pam_krb5-3.5 on AIX / gcc: '-b' must come at the start of the command line

dosman dosman at packetsniffers.org
Tue Jun 19 09:43:35 EDT 2007


Russ Allbery wrote:

>dosman <dosman at packetsniffers.org> writes:
>
>>This is resolved, the Makefile requires some tailoring.
>>
>>>Markus Moeller wrote: That is a compiler option and with gcc wou
>>would need -Wl,-b.....
>>
>>So, changing this line in the Makefile resulted in a successful compile:
>>
>>LIBS            = -lpam -L/usr/local/apps/kerberos/krb5-1.6.1/lib \
>>    -blibpath:/usr/local/apps/kerberos/krb5-1.6.1/lib::/usr/lib:/lib -brtl \
>>    -lkrb5 -lk5crypto -lcom_err -lpthreads
>>--to this:--
>>LIBS            = -lpam -L/usr/local/apps/kerberos/krb5-1.6.1/lib \
>>    -Wl,-blibpath:/usr/local/apps/kerberos/krb5-1.6.1/lib::/usr/lib:/lib \
>>    -Wl,-brtl \
>>    -lkrb5 -lk5crypto -lcom_err -lpthreads
>
>The flags come from krb5-config and apparently the krb5-config that you
>have expects you to be using a different compiler than gcc.  In general,
>everything works much better if you build Kerberos software with the same
>compiler used to build Kerberos.  In this case, though, I expect that
>means the AIX proprietary compiler.
>
>Unfortunately, I'm not sure there's a good way to fix this in pam-krb5's
>configure system.
>
Yes, I built kerberos with IBM C and used gcc for the pam_krb5 module. 
I'm unclear on how the pam-krb5 package picks up my compile options for 
kerberos though. I tried to build pam-krb5 with the IBM C but between 
that failing and the dire warning in the notes that pam-krb5 would only 
build on gcc I opted to struggle through the build using gcc. I suppose 
my other option would be to build kerberos using gcc, but getting it to 
build on AIX period was painful enough to warrant leaving a sleeping dog 
lying.

>>Moving on, the option "--enable-reduced-depends" causes the configure to
>>not see my krb5 libraries. I was just trying to prevent having to
>>maintain my own branch of kerberos libraries on my boxen. This line from
>>the README seems like the problem may just be with AIX with no
>>workaround: "This will only work with shared Kerberos libraries and will
>>only work on platforms where shared libraries properly encode their own
>>dependencies (such as Linux)."
>
>You generally don't want to use --enable-reduced-depends unless you're
>maintaining packages for a Linux distribution or otherwise have reasons to
>want to minimize the dependencies of the resulting binaries.  It's
>essentially a workaround for the fact that krb5-config, on ELF systems,
>returns a large number of unnecessary dependencies which create
>unnecessary library dependencies that make library transitions in a
>distribution harder.
>
>Using it requires a dynamic linker that handles transitive closure on
>library dependencies, and at least back when I last used AIX, AIX's
>dynamic linker didn't do that.  That was some time ago, though.

My goal was to relieve myself of maintaining 2+ versions of kerberos on 
my AIX boxes, it would be beneficial to have statically linked libraries 
in my case. It's interesting that when building pam-krb5 with this older 
kerberos on my systems (purpose for being there unknown, installed 
before my time) that ldd shows pam_krb5.so has no kerberos dependencies 
and the binary is about 700Kb larger. When building with kerberos 1.6 we 
now have dependencies and a 700Kb reduction in size.

-r-xr-xr-x   1 root     security     277039 Jun 18 15:47 pam_krb5.so      <-- kerberos 1.6
-r-xr-xr-x   1 root     security     918180 Jun 18 09:22 pam_krb5.so.old  <-- kerberos ~2003, version unknown

# ldd pam_krb5.so.old
pam_krb5.so.old needs:
         /usr/lib/libc.a(shr.o)
         /usr/lib/libpam.a(shr.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)

# ldd pam_krb5.so   
pam_krb5.so needs:
         /usr/lib/libpam.a(shr.o)
         /usr/local/krb5-1.6.1/lib/libkrb5.so
         /usr/local/krb5-1.6.1/lib/libk5crypto.so
         /usr/local/krb5-1.6.1/lib/libcom_err.so
         /usr/lib/libc.a(shr.o)
         /usr/lib/librtl.a(shr.o)
         /usr/local/krb5-1.6.1/lib/libkrb5support.so
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthreads.a(shr_comm.o)


It appears that it's possible to statically link in the dependencies, if 
only I knew how to induce it. The only difference between the builds for 
both modules was the Makefile edit to allow gcc to handle the parms 
correctly when using kerberos 1.6 to build against. I did not use 
"--enable-reduced-depends" for either build.

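Added example (not part of the original post and not pam-krb5's own code): the Makefile edit described in this thread, done as a shell filter so that linker flags reported by a krb5-config from an IBM C build can be handed to gcc. The names wrap_aix_ldflags and SAMPLE_LIBS are hypothetical, and the filter assumes every token starting with -b is an AIX linker option, which generalizes the two flags fixed by hand above.

```sh
#!/bin/sh
# Wrap AIX linker options so the gcc driver forwards them to ld.
# The IBM compiler accepts -blibpath:... and -brtl directly; gcc does not,
# so each such token has to be passed as -Wl,<option>.

# Sample input: the LIBS value quoted in the post above, before the edit.
SAMPLE_LIBS='-lpam -L/usr/local/apps/kerberos/krb5-1.6.1/lib -blibpath:/usr/local/apps/kerberos/krb5-1.6.1/lib::/usr/lib:/lib -brtl -lkrb5 -lk5crypto -lcom_err -lpthreads'

# wrap_aix_ldflags "<flags>"
# Prints the flag string with every -b* token prefixed by -Wl,.
# Tokens already wrapped are left alone, so running it twice is harmless.
wrap_aix_ldflags() {
    (
        set -f                      # split on whitespace only, no globbing
        out=""
        for flag in $1; do
            case "$flag" in
                -Wl,*) ;;                   # already a linker pass-through
                -b*)   flag="-Wl,$flag" ;;  # assumed AIX ld option
            esac
            out="${out:+$out }$flag"
        done
        printf '%s\n' "$out"
    )
}

# Typical use when building with gcc against a Kerberos built with IBM C:
#   LIBS=$(wrap_aix_ldflags "$(krb5-config --libs)")
```

Because the -blibpath value becomes the module's runtime library search path, it is worth confirming with ldd, as in the listings above, that the built pam_krb5.so resolves its Kerberos libraries from the intended directory.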