NIS => Kerberos/LDAP Migration

Russ Allbery rra at
Tue May 19 15:03:59 EDT 2009

Marcus Watts <mdw at> writes:

> I'm not sure I understand why
> 	Authen::Krb5::Admin
> is a problem.  I've run it with various incarnations of MIT 1.4.3 /
> 1.6.3 for a while now.  Ok, they weren't stock, but I don't remember doing
> anything special to export the necessary kadm5 functions.  The only messy
> bit is that Authen::Krb5::Admin provides its own header files for the MIT
> functions - that sucks, but that having been said, it basically works.
> Is there something special about debian's MIT kerberos libraries?

That works -- you just can't use it in a PAM module.  PAM modules
generally need to be C.  I suppose you could embed a Perl interpreter in
a PAM module, but that terrifies me.  You could also write a PAM module
that talks to something written in Perl via a local socket or something,
but now you're getting into a fair bit of coding.

> Instead of cloning the headers (like Authen::Krb5::Admin does) it
> should also be quite feasible to just get the debian source package
> for k5, configure or build as necessary, rip the desired headers out,
> modify as necessary, and use them direct.  Admittedly, this is a hack,
> and a bad idea, and all that, but for migration purposes (surely you
> don't plan on doing this long-term?) this ought to suffice.  Here's a
> mail message I posted May 2007 that describes how to do this:

Yeah, you could do this.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list