pam-krb5 3.9 released (patch for AIX NAS library)

Russ Allbery rra at stanford.edu
Tue Dec 25 12:37:28 EST 2007


"Markus Moeller" <huaraz at moeller.plus.com> writes:

> Find attached a patch which allows compiling pam-krb5 against IBM's NAS
> libraries (which are based on MIT 1.4.x). Unfortunately IBM doesn't seem to
> export the profile calls, so I included them into options.c. I didn't
> update configure.in yet. I only changed in configure the KRB5EXTRA statement
> -  KRB5EXTRA="-lk5crypto -lcom_err"
> +  KRB5EXTRA="-lk5profile -lksvc"
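
Review bot: The KRB5EXTRA line is changed only in the generated configure, and unconditionally, so the next regeneration from configure.in discards it and, as written, every non-AIX build loses -lk5crypto -lcom_err. Move the change into configure.in and select "-lk5profile -lksvc" only when the NAS libraries are detected, keeping the existing value otherwise.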

Is there some specific function I should look for in ksvc to see whether
or not I need that library?  (What function wasn't found without it?)

> diff -w -B -r -u -N pam-krb5-3.9/api-auth.c pam-krb5-3.9-aix/api-auth.c
> --- pam-krb5-3.9/api-auth.c	2007-12-25 14:37:27.000000000 +0000
> +++ pam-krb5-3.9-aix/api-auth.c	2007-12-05 15:41:50.000000000 +0000
> @@ -27,6 +27,9 @@
>  # include <pam/pam_modules.h>
>  #endif
>  #include <stdio.h>
> +#ifdef _AIX
> +extern int snprintf(char *__restrict__, size_t, const char *__restrict__, ...);
> +#endif
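
Review bot: The hand-written snprintf prototype under #ifdef _AIX has to agree exactly with whatever <stdio.h> declares as soon as the system prototype becomes visible, and __restrict__ is a compiler-specific spelling. Prefer a configure-time check for the declaration (for example AC_CHECK_DECLS([snprintf])) and declare it only when that check fails, rather than keying on _AIX.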

Why was this needed?  Do I maybe need to add the Autoconf logic to define
_ALL_SOURCE instead so that I can get the native AIX prototype?  I was
hoping AIX wouldn't need that by now.

> --- pam-krb5-3.9/options.c	2007-11-13 00:20:39.000000000 +0000
> +++ pam-krb5-3.9-aix/options.c	2007-12-13 13:34:05.000000000 +0000

[...]

> +void KRB5_CALLCONV
> +krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
> +{
> +   opt->flags = 0;
> +}
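
Review bot: krb5_verify_init_creds_opt_init is defined here under the library's own name with external linkage, so it will clash with or shadow the real symbol on any Kerberos library that does export it. Compile it only when a configure check shows the function is missing, and add a comment stating that setting flags to 0 is assumed to match the library's own initializer.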

AIX provides the functions for verifying initial creds and the struct, but
doesn't provide the initialization function?

> +        if (realmstr) {
> +                names[2] = realmstr;
> +                names[3] = option;
> +                names[4] = 0;
> +                retval = profile_get_values(profile, names, &nameval);
> +                if (retval == 0 && nameval && nameval[0]) {
> +                        *ret_value = strdup(nameval[0]);
> +                        goto goodbye;
> +                }
> +        }
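
Review bot: *ret_value = strdup(nameval[0]) is not checked for NULL before goto goodbye, so an allocation failure leaves retval at 0 with *ret_value null. Set an error in retval when strdup fails, and confirm that the goodbye path frees nameval, which the quoted lines do not show.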

Hm, the functions like profile_get_values are internal Kerberos library
functions.  They're exported on AIX?  I'm leery of calling them directly,
since they're supposed to be internal and could therefore disappear again.

Thank you very much for the patch and the detective work.  It sounds like
that implementation of Kerberos is substantially different than MIT's.  I
wonder why it varies so heavily.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


