Kerberos Digest, Vol 29, Issue 9

Lamar.Saxon@americredit.com Lamar.Saxon at americredit.com
Tue May 10 16:08:37 EDT 2005


Made changes and added the CFLAGS for the configure process:

CFLAGS='-D_LARGE_FILES -DLANL -DLANL_ICN'; export CFLAGS

and the compile was successful.  Looks like everything is working !
kinit now ask for my password and I have not found any issues with the
other applications.

Thanks to all for the help !  Really appreciate the time and effort you
put in to helping me.

Lamar

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of kerberos-request at mit.edu
Sent: Saturday, May 07, 2005 11:02 AM
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 29, Issue 9

Send Kerberos mailing list submissions to
	kerberos at mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
	https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
	kerberos-request at mit.edu

You can reach the person managing the list at
	kerberos-owner at mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

   1. RE: Kerberos Digest, Vol 29, Issue 7
   2. RE: Kerberos Digest, Vol 29, Issue 7
   3. Re: Denial of service when using Active Directory for KDC ?
       (Markus Moeller)
   4. Need LDAP help from you (umer khan)
   5. Samba / AD / MIT-KDC (Mark Hendricks)


----------------------------------------------------------------------

Date: Fri, 6 May 2005 11:03:59 -0500
From: <Lamar.Saxon at americredit.com>
To: <kerberos at mit.edu>
Subject: RE: Kerberos Digest, Vol 29, Issue 7
Message-ID:
<5C066E580F0244458087CC59AC4F74E31ED04A at srvexcharl02.acf.americredit.com
>
Content-Type: text/plain;
	charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Message: 1


Made the changes and compiling now on AIX 5.2.  Will let you know the
results shortly.

Thanks for all the help.  Really appreciate it.

Lamar

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of kerberos-request at mit.edu
Sent: Friday, May 06, 2005 5:19 AM
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 29, Issue 7

Send Kerberos mailing list submissions to
	kerberos at mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
	https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
	kerberos-request at mit.edu

You can reach the person managing the list at
	kerberos-owner at mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

   3. AIX 5.2 and Kerberos 1.4.1 Patches (Milton Turley)

Date: Thu, 05 May 2005 15:08:15 -0600
From: Milton Turley <mturley at lanl.gov>
To: kerberos at mit.edu
Subject: AIX 5.2 and Kerberos 1.4.1 Patches
Message-ID: <6.0.1.1.2.20050505144936.02db1c50 at cic-mail.lanl.gov>
Content-Type: text/plain; charset="us-ascii"; format=flowed
MIME-Version: 1.0
Precedence: list
Message: 3

Following are 2 patches for kerberos 1.4.1 to build on AIX 5.2.  The
patches are for the problem of not being able to resolve the address for

the kdc.
The #ifndef LANL and #ifdef LANL are locale compiler directives and will

need to be changed or specifiy -D LANL in configure process.

The patch for dsnglue.c is if "thread-support" is enabled.  The patch
adds
a 1024 byte buffer after the  _res_state structure.  IBM AIX has a
problem
where 735+- bytes are overlaid when res_ninit is called.  The 1024 bytes

pads the storage to stop res_ninit from overlaying critical storage.
Ken
Raeburn had tried a similar patch with 72 bytes.

>*** ./src/lib/krb5/os/dnsglue.c.orig    Fri Jan 14 17:10:53 2005
>--- ./src/lib/krb5/os/dnsglue.c Thu May  5 11:39:52 2005
>***************
>*** 62,68 ****
>--- 62,76 ----
>                 char *host, int nclass, int ntype)
>   {
>   #if HAVE_RES_NSEARCH
>+ #ifndef LANL
>       struct __res_state statbuf;
>+ #else   /* LANL */
>+ #ifndef _AIX
>+     struct __res_state statbuf;
>+ #else   /* _AIX */
>+     struct { struct __res_state s; char pad[1024]; } statbuf;
>+ #endif  /* AIX */
>+ #endif  /* LANL */
>   #endif
>       struct krb5int_dns_state *ds;
>       int len, ret;
The patch for locate_kdc.c is when "disable-thread-support" is set for
configure.  Again the #ifndef LANL and #ifdef LANL is a local compiler
directive.  This will need to be changed for local setting or -D LANL
set
for configure process.



>*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May  5 08:06:45 2005
>--- ./src/lib/krb5/os/locate_kdc.c      Thu May  5 11:34:27 2005
>***************
>*** 267,275 ****
>--- 267,283 ----
>       memset(&hint, 0, sizeof(hint));
>       hint.ai_family = family;
>       hint.ai_socktype = socktype;
>+ #ifndef LANL
>   #ifdef AI_NUMERICSERV
>       hint.ai_flags = AI_NUMERICSERV;
>   #endif
>+ #else   /* LANL */
>+ #ifndef _AIX
>+ #ifdef AI_NUMERICSERV
>+     hint.ai_flags = AI_NUMERICSERV;
>+ #endif
>+ #endif  /* _AIX */
>+ #endif  /* LANL */
>       sprintf(portbuf, "%d", ntohs(port));
>       sprintf(secportbuf, "%d", ntohs(secport));
>       err = getaddrinfo (hostname, portbuf, &hint, &addrs);
------------------------------

Date: Fri, 6 May 2005 11:36:59 -0500
From: <Lamar.Saxon at americredit.com>
To: <kerberos at mit.edu>
Subject: RE: Kerberos Digest, Vol 29, Issue 7
Message-ID:
<5C066E580F0244458087CC59AC4F74E35EAF6A at srvexcharl02.acf.americredit.com
>
Content-Type: text/plain;
	charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Message: 2


Made the patch changes; but the problem still exists.

I went back and reinstalled the 1.3.6 with my krb5.conf file and it
still works flawlessly.

1.4.1 still returns:

"Cannot resolve network address for KDC in requested realm while getting
initial credentials"

Thanks again and if there is anything I can do or try, please let me
know.

Lamar


-----Original Message-----
From: Saxon, Lamar
Sent: Friday, May 06, 2005 11:04 AM
To: 'kerberos at mit.edu'
Subject: RE: Kerberos Digest, Vol 29, Issue 7

Made the changes and compiling now on AIX 5.2.  Will let you know the
results shortly.

Thanks for all the help.  Really appreciate it.

Lamar

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of kerberos-request at mit.edu
Sent: Friday, May 06, 2005 5:19 AM
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 29, Issue 7

Send Kerberos mailing list submissions to
	kerberos at mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
	https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
	kerberos-request at mit.edu

You can reach the person managing the list at
	kerberos-owner at mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

   3. AIX 5.2 and Kerberos 1.4.1 Patches (Milton Turley)

Date: Thu, 05 May 2005 15:08:15 -0600
From: Milton Turley <mturley at lanl.gov>
To: kerberos at mit.edu
Subject: AIX 5.2 and Kerberos 1.4.1 Patches
Message-ID: <6.0.1.1.2.20050505144936.02db1c50 at cic-mail.lanl.gov>
Content-Type: text/plain; charset="us-ascii"; format=flowed
MIME-Version: 1.0
Precedence: list
Message: 3

Following are 2 patches for kerberos 1.4.1 to build on AIX 5.2.  The
patches are for the problem of not being able to resolve the address for

the kdc.
The #ifndef LANL and #ifdef LANL are locale compiler directives and will

need to be changed or specifiy -D LANL in configure process.

The patch for dsnglue.c is if "thread-support" is enabled.  The patch
adds
a 1024 byte buffer after the  _res_state structure.  IBM AIX has a
problem
where 735+- bytes are overlaid when res_ninit is called.  The 1024 bytes

pads the storage to stop res_ninit from overlaying critical storage.
Ken
Raeburn had tried a similar patch with 72 bytes.

>*** ./src/lib/krb5/os/dnsglue.c.orig    Fri Jan 14 17:10:53 2005
>--- ./src/lib/krb5/os/dnsglue.c Thu May  5 11:39:52 2005
>***************
>*** 62,68 ****
>--- 62,76 ----
>                 char *host, int nclass, int ntype)
>   {
>   #if HAVE_RES_NSEARCH
>+ #ifndef LANL
>       struct __res_state statbuf;
>+ #else   /* LANL */
>+ #ifndef _AIX
>+     struct __res_state statbuf;
>+ #else   /* _AIX */
>+     struct { struct __res_state s; char pad[1024]; } statbuf;
>+ #endif  /* AIX */
>+ #endif  /* LANL */
>   #endif
>       struct krb5int_dns_state *ds;
>       int len, ret;
The patch for locate_kdc.c is when "disable-thread-support" is set for
configure.  Again the #ifndef LANL and #ifdef LANL is a local compiler
directive.  This will need to be changed for local setting or -D LANL
set
for configure process.



>*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May  5 08:06:45 2005
>--- ./src/lib/krb5/os/locate_kdc.c      Thu May  5 11:34:27 2005
>***************
>*** 267,275 ****
>--- 267,283 ----
>       memset(&hint, 0, sizeof(hint));
>       hint.ai_family = family;
>       hint.ai_socktype = socktype;
>+ #ifndef LANL
>   #ifdef AI_NUMERICSERV
>       hint.ai_flags = AI_NUMERICSERV;
>   #endif
>+ #else   /* LANL */
>+ #ifndef _AIX
>+ #ifdef AI_NUMERICSERV
>+     hint.ai_flags = AI_NUMERICSERV;
>+ #endif
>+ #endif  /* _AIX */
>+ #endif  /* LANL */
>       sprintf(portbuf, "%d", ntohs(port));
>       sprintf(secportbuf, "%d", ntohs(secport));
>       err = getaddrinfo (hostname, portbuf, &hint, &addrs);

MarkFrom raeburn at MIT.EDU Fri May  6 17:12:54 2005
Received: from biscayne-one-station.mit.edu
(BISCAYNE-ONE-STATION.MIT.EDU
	[18.7.7.80])
	by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j46LCseY028522
	for <kerberos at PCH.mit.edu>; Fri, 6 May 2005 17:12:54 -0400
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103])
	j46LCqSr022111;	Fri, 6 May 2005 17:12:52 -0400 (EDT)
Received: from [18.18.1.76] (KEN-WIRELESS.MIT.EDU [18.18.1.76])
	(authenticated bits=0)
        (User authenticated as raeburn at ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.12.4/8.12.4) with ESMTP id j46LCOwT000698
	(version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT);
	Fri, 6 May 2005 17:12:46 -0400 (EDT)
In-Reply-To: <6.0.1.1.2.20050505144936.02db1c50 at cic-mail.lanl.gov>
References: <6.0.1.1.2.20050505144936.02db1c50 at cic-mail.lanl.gov>
Mime-Version: 1.0 (Apple Message framework v622)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <29ff2e02d855061ab52cd848fa1983ac at mit.edu>
Content-Transfer-Encoding: 7bit
From: Ken Raeburn <raeburn at MIT.EDU>
Date: Fri, 6 May 2005 17:12:23 -0400
To: Milton Turley <mturley at lanl.gov>
X-Mailer: Apple Mail (2.622)
X-Spam-Score: -4.9
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
cc: kerberos at mit.edu
Subject: Re: AIX 5.2 and Kerberos 1.4.1 Patches
X-BeenThere: kerberos at mit.edu
X-Mailman-Version: 2.1
Precedence: list
List-Id: The Kerberos Authentication System Mailing List
<kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request at mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
List-Post: <mailto:kerberos at mit.edu>
List-Help: <mailto:kerberos-request at mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
	<mailto:kerberos-request at mit.edu?subject=subscribe>

On May 5, 2005, at 17:08, Milton Turley wrote:
> Following are 2 patches for kerberos 1.4.1 to build on AIX 5.2.  The
> patches are for the problem of not being able to resolve the address
> for the kdc.

Except, apparently, not for Lamar Saxon...

> The patch for dsnglue.c is if "thread-support" is enabled.  The patch
> adds a 1024 byte buffer after the  _res_state structure.  IBM AIX has
> a problem where 735+- bytes are overlaid when res_ninit is called. 
> The 1024 bytes pads the storage to stop res_ninit from overlaying
> critical storage.  Ken Raeburn had tried a similar patch with 72
> bytes.

Actually, I suggested the patch, but can't try it out, Lamar did that.

It would be nice if someone at IBM could check into this for us and let
us know why the __res_state struct we allocate isn't enough, when the
docs we've found all seem to suggest that it should be.

Um, how does this relate to thread support?

> The patch for locate_kdc.c is when "disable-thread-support" is set for

> configure.  Again the #ifndef LANL and #ifdef LANL is a local compiler

> directive.  This will need to be changed for local setting or -D LANL
> set for configure process.

>> + #ifndef _AIX
>> + #ifdef AI_NUMERICSERV
>> +     hint.ai_flags = AI_NUMERICSERV;
>> + #endif
>> + #endif  /* _AIX */

So, are you saying that AI_NUMERICSERV doesn't work for numeric service
strings on AIX 5.2?  (And does this relate to thread support?)

Ken


Privileged and Confidential.  This e-mail, and any attachments there to, is intended only for use by the addressee(s) named herein and may contain privileged or confidential information.  If you have received this e-mail in error, please notify me immediately by a return e-mail and delete this e-mail.  You are hereby notified that any dissemination, distribution or copying of this e-mail and/or any attachments thereto, is strictly prohibited.



More information about the Kerberos mailing list