Building Krb5 1.3.6 on Mac OS X

Alexandra Ellwood lxs at MIT.EDU
Sat Jan 22 11:38:30 EST 2005 

>Thanks for the info, I greatly appreciate it.
>
>I'm guessing my choices are:
>
>1) use that configure option, and have my command-line tools not 
>work with the tickets that the GUI apps use (which means I'll have 2 
>different kinit's and kdestroy's, as well, right?  because the stock 
>ones that come with Panther do work with those same tickets)


That's correct, you'd basically have double-signon instead of 
single-signon. ;-)


>2) figure out what all of the things I to do in order to link with 
>KfM instead of static linking; which includes making copies of 
>certain BSD networking functions, and figuring out what configure 
>options go with the KfM libs (are those the default ones?)

Also correct.  You don't actually need to do anything special to 
configure because KfM provides compatibility libraries in /usr/lib 
and headers in /usr/include.  The problem basically boils down to the 
MIT Kerberos Team having defined a public API, the KfM Kerberos 
framework enforcing that API with an export list, and the appl/bsd 
tools using functions not in the public API.


>I'd rather they all use one set of tickets, but I don't know how 
>much time I have to throw at this process.

You might actually have a third option of using Heimdal 0.7 (which 
hasn't been released yet).  I believe Heimdal 0.7 will have support 
to use the in-memory credentials cache on KfM.  So if you can build 
Heimdal 0.7, its BSD tools will share tickets with KfM.  Basically it 
looks like you add "default_cc_name = API:" to the libdefaults in 
/etc/krb5.conf and applications linked against Heimdal will see the 
KfM in-memory credentials cache.

This support is discussed in this email thread:
<http://www.stacken.kth.se/lists/heimdal-discuss/2004-08/msg00073.html>

Note that KfM on Panther supports having the config file either in 
/Library/Preferences/edu.mit.Kerberos or in /etc/krb5.conf.  It looks 
like at least as of the time of the aforementioned discussion, 
Heimdal only looks at /etc/krb5.conf.  You might have to move your 
config into /etc/krb5.conf to get it to work.


Anyway, it might be worth a shot to grab a current snapshot of 
Heimdal and see if it just works.


>On Jan 21, 2005, at 14:52, Alexandra Ellwood wrote:
>
>>
>>To build stock krb5 on Mac OS X, try building with 
>>"LDFLAGS=-Wl,-search_paths_first" as an option to configure.  See 
>><http://mailman.mit.edu/pipermail/krbdev/2003/001714.html> for more 
>>information.
>>
>>Note that if you build the appl/bsd utilities statically linked 
>>against your own stock krb5 libraries, you won't be able to share 
>>tickets with Kerberos for Macintosh (the Kerberos in Mac OS X) 
>>because KfM uses an in-memory ccache to store tickets which the 
>>stock krb5 currently doesn't support.
>>
>>However, you should be able to work around the undefined symbols in 
>>the appl/bsd programs and link with KfM.  krb5_net_read/write and 
>>many of the other symbols are just simple BSD networking functions 
>>which you can copy into the sources of utilities you want to build. 
>>I'm not sure about krb5_random_confounder(), though.  You'd have to 
>>look at it.
>>
>>>John Rudd wrote:
>>>>
>>>>  When I try to build on Mac OS X (10.3.7), everything is fine until
>>>>  lib/rpc/unit-test:
>>>>
>>>>  making all in lib/rpc/unit-test...
>>>>  gcc -L../../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual
>>>>  -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic  -o client
>>>>  client.o rpc_test_clnt.o \
>>>>          -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
>>>>  ld: Undefined symbols:
>>>>  _krb5_gss_dbg_client_expcreds
>>>>  _gss_mech_krb5
>>>>  _gss_mech_krb5_old
>>>>
>>>>
>>>>
>>>>  But all I really want is rlogin, klogind, rsh, rcp, and krshd.  So, if I
>>>  > go to the appl/bsd dir and do a make, I get:
>>>>
>>>>  gcc -L../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual
>>>>  -Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic  -o rsh krsh.o
>>>>  kcmd.o forward.o   -lkrb4 -ldes425 -lkrb5 -lk5crypto -lcom_err
>>>>  ld: Undefined symbols:
>>>>  _krb5_net_read
>>>  > _krb5_random_confounder
>>>>  _krb5_write_message
>>>>  _krb_net_read
>>>>
>>>>
>>>>  Anyone know what's going on and how to fix/avoid it?  I did a configure
>>>>  with "--with-krb4" as its only argument.  It's a pretty vanilla Mac OS X
>>>>  install, with the apple developer tools (which are what I'm building
>>>>  with).  If you need more information, just ask.
>>>>
>>>
>>>
>>>No one has thoughts, comments, suggestions, commiserations?
>>>________________________________________________
>>>Kerberos mailing list           Kerberos at mit.edu
>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>Hope this helps,
>>
>>--
>>--lxs
>>
>>Alexandra Ellwood <lxs at mit.edu>
>>MIT Kerberos Development Team
>><http://mit.edu/lxs/www/>


-- 
--lxs

Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www/>

More information about the Kerberos mailing list