krb5.conf and 32 vs 64-bit plugins

Tomas Kuthan tomas.kuthan at
Fri Aug 14 09:48:23 EDT 2015

On 08/14/15 03:02 PM, Roland Mainz wrote:
> On 14 August 2015 at 14:43, Tomas Kuthan <tomas.kuthan at> wrote:
>> Hi team,
>> in Solaris we deliver 32-bit Kerberos libraries under /usr/lib and 64-bit
>> libraries under /usr/lib/64. The same holds for plugins, which reside in
>> /usr/lib/krb5/plugins and /usr/lib/64/krb5/plugins respectively.
>> Specifying a plugin in krb5.conf works fine when relative paths and default
>> plugin_base_dir are used. The plugin_base_dir defaults  to
>> /usr/lib/krb5/plugins on 32-bit and to /usr/lib/64/krb5/plugins on 64-bit
>> and plugins with the correct ISA are used.
>> Things start falling apart, when user would like to either specify full path
>> to the plugin or set a non-default plugin_base_dir in their krb5.conf. In
>> that case only one of the paths can be specified in krb5.conf, meaning
>> plugins would fail dlopen-ing on the other architecture.
> Note that KRB5_CONF and KRB5_KDC_PROFILE can be a (POSIX-shell style)
> $PATH, so in *theory* you could provide ISA-specifc configs that
> way... :-)

Indeed, in theory.

>> We would like to solve that by supporting $ISA place holder in the path,
>> that would translate to '/64/' on 64-bit and to '/' on 32-bit. Hence the
>> following (artificial) example would work fine for both:
>>      module = pkinit:/lib/$ISA/site/preauth/
>> Would MIT be willing to accept a patch implementing something along these
>> lines?
>> If yes, I would prepare a platform-independent fix.
>> FYI, attached is a quick unix-only patch.
> IMHO it would be better to look at the options provided by the POSIX
> standard (e.g. see $ ksh -c 'builtin uname ; uname --help #) for a
> list of keys.
> Otherwise it will be tricky from the scripting (or any POSIX API-based
> application) to figure out the correct values (remember, there isn't
> only 32bit and 64bit, for example on Solaris/SPARC you have more
> architectural choices (see $ isalist # output and the isaexec stuff))
> - unless you want to either hardcode the values for every possible
> combination OR limit the choices to 32bit vs. 64bit (not wise - see
> SPARC example).

I might be misunderstanding you here, but limiting the choices to 32bit 
vs. 64bit is exactly what I want.

In the example above, I'd like

     module = pkinit:/lib/$ISA/site/preauth/

to translate to /lib/site/preauth/ on 32-bit (i386 or sparc) 
and to translate to /lib/64/site/preauth/ on 64-bit (amd64 or 

This would allow users to specify custom plugins from outside of default 
plugin_base_dir in krb5.conf and have it work with both 32-bit and 
64-bit applications.


More information about the krbdev mailing list