Linking problem with Kerberos for Windows & mod_auth_kerb.

Jeffrey Altman jaltman at secure-endpoints.com
Tue Dec 7 11:57:56 EST 2010


On 12/7/2010 11:44 AM, Frédéric Dubois wrote:
> Jeffrey,
> 
> Thank you very much for the answer.
> 
> That was my conclusion but since the apache module with the same sources
> compiles perfectly on Linux I thought it was something else (like wrong
> compilation or linking options).
> 
> So now I'm gonna focus on convincing my manager that Linux is a better
> option than Windows ;o)
> 
> Thanks,
> 
> Fred

The better question is why does mod_auth_kerb require use of
private interfaces.  This is an important question to answer
because if and when the private replay cache interface is
modified as part of an upgrade, mod_auth_kerb on Linux is going to break.

There is no reason that I am aware of for an application to be calling
those functions directly.  In fact, reading the source to mod_auth_kerb
5.4 it looks like the author has gone far out of his way to disable the
use of replay caches by substituting his own implementation for MIT's.
The code references MIT 1.3.3.  That was a long time ago.  I'm not even
sure that the hack that is in place would work in a world with dynamic
libraries on Linux.

The hack is only active when the Kerberos implementation is MIT.
Another option is to build with Heimdal.

Jeffrey Altman


