[28929] in Kerberos
Re: pam-krb5 3.9 released (patch for AIX NAS library)
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Dec 25 12:38:21 2007
To: kerberos@mit.edu
In-Reply-To: <fkr59n$rsh$1@ger.gmane.org> (Markus Moeller's message of "Tue\,
25 Dec 2007 14\:49\:10 -0000")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 25 Dec 2007 09:37:28 -0800
Message-ID: <87wsr24qw7.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Markus Moeller" <huaraz@moeller.plus.com> writes:
> find attached a patch which allows to compile pam-krb5 against IBM's NAS
> libraries (which are based on MIT 1.4.x) . Unfortunatly IBM doesn't seem to
> export the profile calls, so I included them into options.c. I didn't
> update configure.in yet. I only changed in configure the KRB5EXTRA statement
> - KRB5EXTRA="-lk5crypto -lcom_err"
> + KRB5EXTRA="-lk5profile -lksvc"
Is there some specific function I should look for in ksvc to see whether
or not I need that library? (What function wasn't found without it?)
> diff -w -B -r -u -N pam-krb5-3.9/api-auth.c pam-krb5-3.9-aix/api-auth.c
> --- pam-krb5-3.9/api-auth.c 2007-12-25 14:37:27.000000000 +0000
> +++ pam-krb5-3.9-aix/api-auth.c 2007-12-05 15:41:50.000000000 +0000
> @@ -27,6 +27,9 @@
> # include <pam/pam_modules.h>
> #endif
> #include <stdio.h>
> +#ifdef _AIX
> +extern int snprintf(char *__restrict__, size_t, const char *__restrict__, ...);
> +#endif
Why was this needed? Do I maybe need to add the Autoconf logic to define
_ALL_SOURCE instead so that I can get the native AIX prototype? I was
hoping AIX wouldn't need that by now.
> --- pam-krb5-3.9/options.c 2007-11-13 00:20:39.000000000 +0000
> +++ pam-krb5-3.9-aix/options.c 2007-12-13 13:34:05.000000000 +0000
[...]
> +void KRB5_CALLCONV
> +krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
> +{
> + opt->flags = 0;
> +}
AIX provides the functions for verifying initial creds and the struct, but
doesn't provide the initialization function?
> + if (realmstr) {
> + names[2] = realmstr;
> + names[3] = option;
> + names[4] = 0;
> + retval = profile_get_values(profile, names, &nameval);
> + if (retval == 0 && nameval && nameval[0]) {
> + *ret_value = strdup(nameval[0]);
> + goto goodbye;
> + }
> + }
Hm, the functions like profile_get_values are internal Kerberos library
functions. They're exported on AIX? I'm leery of calling them directly,
since they're supposed to be internal and could therefore disappear again.
Thank you very much for the patch and the detective work. It sounds like
that implementation of Kerberos is substantially different than MIT's. I
wonder why it varies so heavily.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
