Gssapi Questions

Marcus Watts mdw at umich.edu
Thu Aug 25 21:00:48 EDT 2011


> Date:    Thu, 25 Aug 2011 15:34:30 PDT
> To:      "'Marcus Watts'" <mdw at umich.edu>
> cc:      <kerberos at mit.edu>
> From:    "Allen McWongahey" <allenmcw at comcast.net>
> Subject: RE: Gssapi Questions
> 
> Hi Marcus,
> 
> Thanks very much. I have the Kerberos 5 package now compiling properly for
> my cross-target! :)
> 
> There is a bit of an issue when trying to recompile OpenSSH with Kerberos 5
> support enabled. I get the following:
> 
> /opt/timesys/linux/4.0/toolchains/powerpc-linux/bin/powerpc-linux-gcc -o ssh
> ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o
> sshconnect2.o -L. -Lopenbsd-compat/  -R/home/allenm/kerberos_install/lib
> -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
> -L/home/allenm/kerberos_install/sys/lib -lgssapi_krb5 -lkrb5 -lk5crypto
> -lcom_err -lresolv -ldl
> /opt/timesys/linux/4.0/toolchains/powerpc-linux/lib/gcc-lib/powerpc-linux/3.
> 2/../../../../powerpc-linux/bin/ld: warning: libkrb5support.so.0, needed by
> /home/allenm/kerberos_install/sys/lib/libgssapi_krb5.so, not found (try
> using -rpath or -rpath-link)
> /home/allenm/kerberos_install/sys/lib/libkrb5.so: undefined reference to
> `krb5int_close_plugin_dirs@krb5support_0_MIT'
> /home/allenm/kerberos_install/sys/lib/libkrb5.so: undefined reference to
> `krb5int_gai_strerror@krb5support_0_MIT'
> /home/allenm/kerberos_install/sys/lib/libkrb5.so: undefined reference to
> `krb5int_clear_error@krb5support_0_MIT'

Why do you have -R and -L pointing to different paths?

With a recent binutils ld (for elf), there are 3 options that
you can set:
-L dir1
-rpath=dir2
-rpath-link=dir3

dir1 controls the search for .a/.so files at link time.
dir2 controls the search for .so.X files at runtime (also link time).
dir3 controls the search for .so files referenced by .so files at link time.

Your cc -R is probably the same thing as -rpath (you can use cc -v to find out
what your compiler gave to ld).
Another common way to set this is via
	cc -Wl,-rpath,dir2
In the resulting executables, "objdump -p" will show what rpath
is recorded in an executable, shared library, or shared object.
It will also show the "needed" shared libraries, with the name
by which they'll be searched for at runtime.

Usually for cross-compilation (and sometimes for other options, such as
AFS builds, or building packages), libraries won't be in the same
place as at runtime, which is why you get these 3 options.

In this case, you've got libkrb5.so wanting to find libkrb5support.so.

You've got 3 ways to do that,
/a/ modify the openssh link line to include -lkrb5support after -lk5crypto
	Then, the -L rule will apply and it "should" work.
/b/ specify -rpath-link to include a dir3 that points to (probably)
    /home/allenm/kerberos_install/sys/lib
	Then, this extra dir should resolve your problem.
	From gcc, that will probably be
	-Wl,-rpath-link,/home/allenm/kerberos_install/sys/lib
/c/ point -R to the same place as -L.
	Then, the -R rule will apply and it "should" work.

"--disable-pkinit" turns off pkinit, and turns off the need for openssl.
In your case, for openssh, you'd have to modify the link order to
put -lcrypto after all the krb5 references, to make things come out right.

"--disable-rpath" turns off recording RPATH in executables (you can
see the effect with objdump -p as noted above).  If you're only installing
your built libraries in default locations on the target (usually /lib:/usr/lib)
then this is a cheat to allow you to use -rpath in place of -rpath-link.
But you shouldn't need this.  This option doesn't affect link-time processing
at all, just what's recorded in the output to be used at runtime.

Be very very thankful you aren't using libtool.

					-Marcus Watts
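
Added example (not part of the original message): a shell check over the "objdump -p" output mentioned above. It lists the NEEDED libraries and flags any RPATH/RUNPATH directory that is not one of the target's library directories, which is what a -R naming a build-host path leaves behind. The sample output and its sonames are constructed, and the function names and the default allowed list /lib:/usr/lib are assumptions.

```shell
#!/bin/sh
# Added example: audit the dynamic section printed by "objdump -p".
# Reads objdump -p text on stdin. $1 is a colon-separated list of library
# directories that exist on the target (assumed default: /lib:/usr/lib).
# Prints one line per NEEDED entry and per RPATH/RUNPATH directory, and
# returns 1 if any recorded directory is not in the allowed list.
audit_dynamic() {
    awk -v allowed="${1:-/lib:/usr/lib}" '
        BEGIN { n = split(allowed, ok, ":"); bad = 0 }
        $1 == "NEEDED" { print "needed " $2 }
        $1 == "RPATH" || $1 == "RUNPATH" {
            m = split($2, dirs, ":")
            for (i = 1; i <= m; i++) {
                verdict = "outside-target-dirs"
                for (j = 1; j <= n; j++)
                    if (dirs[i] == ok[j]) verdict = "ok"
                if (verdict != "ok") bad = 1
                print tolower($1) " " dirs[i] " " verdict
            }
        }
        END { exit bad }
    '
}

# Constructed sample of "objdump -p ssh" output for a binary linked with
# -R/home/allenm/kerberos_install/lib (sonames are illustrative).
sample_objdump() {
    cat <<'EOF'
Dynamic Section:
  NEEDED               libgssapi_krb5.so.2
  NEEDED               libkrb5.so.3
  NEEDED               libc.so.6
  RPATH                /home/allenm/kerberos_install/lib
EOF
}

# Demo on the constructed sample; on a real build use: objdump -p ssh | audit_dynamic
sample_objdump | audit_dynamic /lib:/usr/lib ||
    echo "recorded rpath is outside the target's library directories"
```

A build-host directory recorded as RPATH is searched on the target at runtime, so a flagged entry means either rebuilding with the rpath corrected or confirming that path cannot exist on the target.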


