krb5_init_ets on Mac OS X?

Alexandra Ellwood lxs at MIT.EDU
Fri Jun 14 10:10:01 EDT 2002

>I eventually got it to build, with one exception.  In
>auth-krb5.c there is the section:
>         if (authctxt->krb5_ctx == NULL) {
>                 problem = krb5_init_context(&authctxt->krb5_ctx);
>                 if (problem)
>                         return (problem);
>                 krb5_init_ets(authctxt->krb5_ctx);
>         }
>But at link time I get:
>gcc -o sshd sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o
>auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o
>auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o
>sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
>groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
>gss-serv.o -L. -Lopenbsd-compat/ -L/sw/lib -L/usr/lib  -L/usr/lib
>-lssh -lopenbsd-compat   -lz  -lcrypto  -lkrb5 -lk5crypto -lcom_err
>/usr/bin/ld: Undefined symbols:

Kerberos for Macintosh performs error table initialization when the 
library loads.  As a result, you don't need to call krb5_init_ets 
from your application.  Commenting out this line will produce the 
correct error table behavior.

>Any ideas why this isn't defined on OS X?  If I comment out this line,
>I get an error trying to log in:
>debug1: Kerberos password authentication failed: Unknown credential cache type

This problem is unrelated to krb5_init_ets.  Kerberos for Macintosh 
(and Kerberos for Windows) use an in-memory ticket cache instead of 
the Unix-style file in /tmp.  Perhaps OpenSSH is trying to manipulate 
the ticket cache and doesn't expect the in-memory cache.

At this point I'll defer to one of the other people on this list who 
is more familiar with OpenSSH Kerberos patches.

Hope this helps,

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list