Using Solaris 10 built in Kerberos support with Kerberos application

Douglas E. Engert deengert at anl.gov
Tue Aug 23 15:20:21 EDT 2005


In an attempt to use vendor provided Kerberos support where possible, we have
been able to use the Solaris 10 Kerberos and the Solaris provided kinit, pam_krb5
and ssh or any application that uses Kerberos via GSSAPI.

But we have a number of other Kerberos applications, including qpop for Kerberized
pop service, aklog with OpenAFS and kerberized CVS.

The problem is that Solaris only exposes Kerberos via GSSAPI, and does not
provide the krb5.h files or the normal Kerberos libraries.

*What I would like to ask SUN is to include the krb5.h and its friends with the
Solaris 10 base system.*

To get around this,
http:/www.opesolaris.org/source/xref/usr/src/uts/common/gsspai/mechs/krb5/include
has a krb5.h that appears to match the /usr/lib/gss/mech_krb5.so that comes
with Solaris 10.  (I actually downloaded the tarfile to get the header files.)

I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run
using this krb5.h with some modification, and the MIT-1.4.1 profile.h and com_err.h.

Some problems along the way:

   o mech_krb5.so has most of the Kerberos routines and can be used as a shared
     library, but is clumsy to link as its not a "libxxx"

   o The opensolaris krb5.h is not guaranteed to match the mech_krb5.so

   o The krb5.h refers to profile.h  which is not supplied.

   o Many of the Kerberos applications also use com_err.h which is not supplied.

   o There is no com_err add_error_table.

   o Solaris does not have krb524. So aklog can not use this feature.

But so far it still looks promising to use the Solaris 10 Kerberos and we
are expecting that Sun will continue to improve the usability of their
Kerberos support.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


More information about the Kerberos mailing list