Comments on the use of plugins

Douglas E. Engert deengert at
Fri Jun 15 10:31:14 EDT 2007

While testing the PKINIT code from the svn, I ran into some issues with plugins.

   o The location of the plugin directory is absolute set from
      LIBDIR /krb5/plugins/preauth/ This can not be overridden
      from krb5.conf, a parameter or the ENV.  I had to reconfigure
      with a --prefix=/krb5m  then add a /krb5m-> /afs/

      For production, there needs to be a way to specify an
      alternate location, maybe from krb5.conf, or at least from
      a KRB5_* env variable.

    o The krb5int_open_plugin_dirs() when loading the plugin,
      managed to find the /usr/sfw/lib/ provided by
      Solaris 10. PKCS7_set0_type_other was needed and is not in 0.9.7.
      I think this is an -rpath or dlopen issue.

      I got around this and used openssl-0.9.8 by adding  a -L/path..
      and -Rpath... to the Makefile for

    o No message was produced indicating that failed to load.
      I had to use gdb to find in util/support/plugins.c:108
      where Tprintf creates a dlopen error message. Even though
      ep points at the error message, krb5init_open_plugin_dirs
      returns 0.

      The krb5_context->err still has the error message
      even after returning to kinit.c, which then tries to do
      password authentication. (I ^C'ed out of the password prompt).
      The message  is still in context->err->scratch_buff, behind a
      msg  for "can't resolve KDC for realm ANL.GOV." Neither of which
      where printed.

      There may be preauth error messages that can be ignored, and
      messages that should be printed. IMHO failure to load should
      be reported to the user. If the failure is always expected, then
      the plugin should not be installed in the plugin directory.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list