Fw: Kerberos MIT on Solaris
Will Fiveash
will.fiveash at oracle.com
Mon Aug 23 16:32:28 EDT 2010
On Mon, Aug 23, 2010 at 03:02:08PM -0500, Douglas E. Engert wrote:
>
>
> On 8/23/2010 2:33 PM, Will Fiveash wrote:
> > On Mon, Aug 23, 2010 at 09:35:08AM -0500, Douglas E. Engert wrote:
> >>
> >> On 8/22/2010 12:33 PM, vir vir wrote:
> >>> Hi Will,
> >>>
> >>>
> >>> On Salaris 9 can't find a library libkrb5.so
> >>>
> >>> On Salaris 10 I can't find a library libgssapi_krb5.so that has
> >>> gss_krb5_ccache_name,
> >>
> >> On Solaris 10, use something like:
> >> CPPFLAGS="-I/usr/include/kerberosv5"
> >> LDFLAGS="/usr/lib/gss/mech_krb5.so -R/usr/lib/gss"
> >
> > Note that linking this way is unsupported as there are a bunch of
> > private interfaces (functions) that could be changed without violating
> > the advertised stability level. At this point Solaris offers libgss
> > (Interface Stability == Committed), libsasl (Interface Stability ==
> > Committed) and libkrb5 (Interface Stability == Volatile) as supported
> > APIs to access krb security. Doing anything else is not supported and
> > has a greater risk of breaking with updates and new releases. See the
> > Interface Stability section of the attributes.5 man page for more
> > information on this topic.
>
> Understood. But if the existing application is using Kerberos APIs,
> and can not be converted to use GSS that is one of the risks one takes.
Well, libkrb5 is supported in Solaris 10, however (as noted),
Solaris libgss != MITKC libgssapi_krb5
in regards to interfaces. Really though, the point of libgss is to
insulate a caller from the specifics of security mech used. If the
caller needs to do krb specific things then it should link with libkrb5.
--
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
More information about the krbdev
mailing list