45:16 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 26 May 2009 14:45:16 -0400
Subject: Kerberos, DNS and AAAA records
In-Reply-To: <73739dc10905261114n13f97d14g69cc5453162e02c2@mail.gmail.com>
References: <05159044-BB50-4480-9F53-4D7131ED00BD@mit.edu> <73739dc10905211025w30aa9379hced4df198c63de29@mail.gmail.com> <73739dc10905261114n13f97d14g69cc5453162e02c2@mail.gmail.com>
Message-ID: <48FA6522-80E6-44DE-841E-6B249C9792C6@mit.edu>

On May 26, 2009, at 14:14, Ravi Channavajhala wrote:
> I was piqued by this and did some more extensive testing as to how the
> best possible KDC candidate is determined out of a list.

In the MIT code, the answer is simple: It isn't. Servers listed in the config file should be tried in order. Servers listed in DNS SRV records should be tried in priority order, and randomly among servers with equal priority.

From your earlier messages, I understand you're listing fully-qualified names with trailing dots in the config file now? Then it should definitely try the first-listed server first.

Note that KRB5_CONFIG may provide a colon-separated list of config files, and the default set in the MIT code uses /etc/krb5.conf and then $sysconfdir/krb5.conf (where $sysconfdir is normally $prefix/etc but can be overridden at configure time). Sun's changes may cause it to use something like /etc/krb5/krb5.conf instead. So if you're experimenting with a test config file, make sure you're pointing the software at only that config file, and not accidentally including two versions of your config files and thus getting some hosts twice and in an unexpected order.

> I placed the
> nearest KDC on the top of the list but for some strange reason a KDC
> located quite some distance away (alright, in another continent) is the
> chosen one.

Sounds like something's amiss. Run tcpdump or equivalent while this is happening; truss may help too.

If I recall correctly, name lookups are done in the order the names are seen in the config file too, so if they're showing up in a different order than you expect, that could be the source of the later problems. (Local caching may make this hard to check.)

Try also listing just one KDC and see what that does. If it still contacts the remote KDC instead, then for some reason the config file data just isn't being used. (Realm case mismatch? Wrong environment variable name for pointing to the test config file? Bogus entries in /etc/hosts? Check for simple mistakes like that.)

> Ran the typical network diagnostics such as traceroute,
> ping etc to determine the round trip time and the nearest KDC is really
> the quickest to respond to these types of test. But I can't generalize
> this for kerberos services or don't know the inner workings well;
> kerberos may have its unique way of determining the appropriate KDC
> not just predicated on round trip time or the number of hops. So
> still not quite sure what's happening here. FWIW, I'm using Solaris-10
> natively packaged Kerberos.

I know Sun has some local changes to the MIT code, but offhand I don't know if any of them would affect these areas.

> The slowness gets further aggravated when trying to change a passwd
> despite the explicit mention of admin_server and kpasswd_protocol is
> specified with SET_CHANGE to take care of non SEAMlessness of
> Windows/AD.
>
> I can't really seem to get around slow logins etc. I will be glad to
> use any ideas here.

Getting it to pay attention to the config file is the first step....

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
From tmp+rnpc at echo.disfinite.org Tue May 26 06:55:44 2009
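The two Raeburn messages above describe three things a client-side troubleshooter needs to reason about: the worst-case contact timeout from the sendto_kdc.c comment (Total = 2**(P+1) + U*P + T - 2), the order in which KDC candidates are tried (config-file order, or SRV priority with a random order among equal priorities), and the way a colon-separated KRB5_CONFIG makes hosts from two files accumulate. The following is an added example that models those rules, not MIT's code: the krb5.conf parsing is a deliberate simplification of the profile library, the equal-priority ordering is RFC 2782's weighted random selection (which is what "as per the spec" amounts to), and the sample config texts and SRV records are constructed for illustration.

```python
"""KDC candidate order and worst-case contact timeout.

Added example, not MIT code: it models what the replies above describe.
KDCs listed in krb5.conf are tried in listed order (and values from every
file on the KRB5_CONFIG path accumulate); DNS SRV records are used only when
the realm lists none, ordered by priority with a weighted random order among
equal priorities as RFC 2782 specifies; and the worst-case timeout follows
the sendto_kdc.c comment.  The krb5.conf parser is a deliberate
simplification of the profile library, and the sample config texts and SRV
records are constructed for illustration.
"""
import random
import re

SECTION_RE = re.compile(r'^\s*\[(\w+)\]')
REALM_RE = re.compile(r'^\s*(\S+)\s*=\s*\{')
KDC_RE = re.compile(r'^\s*kdc\s*=\s*(\S+)')


def realm_kdcs(profiles, realm):
    """'kdc = host' values for `realm` from each krb5.conf text, in file
    order.  Two files that both list the realm yield the hosts twice, which
    is the duplicated, reordered list the reply above warns about."""
    kdcs = []
    for text in profiles:
        section = cur_realm = None
        for line in text.splitlines():
            sec = SECTION_RE.match(line)
            if sec:
                section, cur_realm = sec.group(1), None
                continue
            if section != "realms":
                continue
            start = REALM_RE.match(line)
            if start:
                cur_realm = start.group(1)
            elif line.strip() == "}":
                cur_realm = None
            elif cur_realm == realm:
                kdc = KDC_RE.match(line)
                if kdc:
                    kdcs.append(kdc.group(1))
    return kdcs


def order_srv(records, rng):
    """Order (priority, weight, target) SRV records: lowest priority first;
    within one priority, RFC 2782 weighted random selection.  Nothing here
    knows about proximity, so two equal-priority KDCs on different
    continents are chosen at random."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        rng.shuffle(pool)              # zero-weight entries still get a random order
        while pool:
            point = rng.uniform(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= point:
                    ordered.append(pool.pop(i)[2])
                    break
    return ordered


def candidate_kdcs(profiles, realm, srv_records, seed=None):
    """Configured KDCs win and keep their listed order; SRV records are
    consulted only when the realm has none configured."""
    configured = realm_kdcs(profiles, realm)
    if configured:
        return configured
    return order_srv(srv_records, random.Random(seed))


def worst_case_timeout(udp_servers, tcp_servers, passes=3):
    """Seconds until the library gives up when nothing answers, per the
    sendto_kdc.c comment quoted above: 1s per UDP server per pass, 1s per
    TCP server, and back-off delays totalling 2**(P+1) - 2 over P passes."""
    return 2 ** (passes + 1) - 2 + udp_servers * passes + tcp_servers


# Constructed: /etc/krb5.conf and a forgotten $sysconfdir/krb5.conf that
# lists the same realm with the KDCs in the opposite order.
SAMPLE_ETC = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc-near.example.com.
        kdc = kdc-far.example.com.
        admin_server = kdc-near.example.com.
    }
"""
SAMPLE_SYSCONF = """\
[realms]
    EXAMPLE.COM = {
        kdc = kdc-far.example.com.
        kdc = kdc-near.example.com.
    }
"""
# Constructed _kerberos._udp SRV data as (priority, weight, target).
SAMPLE_SRV = [(0, 100, "kdc-a.example.com."), (0, 100, "kdc-b.example.com."),
              (10, 0, "kdc-backup.example.com.")]

if __name__ == "__main__":
    print("one config file:", candidate_kdcs([SAMPLE_ETC], "EXAMPLE.COM", SAMPLE_SRV))
    print("two config files:", candidate_kdcs([SAMPLE_ETC, SAMPLE_SYSCONF], "EXAMPLE.COM", SAMPLE_SRV))
    print("SRV only:", candidate_kdcs([], "EXAMPLE.COM", SAMPLE_SRV))
    print("worst case, 3 UDP + 1 TCP KDCs:", worst_case_timeout(3, 1), "s")
```

With both files on the KRB5_CONFIG path the near KDC is still first, but the far one is now listed twice, so a single slow answer from it costs a second on every pass; with four unanswered UDP servers and three passes, the formula gives 2**4 - 2 + 4*3 = 26 seconds before the library gives up.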
From: tmp+rnpc at echo.disfinite.org (T. M. Pederson)
Date: Tue, 26 May 2009 05:55:44 -0500
Subject: Racoon ipsec configuration with GSSAPI/kerberos
References: <23538533.post@talk.nabble.com> <04c8e6-o7j.ln1@echo.disfinite.org>
Message-ID:

In article , Anandan writes:
[...]
> Thanks for the information. I think this case will work between two linux
> machines.
> Is it possible to configure racoon with kerberos between a linux machine and
> a windows machine??

According to the documentation it's certainly possible. I don't have
access to any MS-Windows machines to offer much of any tips.

I will note, however, that while Racoon is capable of two gssapi id
encodings, MS-Windows can only handle one. Racoon is supposed to default
to using the same one that MS-Windows does, but if for some reason it
doesn't, explicitly set it in the general section of your racoon.conf:

        gss_id_enc utf-16le;

--
T. M. Pederson
GPG key fingerprint = FFAF D056 F12B E03F 7084 1288 EF8B E1FE 1693 21EB
+Accept: text/plain; charset=ISO-8859-*,UTF-*
From Guillaume.Rousse at inria.fr Wed May 27 09:50:18 2009
From: Guillaume.Rousse at inria.fr (Guillaume Rousse)
Date: Wed, 27 May 2009 15:50:18 +0200
Subject: question about apache mod_auth_kerb
Message-ID: <4A1D451A.70509@inria.fr>

Hello list.

We use mod_auth_kerb 5.4 to protect nagios access. This application automatically refreshes the screen every 30s.

By looking at the logs, we just discovered each refresh leads to multiple connections to the KDC, for forwarding tickets:

2009-05-27T15:34:18 TGS-REQ stefanes at SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
2009-05-27T15:34:18 TGS-REQ stefanes at SACLAY.INRIA.FR from IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [forwarded]
2009-05-27T15:34:18 Request to forward non-forwardable ticket
2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212

Using a forwardable TGT, this changes to:

2009-05-27T15:34:42 TGS-REQ rousse at SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
2009-05-27T15:34:42 TGS-REQ rousse at SACLAY.INRIA.FR from IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [proxiable, forwarded, forwardable]
2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime: 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49

The multiple attempts seem to result from the multiple resources fetched each time (html page, CSS stylesheets, icons...). However, why does the client (firefox here) apparently attempt to forward its ticket, or to renew it each time it attempts to reconnect?

Here is the apache configuration:

AuthType Kerberos
AuthName "Kerberos authentication required"
KrbAuthRealm SACLAY.INRIA.FR
Krb5Keytab /etc/krb5.keytab
KrbMethodK5Passwd on
KrbMethodNegotiate on
KrbLocalUserMapping on
Require valid-user

--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62
From deengert at anl.gov Wed May 27 10:44:07 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 27 May 2009 09:44:07 -0500
Subject: question about apache mod_auth_kerb
In-Reply-To: <4A1D451A.70509@inria.fr>
References: <4A1D451A.70509@inria.fr>
Message-ID: <4A1D51B7.5070407@anl.gov>

Guillaume Rousse wrote:
> Hello list.
>
> We use mod_auth_kerb 5.4 to protect nagios access. This application
> automatically refreshes the screen every 30s.
>
> By looking at the logs, we just discovered each refresh leads to multiple
> connections to the KDC, for forwarding tickets:
> 2009-05-27T15:34:18 TGS-REQ stefanes at SACLAY.INRIA.FR from
> IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [forwarded]
> 2009-05-27T15:34:18 Request to forward non-forwardable ticket
> 2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
> 2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
> 2009-05-27T15:34:18 TGS-REQ stefanes at SACLAY.INRIA.FR from
> IPv4:195.83.212.212 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR [forwarded]
> 2009-05-27T15:34:18 Request to forward non-forwardable ticket
> 2009-05-27T15:34:18 Failed building TGS-REP to IPv4:195.83.212.212
> 2009-05-27T15:34:18 sending 107 bytes to IPv4:195.83.212.212
>
> Using a forwardable TGT, this changes to:
> 2009-05-27T15:34:42 TGS-REQ rousse at SACLAY.INRIA.FR from
> IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR
> [proxiable, forwarded, forwardable]
> 2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime:
> 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
> 2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
> 2009-05-27T15:34:42 TGS-REQ rousse at SACLAY.INRIA.FR from
> IPv4:195.83.212.49 for krbtgt/SACLAY.INRIA.FR at SACLAY.INRIA.FR
> [proxiable, forwarded, forwardable]
> 2009-05-27T15:34:42 TGS-REQ authtime: 2009-05-27T15:17:09 starttime:
> 2009-05-27T15:34:42 endtime: 2009-05-27T21:57:20 renew till: unset
> 2009-05-27T15:34:42 sending 673 bytes to IPv4:195.83.212.49
>
> The multiple attempts seem to result from the multiple resources
> fetched each time (html page, CSS stylesheets, icons...). However, why
> does the client (firefox here) apparently attempt to forward its ticket,
> or to renew it each time it attempts to reconnect?

You may have told Firefox to do this. Enter about:config and look for the

  network.negotiate-auth.delegation-uris    user set    string    https://inria.fr

This would say to try and delegate to any website in inria.fr

>
> Here is the apache configuration:
>
> AuthType Kerberos
> AuthName "Kerberos authentication required"
> KrbAuthRealm SACLAY.INRIA.FR
> Krb5Keytab /etc/krb5.keytab
> KrbMethodK5Passwd on
> KrbMethodNegotiate on
> KrbLocalUserMapping on
> Require valid-user
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From Guillaume.Rousse at inria.fr Thu May 28 03:43:54 2009
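Douglas's point is about scope: network.negotiate-auth.trusted-uris decides where Firefox will do SPNEGO at all, while network.negotiate-auth.delegation-uris decides where it will also hand over a forwarded TGT, which is what produces the "[forwarded]" TGS-REQs in the KDC log. The following is an added example, not code from the thread and not Mozilla's: it reimplements, as an approximation, the prefix/domain matching Firefox applies to those comma-separated lists (an entry is "scheme://host[:port]" or a bare "host"; it matches when scheme and port, if given, are equal and the site's host is the entry's host or a subdomain of it), so that a prefs.js can be audited for how far a delegation entry reaches. The value "https://inria.fr" is from the thread; the Nagios host name and the other sites are assumptions.

```python
"""Which sites a Firefox delegation-uris entry hands the user's TGT to.

Added example, not from the thread and not Mozilla's code: an approximation
of the matching Firefox applies to network.negotiate-auth.delegation-uris
(trusted-uris uses the same rule).  Host names other than inria.fr and the
prefs.js lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
PREF_RE = re.compile(
    r'user_pref\("(network\.negotiate-auth\.(?:trusted|delegation)-uris)",\s*"([^"]*)"\);')


def _parse_entry(entry):
    """Split one list entry into (scheme or None, host, port or None)."""
    entry = entry.strip()
    if "://" in entry:
        u = urlsplit(entry)
        return u.scheme.lower(), (u.hostname or "").lower(), u.port
    host, _, port = entry.partition(":")
    return None, host.lower(), int(port) if port else None


def _host_matches(host, pattern):
    """Exact match, or host is a subdomain of pattern: 'inria.fr' matches
    'nagios.inria.fr' but not 'notinria.fr'; '.inria.fr' matches only
    subdomains.  An entry without a host matches every host."""
    if not pattern:
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern or host.endswith("." + pattern)


def may_delegate(url, delegation_uris):
    """True if, with this delegation-uris value, the browser would forward
    the user's credentials to `url`."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    for entry in delegation_uris.split(","):
        if not entry.strip():
            continue
        e_scheme, e_host, e_port = _parse_entry(entry)
        if e_scheme is not None and e_scheme != scheme:
            continue
        if e_port is not None and e_port != port:
            continue
        if _host_matches(host, e_host):
            return True
    return False


def negotiate_prefs(prefs_js):
    """Pull the two Negotiate allow-lists out of a prefs.js or user.js text."""
    return dict(PREF_RE.findall(prefs_js))


def delegation_targets(prefs_js, urls):
    """Of `urls`, those the delegation-uris pref in `prefs_js` would forward
    a TGT to."""
    value = negotiate_prefs(prefs_js).get("network.negotiate-auth.delegation-uris", "")
    return [url for url in urls if may_delegate(url, value)]


# Constructed prefs.js lines: the broad setting from the thread, and a
# narrow one naming only the Nagios host (hostname assumed).
BROAD_PREFS = '''\
user_pref("network.negotiate-auth.trusted-uris", "https://inria.fr");
user_pref("network.negotiate-auth.delegation-uris", "https://inria.fr");
'''
NARROW_PREFS = '''\
user_pref("network.negotiate-auth.trusted-uris", "https://inria.fr");
user_pref("network.negotiate-auth.delegation-uris", "https://nagios.saclay.inria.fr");
'''
SITES = ["https://nagios.saclay.inria.fr/nagios/",   # the protected application (assumed host)
         "https://wiki.inria.fr/",                   # any other HTTPS host under inria.fr
         "http://nagios.saclay.inria.fr/",           # same host, wrong scheme
         "https://inria.fr.example.org/"]            # look-alike, not a subdomain

if __name__ == "__main__":
    for label, prefs in (("broad", BROAD_PREFS), ("narrow", NARROW_PREFS)):
        print(label, "delegates to:", delegation_targets(prefs, SITES))
```

Only the sites the narrow entry returns actually need a forwarded TGT; every extra host the broad entry admits is a web server that could use the forwarded credentials as the user anywhere in the realm.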
From: Guillaume.Rousse at inria.fr (Guillaume Rousse)
Date: Thu, 28 May 2009 09:43:54 +0200
Subject: question about apache mod_auth_kerb
In-Reply-To: <4A1D51B7.5070407@anl.gov>
References: <4A1D451A.70509@inria.fr> <4A1D51B7.5070407@anl.gov>
Message-ID: <4A1E40BA.3030309@inria.fr>

Douglas E. Engert wrote:
>> The multiple attempts seem to result from the multiple resources
>> fetched each time (html page, CSS stylesheets, icons...). However, why
>> does the client (firefox here) apparently attempt to forward its
>> ticket, or to renew it each time it attempts to reconnect ?
>
> You may have told FireFox to do this. Enter about:config and look for the
>
> network.negotiate-auth.delegation-uris user set string
> https://inria.fr
>
> This would say to try and delegate to any website in inria.fr

Indeed, I just followed blindly explanations found on the web without
enquiring further about exact meaning of those configuration directives :(

Thanks for your help.
--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62

From tlyu at MIT.EDU Thu May 28 03:44:26 2009
From: tlyu at MIT.EDU (Tom Yu) Date: Thu, 28 May 2009 03:44:26 -0400 Subject: 2009-002-patch.txt fails 'make check' in 'tests/asn.1' for krb-1.5.4 In-Reply-To: (Mark T. Valites's message of "Thu, 21 May 2009 13:30:19 -0400 (EDT)") References: Message-ID: "Mark T. Valites" writes: > I recently tried to update our MIT krb5-1.5.4 install with the patches for > the last two security advisories. > > The 2009-001-patch.txt & 2009-002-patch.txt patches apply cleanly against > the krb5-1.5.4 source & compile, but fail for 'make test'. The errors > appear to be coming from 'tests/asn.1' & contain some of the content > within the 2009-002-patch.txt patch. The tail end of the 'make test' > output is below. > > Has anyone else had luck patching 1.5.4 or have any suggestions for > addressing this? There was a bug in the test case due to a change in the behavior of the "free" functions. I have updated the patch. diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c index aa4be32..5f7461d 100644 --- a/src/lib/krb5/asn.1/asn1_decode.c +++ b/src/lib/krb5/asn.1/asn1_decode.c @@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val) if(length != 15) return ASN1_BAD_LENGTH; retval = asn1buf_remove_charstring(buf,15,&s); + if (retval) return retval; /* Time encoding: YYYYMMDDhhmmssZ */ if(s[14] != 'Z') { free(s); diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c index 0ff9343..04ea287 100644 --- a/src/tests/asn.1/krb5_decode_test.c +++ b/src/tests/asn.1/krb5_decode_test.c 
@@ -485,6 +485,22 @@ int main(argc, argv) ktest_destroy_keyblock(&(ref.subkey)); ref.seq_number = 0; decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); + + retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); + if (retval) { + com_err("krb5_decode_test", retval, "while parsing"); + exit(1); + } + retval = decode_krb5_ap_rep_enc_part(&code, &var); + if (retval != ASN1_OVERRUN) { + printf("ERROR: "); + } else { + printf("OK: "); + } + printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); + krb5_free_data_contents(test_context, &code); + if (!retval) krb5_free_ap_rep_enc_part(test_context, var); + ktest_empty_ap_rep_enc_part(&ref); } From bjorn.sund at it.uib.no Thu May 28 10:46:22 2009 
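Review bot: the added `if (retval) return retval;` after `asn1buf_remove_charstring(buf,15,&s)` in asn1_decode_generaltime is the right fix, because the preceding `if(length != 15)` only checks the declared length, and a buffer with fewer than 15 bytes left makes the remove fail, after which the old code went on to read `s[14]` and `free(s)` on a string that was never filled in. Two follow-ups: a short comment on that line saying the return value guards against an underrun of the declared length would stop it being dropped later as redundant, and the other `asn1buf_remove_charstring` calls in this file deserve the same check, since this one was evidently unchecked until now.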
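Review bot: in the krb5_decode_test.c hunk the `if (retval != ASN1_OVERRUN)` branch prints `ERROR: ` but nothing records the failure, so unlike the `krb5_data_hex_parse` failure just above it (which calls `exit(1)`) a regression here still lets the test program finish with status 0 unless another part of the harness scans for `ERROR:` lines; set a failure flag or exit non-zero in that branch. The hex vector also deserves a comment naming the inconsistency it exercises (outer length `06` and SEQUENCE length `04` while the tagged GeneralizedTime inside claims `11` and `0F` bytes), since the printed description only says "inconsistent length of timestamp".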
From: bjorn.sund at it.uib.no (Bjoern Tore Sund)
Date: Thu, 28 May 2009 16:46:22 +0200
Subject: cross-realm authentication problem
Message-ID: <4A1EA3BE.1000403@it.uib.no>

I am trying to get cross-realm authentication to work between AD and our
MIT Kerberos realm. Windows clients are in KLIENT.UIB.NO, Windows user
accounts are in UIB.NO, Unix/Linux machines and accounts are in
UNIX.UIB.NO. User names in UIB.NO and UNIX.UIB.NO are the same.

KLIENT.UIB.NO and UIB.NO trust each other, UIB.NO and UNIX.UIB.NO have
two-way trust enabled, transitive.

I have one web server running RHEL4, apache 2.0.52 and Kerberos 1.3.4 as
provided by Redhat, self-compiled mod_auth_kerb 5.4, and another running
RHEL5, apache 2.2.3 and Kerberos 1.6.1 as provided by Redhat,
self-compiled mod_auth_kerb 5.4. krb5.conf, .htaccess etc are identical
on the two web servers, both have principals in UNIX.UIB.NO.

 From Unix/Linux machines with user authenticated in UNIX.UIB.NO Kerberos
negotiation works fine. After choosing UNIX.UIB.NO as authentication
domain on a Windows machine Kerberos negotiation works fine. After
authenticating against UIB.NO on a Linux machine (which has UNIX.UIB.NO
as primary realm in krb5.conf) cross-realm authentication works fine.
But using a Windows machine where the user is authenticated in UIB.NO I
get cross-realm authentication only to the web server running RHEL4, not
the one running RHEL5; I never even get a ticket for UNIX.UIB.NO from AD
when trying to access the RHEL5 server web page. The only difference
between the RHEL4 and RHEL5 server should be the Kerberos and Apache
versions.
krb5.conf on the server looks like this:
===
[libdefaults]
    default_realm = UNIX.UIB.NO
    ticket_lifetime = 144h
    forwardable = yes
    proxiable = yes
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac des-cbc-md5
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    dns_lookup_realm = true
    dns_lookup_kdc = true
    udp_preference_limit = 1

[realms]
    UNIX.UIB.NO = {
        auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
    }

[domain_realm]
    .uib.no = UNIX.UIB.NO
    uib.no = UNIX.UIB.NO

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[capaths]
    UIB.NO = {
        UNIX.UIB.NO = .
    }

    UNIX.UIB.NO = {
        UIB.NO = .
    }

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 650000
        renew_lifetime = 650000
        forwardable = true
        proxiable = true
        krb4_convert = false
    }
===
I have spent a lot of time fiddling with capaths, to no avail. My
.htaccess on both servers looks like this:
===
AuthType Kerberos
AuthName "Kerberos Login "
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthRealms UNIX.UIB.NO
KrbServiceName "HTTP"
Krb5Keytab /etc/httpd/conf/radisson_http.keytab
KrbLocalUserMapping on
Require valid-user
===

Any ideas where I need to look to figure this one out? It looks as if
the RHEL5 server somehow fails to inform the windows client that it needs
to get a TGT for UNIX.UIB.NO, but why then does the RHEL4 server provide
this information?

-BT
--
Bjørn Tore Sund       Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department         VIP: 81724         Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.

From cclausen at acm.org Thu May 28 11:07:52 2009
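With KrbLocalUserMapping on, the auth_to_local rule in this krb5.conf decides which cross-realm principals become local users, so its regexp is worth reading closely. The block below is an added example (not MIT's code and not from the thread): a simplified Python model of RULE evaluation, run on the rule above and on a tightened variant. Assumed semantics: [n:string] applies only to principals with exactly n components, $0 expands to the realm and $1..$n to the components, the (regexp) must match the whole expanded string, and s/pat/repl/[g] rewrites it; the principals and the STRICT_RULE are constructed.

```python
import re

# Simplified model of MIT krb5 auth_to_local "RULE:" evaluation (added example,
# not MIT's implementation). Options beyond the selector, match regexp and one
# substitution are not modelled.
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>.*)\))?"
    r"(?:s/(?P<pat>(?:\\.|[^/])*)/(?P<repl>(?:\\.|[^/])*)/(?P<g>g?))?$"
)


def parse_principal(princ):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, realm = princ.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, princ):
    """Return the local user the rule yields for princ, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule syntax: %s" % rule)
    comps, realm = parse_principal(princ)
    if len(comps) != int(m["n"]):
        return None  # selector is for a different number of components

    def expand(v):  # $0 -> realm, $i -> i-th component
        i = int(v.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise ValueError("rule references $%d but principal has %d components" % (i, len(comps)))
        return comps[i - 1]

    selector = re.sub(r"\$(\d+)", expand, m["fmt"])
    # Assumed: the match regexp must cover the whole selector string.
    if m["match"] is not None and re.fullmatch(m["match"], selector) is None:
        return None
    if m["pat"] is not None:
        selector = re.sub(m["pat"], m["repl"], selector, count=0 if m["g"] else 1)
    return selector


# The rule from the krb5.conf above, and a constructed tighter variant: dots
# escaped and only the two realms that hold user accounts spelled out.
PAGE_RULE = r"RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//"
STRICT_RULE = r"RULE:[1:$1@$0](.*@(UIB|UNIX\.UIB)\.NO)s/@.*//"


def map_principals(rule, principals):
    """Apply one rule to several principals; None means no local mapping."""
    return {p: apply_rule(rule, p) for p in principals}


if __name__ == "__main__":
    # Constructed principals: the two user realms, the web server's service
    # principal, and a realm name that the unescaped dots in PAGE_RULE accept.
    sample = ["bob@UIB.NO", "bob@UNIX.UIB.NO",
              "HTTP/radisson.uib.no@UNIX.UIB.NO", "bob@OTHERUIBXNO"]
    for rule in (PAGE_RULE, STRICT_RULE):
        print(rule)
        for princ, local in map_principals(rule, sample).items():
            print("  %-36s -> %s" % (princ, local))
```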
From: cclausen at acm.org (Christopher D. Clausen)
Date: Thu, 28 May 2009 10:07:52 -0500
Subject: cross-realm authentication problem
References: <4A1EA3BE.1000403@it.uib.no>
Message-ID: <264A4119D558441E9520FA586032D1B1@CDCHOME>

Bjoern Tore Sund wrote:
> Any ideas where I need to look to figure this one out? It looks as if
> the RHEL5 server somehow fails to inform the windows client that it
> needs to get a TGT for UNIX.UIB.NO, but why then does the RHEL4
> server provide this information?

Kerberos works the other way. The CLIENT needs to know what realm the
server is in. The server doesn't really inform the client of its realm.

Windows doesn't have a krb5.conf file for SSPI creds. You probably want
to look into trying to use the netdom.exe trust command (possibly with
/addTLN or AddTLNEX) to add the domain to realm mappings for Windows
clients to use. Your KDC may need to support referrals for this to work.

What are the URLs / hostnames of the two different web servers? It is
possible that mappings exist for one name and not the other domain?

Or, can you downgrade to the older krb5 libs on your RHEL5 web server to
see if that gets things working?

-----
I'd consider why you have multiple realms in the first place. It would be
much easier to just use Active Directory as one single realm.

<

References: <4A1EA3BE.1000403@it.uib.no>
Message-ID: <4A1EB16D.1010609@anl.gov>

Bjoern Tore Sund wrote:
> I am trying to get cross-realm authentication to work between AD and our
> MIT Kerberos realm. Windows clients are in KLIENT.UIB.NO, Windows user
> accounts are in UIB.NO, Unix/Linux machines and accounts are in
> UNIX.UIB.NO. User names in UIB.NO and UNIX.UIB.NO are the same.
>

So KLIENT.UIB.NO and UIB.NO are AD and UNIX.UIB.NO is MIT? What version?

> KLIENT.UIB.NO and UIB.NO trust each other, UIB.NO and UNIX.UIB.NO have
> two-way trust enabled, transitive.
>
> I have one web server running RHEL4, apache 2.0.52 and Kerberos 1.3.4 as
> provided by Redhat, self-compiled mod_auth_kerb 5.4, and another running
> RHEL5, apache 2.2.3 and Kerberos 1.6.1 as provided by Redhat,
> self-compiled mod_auth_kerb 5.4. krb5.conf, .htaccess etc are identical
> on the two web servers, both have principals in UNIX.UIB.NO.
>
> From Unix/Linux machines with user authenticated in UNIX.UIB.NO Kerberos
> negotiation works fine. After choosing UNIX.UIB.NO as authentication
> domain on a Windows machine Kerberos negotiation works fine. After
> authenticating against UIB.NO on a Linux machine (which have UNIX.UIB.NO
> as primary realm in krb5.conf) cross-realm authentication works fine.
> But using a Windows machine where the user is authenticated in UIB.NO I
> get cross-realm authentication only to the web server running RHEL4, not
> the one running RHEL5, I never even get a ticket for UNIX.UIB.NO from AD
> when trying to access the RHEL5 server web page. The only difference
> between the RHEL4 and RHEL5 server should be the Kerberos and Apache
> versions.
>
>
> krb5.conf on the server looks like this:
> ===
> [libdefaults]
> default_realm = UNIX.UIB.NO
> ticket_lifetime = 144h
> forwardable = yes
> proxiable = yes
> permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac des-cbc-md5
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> dns_lookup_realm = true
> dns_lookup_kdc = true
> udp_preference_limit = 1
>
> [realms]
> UNIX.UIB.NO = {
> auth_to_local = RULE:[1:$1@$0](.*@.*UIB.NO)s/@.*//
> }
>
> [domain_realm]
> .uib.no = UNIX.UIB.NO
> uib.no = UNIX.UIB.NO
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [capaths]
> UIB.NO = {
> UNIX.UIB.NO = .
> }
>
> UNIX.UIB.NO = {
> UIB.NO = .
> }
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 650000
> renew_lifetime = 650000
> forwardable = true
> proxiable = true
> krb4_convert = false
> }
> ===
> I have spent a lot of time fiddling with capaths, to no avail.

You should not need the capaths as the default is to assume
a hierarchical realm tree, which you have.

> My
> .htaccess on both servers looks like this:
> ===
> AuthType Kerberos
> AuthName "Kerberos Login "
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> KrbAuthRealms UNIX.UIB.NO
> KrbServiceName "HTTP"
> Krb5Keytab /etc/httpd/conf/radisson_http.keytab
> KrbLocalUserMapping on
> Require valid-user
> ===
>
> Any ideas where I need to look to figure this one out? It looks as if
> the RHEL5 server somehow fails to inform the windows client that it needs
> to get a TGT for UNIX.UIB.NO, but why then does the RHEL4 server provide
> this information?

The server does not inform the client. The client figures out it needs
to do cross realm, and the KDC figures out what enctype to use for the
server. With Windows, the Microsoft client code asks its KDC for
a referral. But you said both the web servers are in the same realm,
and the old one works and the new one does not.

krb5-1.6.1 supports RC4 and DES (plus others).
Windows 2003 only supports RC4 and DES.
krb5-1.3.1 only supports DES.

So there might be some enctype issue where RC4 is being used.
Does the keytab file for the RHEL have a RC4 and/or DES key?

Wireshark on the client can be very helpful, as you can see
all the Krb5 requests and responses including enctypes.
The KDC may be sending some error messages or sending a key
with an enctype that is not in the keytab.

http://www.wireshark.org/

>
> -BT

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Guillaume.Rousse at inria.fr Thu May 28 11:58:42 2009
From: Guillaume.Rousse at inria.fr (Guillaume Rousse)
Date: Thu, 28 May 2009 17:58:42 +0200
Subject: cross-realm authentication problem
In-Reply-To: <4A1EB16D.1010609@anl.gov>
References: <4A1EA3BE.1000403@it.uib.no> <4A1EB16D.1010609@anl.gov>
Message-ID: <4A1EB4B2.8060706@inria.fr>

Douglas E. Engert wrote:
> krb5-1.6.1 supports RC4 and DES (plus others).
> Windows 2003 only supports RC4 and DES.
> krb5-1.3.1 only supports DES.
Windows 2003 supports RC4 starting from SP2 only, and still uses DES for
cross-realm relationships by default. You have to install the Windows 2003
Resource Kit *service pack 2* to change this setting, using the ktpass command:
ktpass /MITRealmName DOMAINE.UNIX /TrustEncryp RC4
--
BOFH excuse #85:
Windows 95 undocumented "feature"

From ahamberger at unitec.ac.nz Thu May 28 19:43:27 2009
From: ahamberger at unitec.ac.nz (Andreas Hamberger)
Date: Fri, 29 May 2009 11:43:27 +1200
Subject: --with-edirectory compile error
Message-ID: <4A1FCA5F020000540001E26C@gwia1.unitec.ac.nz>

Hello There

I am trying to compile 1.6.3 with edirectory support as Novell has told
us that this is now all in MIT kerberos and supported there. I get the
following compile error, which I also get using the latest trunk. Any
help is appreciated.

kdb5_ldap_services.c: In function ‘rem_service_entry_from_file’:
kdb5_ldap_services.c:1143: warning: ignoring return value of ‘link’, declared with attribute warn_unused_result
kdb5_ldap_services.c: In function ‘generate_random_password’:
kdb5_ldap_services.c:1500: warning: comparison between signed and unsigned
kdb5_ldap_services.c: In function ‘kdb5_ldap_set_service_password’:
kdb5_ldap_services.c:1728: error: ‘struct data’ has no member named ‘data’
kdb5_ldap_services.c:1853: warning: ignoring return value of ‘link’, declared with attribute warn_unused_result
make[2]: *** [kdb5_ldap_services.o] Error 1
make[2]: Leaving directory `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap/ldap_util'
make[1]: *** [all-recurse] Error 1
make[1]: Leaving directory `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap'
make: *** [all-recurse] Error 1

Regards
Andreas Hamberger
Mobile: +64 21 2840435
Unitec Design Team

From bjorn.sund at it.uib.no Fri May 29 09:19:28 2009
From: bjorn.sund at it.uib.no (Bjoern Tore Sund)
Date: Fri, 29 May 2009 15:19:28 +0200
Subject: cross-realm authentication problem
In-Reply-To: <4A1EB16D.1010609@anl.gov>
References: <4A1EA3BE.1000403@it.uib.no> <4A1EB16D.1010609@anl.gov>
Message-ID: <4A1FE0E0.6050501@it.uib.no>

Douglas E. Engert wrote:
>
>
> Bjoern Tore Sund wrote:
>> I am trying to get cross-realm authentication to work between AD and
>> our MIT Kerberos realm. Windows client are in KLIENT.UIB.NO, Windows
>> user accounts are in UIB.NO, Unix/Linux machines and accounts are in
>> UNIX.UIB.NO. User names in UIB.NO and UNIX.UIB.NO are the same.
>>
>
> So KLIENT.UIB.NO and UIB.NO are AD and UNIX.UIB.NO is MIT? What version?

Correct. Windows 2003 SP2 and MIT Kerberos 1.6.3.

>> KLIENT.UIB.NO and UIB.NO trust each other, UIB.NO and UNIX.UIB.NO have
>> two-way trust enabled, transitive.
>>
>> I have one web server running RHEL4, apache 2.0.52 and Kerberos 1.3.4
>> as provided by Redhat, self-compiled mod_auth_kerb 5.4, and another
>> running RHEL5, apache 2.2.3 and Kerberos 1.6.1 as provided by Redhat,
>> self-compiled mod_auth_kerb 5.4. krb5.conf, .htaccess etc are
>> identical on the two web servers, both have principals in UNIX.UIB.NO.
>>
>> From Unix/Linux machines with user authenticated in UNIX.UIB.NO
>> Kerberos negotiation works fine. After choosing UNIX.UIB.NO as
>> authentication domain on a Windows machine Kerberos negotiation works
>> fine. After authenticating against UIB.NO on a Linux machine (which
>> have UNIX.UIB.NO as primary realm in krb5.conf) cross-realm
>> authentication works fine. But using a Windows machine where the user
>> is authenticated in UIB.NO I get cross-realm authentication only to
>> the web server running RHEL4, not the one running RHEL5, I never even
>> get a ticket for UNIX.UIB.NO from AD when trying to access the RHEL5
>> server web page. The only difference between the RHEL4 and RHEL5
>> server should be the Kerberos and Apache versions.
>> default_realm = UNIX.UIB.NO
>> ticket_lifetime = 144h
>> forwardable = yes
>> proxiable = yes
>> permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac des-cbc-md5
>> default_tgs_enctypes = des-cbc-crc
>> default_tkt_enctypes = des-cbc-crc
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> udp_preference_limit = 1
>
> You should not need the capaths as the default is to assume
> a hierarchical realm tree, which you have.

Ok. Didn't help to remove the whole capaths section either. :(

>> ===
>> AuthType Kerberos
>> AuthName "Kerberos Login "
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd off
>> KrbAuthRealms UNIX.UIB.NO
>> KrbServiceName "HTTP"
>> Krb5Keytab /etc/httpd/conf/radisson_http.keytab
>> KrbLocalUserMapping on
>> Require valid-user
>> ===
>>
>> Any ideas where I need to look to figure this one out? It looks as if
>> the RHEL5 server somehow fails to inform the windows client that it
>> needs to get a TGT for UNIX.UIB.NO, but why then does the RHEL4 server
>> provide this information?
>
> The server does not inform the client. The client figures out it needs
> to do cross realm, and the KDC figures out what enctype to use for the
> server. With Windows, the Microsoft client code asks its KDC for
> a referral. But you said both the web servers are in the same realm,
> and the old one works and the new one does not.

I thought the web server was supposed to use the www-authenticate: header
not only to say that it supports Negotiate authentication but also which
realm to negotiate with. That was defined in HTTP 1.0 but I haven't found
it for 1.1. And indeed, neither of the two web servers use this field for
that.
In fact, the http headers are identical except for the apache version:

HTTP/1.1 401 Authorization Required
Date: Fri, 29 May 2009 12:12:53 GMT
Server: Apache/2.0.52 (Red Hat)
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 401
Content-Type: text/html; charset=iso-8859-1

The first WWW-Authenticate is added by KrbMethodNegotiate being on, the
second by KrbMethodK5Passwd being on. I can't figure out how the client
figures out which realm to get a TGT for and then request a service ticket
from without the HTTP header specifying this. On the linux clients and
servers I set a specific mapping from dns domain .uib.no to realm
UNIX.UIB.NO, is there a way to do this on Windows?

> krb5-1.6.1 supports RC4 and DES (plus others).
> Windows 2003 only supports RC4 and DES.
> krb5-1.3.1 only supports DES.
>
> So there might be some enctype issue where RC4 is being used.
> Does the keytab file for the RHEL have a RC4 and/or DES key?

Entry for principal HTTP/radisson.uib.no with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/radisson_http.keytab.
Entry for principal HTTP/radisson.uib.no with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/radisson_http.keytab.
Entry for principal HTTP/radisson.uib.no with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/radisson_http.keytab.

I'd understand that if it was the RHEL4 machine I couldn't talk to.

> Wireshark on the client can be very helpful, as you can see
> all the Krb5 requests and responses including enctypes.
> The KDC may be sending some error messages or sending a key
> with an enctype that is not in the keytab.
>
> http://www.wireshark.org/

When trying to retrieve the web page from the RHEL5 server there is no
attempt to contact a KDC at all.

-BT
--
Bjørn Tore Sund       Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department         VIP: 81724         Support: http://bs.uib.no
Univ.
of Bergen
When in fear and when in doubt, run in circles, scream and shout.

From tlyu at MIT.EDU Fri May 29 09:57:25 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Fri, 29 May 2009 09:57:25 -0400
Subject: --with-edirectory compile error
In-Reply-To: <4A1FCA5F020000540001E26C@gwia1.unitec.ac.nz> (Andreas Hamberger's message of "Fri, 29 May 2009 11:43:27 +1200")
References: <4A1FCA5F020000540001E26C@gwia1.unitec.ac.nz>
Message-ID: 

"Andreas Hamberger" writes:

> Hello There
>
> I am trying to compile 1.6.3 with edirectory support as Novell has told
> us that this is now all in MIT kerberos and supported there. I get the
> following compile error, which I also get using the latest trunk. Any
> help is appreciated.
>
>
> kdb5_ldap_services.c: In function ‘rem_service_entry_from_file’:
> kdb5_ldap_services.c:1143: warning: ignoring return value of ‘link’,
> declared with attribute warn_unused_result
> kdb5_ldap_services.c: In function ‘generate_random_password’:
> kdb5_ldap_services.c:1500: warning: comparison between signed and
> unsigned
> kdb5_ldap_services.c: In function ‘kdb5_ldap_set_service_password’:
> kdb5_ldap_services.c:1728: error: ‘struct data’ has no member named
> ‘data’
> kdb5_ldap_services.c:1853: warning: ignoring return value of ‘link’,
> declared with attribute warn_unused_result
> make[2]: *** [kdb5_ldap_services.o] Error 1
> make[2]: Leaving directory
> `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap/ldap_util'
> make[1]: *** [all-recurse] Error 1
> make[1]: Leaving directory
> `/usr/src/packages/BUILD/trunk/src/plugins/kdb/ldap'
> make: *** [all-recurse] Error 1

The above looks like it comes from compiling on the trunk. That
particular compilation error does not occur on the krb5-1.6 branch.
What error were you getting when compiling 1.6.3?

From mvalites at buffalo.edu Fri May 29 13:50:11 2009
From: mvalites at buffalo.edu (Mark T. Valites)
Date: Fri, 29 May 2009 13:50:11 -0400 (EDT)
Subject: 2009-002-patch.txt fails 'make check' in 'tests/asn.1' for krb-1.5.4
In-Reply-To: 
References: 
Message-ID: 

On Thu, 28 May 2009, Tom Yu wrote:

> "Mark T. Valites" writes:
>
>> I recently tried to update our MIT krb5-1.5.4 install with the patches
>> for the last two security advisories.
>>
>> The 2009-001-patch.txt & 2009-002-patch.txt patches apply cleanly
>> against the krb5-1.5.4 source & compile, but fail for 'make test'. The
>> errors appear to be coming from 'tests/asn.1' & contain some of the
>> content within the 2009-002-patch.txt patch. The tail end of the 'make
>> test' output is below.
>>
>> Has anyone else had luck patching 1.5.4 or have any suggestions for
>> addressing this?
>
> There was a bug in the test case due to a change in the behavior of the
> "free" functions. I have updated the patch.

Thank you Tom. The updated patch works as expected in my environment.

-Mark

From bjorn.sund at it.uib.no Fri May 29 16:03:32 2009
From: bjorn.sund at it.uib.no (Bjørn Tore Sund)
Date: Fri, 29 May 2009 22:03:32 +0200
Subject: cross-realm authentication problem
In-Reply-To: <4A1FE0E0.6050501@it.uib.no>
References: <4A1EA3BE.1000403@it.uib.no> <4A1EB16D.1010609@anl.gov> <4A1FE0E0.6050501@it.uib.no>
Message-ID: <4A203F94.1040609@it.uib.no>

I'd like to thank Douglas Engert, Christopher Clausen and Guillaume
Rousse for the help with this matter. Netdom.exe was indeed the answer,
and as I was pestering our main AD honcho on the matter he started to
remember (I still don't...) that I'd pulled up that command to him
before - and the RHEL4 server where everything was working had indeed at
some vague past point in time been added as a trusted server in AD.

I'll go sit in a corner and feel embarrassed now.

-BT
--
Bjørn Tore Sund       Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department         VIP: 81724         Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.

From cclausen at acm.org Fri May 29 18:00:21 2009
From: cclausen at acm.org (Christopher D. Clausen)
Date: Fri, 29 May 2009 17:00:21 -0500
Subject: cross-realm authentication problem
References: <4A1EA3BE.1000403@it.uib.no> <4A1EB16D.1010609@anl.gov> <4A1FE0E0.6050501@it.uib.no> <4A203F94.1040609@it.uib.no>
Message-ID: <3D5587AF530A4D9988E743A1472EC005@CDCHOME>

Bjørn Tore Sund wrote:
> I'd like to thank Douglas Engert, Christopher Clausen and Guillaume
> Rousse for the help with this matter. Netdom.exe was indeed the
> answer, and as I was pestering our main AD honcho on the matter he
> started to remember (I still don't...) that I'd pulled up that
> command to him before - and the RHEL4 server where everything was
> working had indeed at some vague past point in time been added as a
> trusted server in AD.

Can you let us know what exact command you actually ran that worked?

<

References: <4A1EA3BE.1000403@it.uib.no> <4A1EB16D.1010609@anl.gov> <4A1FE0E0.6050501@it.uib.no> <4A203F94.1040609@it.uib.no> <3D5587AF530A4D9988E743A1472EC005@CDCHOME>
Message-ID: <4A21B45E.8050804@it.uib.no>

Christopher D. Clausen wrote:
> Bjørn Tore Sund wrote:
>> I'd like to thank Douglas Engert, Christopher Clausen and Guillaume
>> Rousse for the help with this matter. Netdom.exe was indeed the
>> answer, and as I was pestering our main AD honcho on the matter he
>> started to remember (I still don't...) that I'd pulled up that
>> command to him before - and the RHEL4 server where everything was
>> working had indeed at some vague past point in time been added as a
>> trusted server in AD.
>
> Can you let us know what exact command you actually ran that worked?

Since we don't have a separate dns domain for different OSes, only
different Kerberos realms, we need to map each server separately:

netdom.exe trust UIB.NO /domain:UNIX.UIB.NO /addtln:servername.fqdn

Knowing what to google for helps, this question has appeared again and
again over the years on this mailing list.
http://mailman.mit.edu/pipermail/kerberos/2005-September/008497.html is
detailed and gives a good run-through.

-BT
--
Bjørn Tore Sund       Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department         VIP: 81724         Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.

From zhangweiwu at realss.com Sun May 31 01:51:43 2009
From: zhangweiwu at realss.com (Zhang Weiwu)
Date: Sun, 31 May 2009 13:51:43 +0800
Subject: can I wrap ordinary tcp service to use kerberos (including server and the client)?
Message-ID: <78ek7kF1kl99bU1@mid.individual.net>

Hello. This is indeed a stupid question not obviously searchable from
Google.

I run unison services (a file synchronization protocol) and want to
include it in the existing kerberos realm. I heard I can configure the
service in /etc/inetd.conf and configure host.allow to use a wrapper for
kerberos (I got this information from a 12-year-old post titled "tcp
wrappers and kerberos" on this group). If that is possible, how can I
wrap a kerberos-unaware client to access this service? Is there a guide
or document for this?

Best regards

From zhangweiwu at realss.com Sun May 31 02:08:44 2009
From: zhangweiwu at realss.com (Zhang Weiwu)
Date: Sun, 31 May 2009 14:08:44 +0800
Subject: tcp wrappers and kerberos
In-Reply-To: <858275200.12303@dejanews.com>#1/1
References: <858275200.12303@dejanews.com>#1/1
Message-ID: <78el7fF1m5pl0U1@mid.individual.net>

On Mar 13 1997, 4:00 pm, matsu... at rtt.colorado.edu wrote:
> I have Kerberos5-1.0 installed and working on several machines here. I
> am currently trying to use tcpwrapper with kerberos
> [snip]
> I changed the line in inetd.conf:
> klogin stream tcp nowait root /usr/local/sbin/klogind klogind -k -c
>
> to:
> klogin stream tcp nowait root /usr/etc/tcpd klogind -k -c
>
> And I added the Kerberos daemons to the hosts.allow file. Now I cannot
> use the kerberos rlogin.
>

May I know how you added the kerberos daemons to the hosts.allow file,
or where I can find a guide on how to do so? I want to wrap an existing
no-authentication service (unison) in kerberos.