pam_krb5-3.5 on AIX / gcc: '-b' must come at the start of the command line

Russ Allbery rra at stanford.edu
Tue Jun 19 01:23:22 EDT 2007 

dosman <dosman at packetsniffers.org> writes:

> This is resolved, the Makefile requires some tailoring.
>> Markus Moeller wrote: That is a compiler option and with gcc wou 
> would need -Wl,-b.....

> So, changing this line in the Makefile resulted in a successful compile:

> LIBS            = -lpam -L/usr/local/apps/kerberos/krb5-1.6.1/lib 
> -blibpath:/usr/local/apps/kerberos/krb5-1.6.1/lib::/usr/lib:/lib -brtl
> -lkrb5 -lk5crypto -lcom_err -lpthreads
> --to this:--
> LIBS            = -lpam -L/usr/local/apps/kerberos/krb5-1.6.1/lib 
> -Wl,-blibpath:/usr/local/apps/kerberos/krb5-1.6.1/lib::/usr/lib:/lib 
> -Wl,-brtl
> -lkrb5 -lk5crypto -lcom_err -lpthreads

The flags come from krb5-config and apparently the krb5-config that you
have expects you to be using a different compiler than gcc.  In general,
everything works much better if you build Kerberos software with the same
compiler used to build Kerberos.  In this case, though, I expect that
means the AIX proprietary compiler.

Unfortunately, I'm not sure there's a good way to fix this in pam-krb5's
configure system.

> Moving on, the option "--enable-reduced-depends" causes the configure to
> not see my krb5 libraries. I was just trying to prevent having to
> maintain my own branch of kerberos libraries my boxen. This line from
> the README seems like the problem may just be with AIX with no
> workaround: "This will only work with shared Kerberos libraries and will
> only work on platforms where shared libraries properly encode their own
> dependencies (such as Linux)."

You generally don't want to use --enable-reduced-depends unless you're
maintaining packages for a Linux distribution or otherwise have reasons to
want to minimize the dependencies of the resulting binaries.  It's
essentially a workaround for the fact that krb5-config, on ELF systems,
returns a large number of unnecessary dependencies which create
unnecessary library dependencies that make library transitions in a
distribution harder.

Using it requires a dynamic linker that handles transitive closure on
library dependencies, and at least back when I last used AIX, AIX's
dynamic linker didn't do that.  That was some time ago, though.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list