Hi Stephan,
First off, my apologies for replying so late, it's not that I don't think this
is important, I just haven't had any clear plan on which direction to go.
Second off, my thanks to Patrick. I was having a hard time in tracking this
down, mainly because everytime I started something came up with higher priority.
So what to do?
Well, I guess the first thing is to check and see if it indeed does fix the
problem. I am compiling right now as I write this.
What I really love is that above where they comment it out, it has the web
page reference to why they did it.
http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001735.html
Evidently, this is a "feature" and not a "bug" because it is
"the behavior people seem to expect"
So, it seems this is the second "feature" that RedHat has put into their
kerberos that has just made me want to scream.
So what to do?
Well ... I'm thinking at least for starters, we have something in the contrib
area that people can install that works. But then we have to see how many
people actually want this feature.
Troy
Stephan Wiesand wrote:
> Hi Troy,
>
> Patrick looked into this, and found that the following patch to krb5
> makes the pam_krb5afs.so module and kinit work (give you an AFS token
> in addition to K4/K5 tickets):
>
> --- src/include/kerberosIV/des.h 1999-09-24 23:16:08.000000000 +0200
> +++ ../krb5-1.2.7.new/src/include/kerberosIV/des.h 2004-09-07 14:39:51.000000000 +0200
> @@ -54,7 +54,8 @@
> #define NEAR
> #endif
>
> -#ifndef __alpha
> +//#ifndef __alpha
> +#if 0
> #define KRB4_32 long
> #else
> #define KRB4_32 int
>
> What actually fails is the clock skew test in pam_krb5afs.so.
>
> At first glance, it seems this was overlooked. But scrutiny of the
> krb5.src.rpm reveals that it's much worse: There's a Patch37 with this
> problem fixed and some similar ones as well, and it was backed out.
> From krb5.spec:
>
> # Reverted, per http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001735.html
> # %patch37 -p1 -b .32
>
> Hence this is broken deliberately. I guess (haven't tried yet) rebuilding
> krb5 with patch37 enabled, and rebuilding anything that includes
> <kerberosIV/des.h> afterwards, will make things work. But at least in
> some respect, this would no longer be a "RHEL compatible" system.
>
> One could probably build pam_krb5afs.so against a different build of krb5,
> use the 32bit versions of afslog/aklog, and keep stuffing holes as they
> show up, but I don't like that idea too much either.
>
> Any ideas?
>
> Cheers,
> Stephan
>
>
> On Tue, 17 Aug 2004, Troy Dawson wrote:
>
>
>>*Troy sits with a puzzled look on his face*
>>I really could have sworn that this had worked for me. Really, I tested it.
>>But now it isn't. I can only think that maybe I already had some AFS tokens
>>and I was just regrabbing them.
>>
>>I hearby pull out my "works for me".
>>
>>I so far have found at least one problem. After getting a kerberos ticket, if
>> I do just a
>> /usr/bin/aklog
>>I get a
>> Segmentation fault
>>So clearly the /usr/bin/aklog isn't working as it should.
>>I'm investigating.
>>Troy
>
>
> --
>
> ----------------------------------------------------
> | Stephan Wiesand | |
> | | |
> | DESY - DV - | phone +49 33762 7 7370 |
> | Platanenallee 6 | fax +49 33762 7 7216 |
> | 15738 Zeuthen | |
> | Germany | |
> ----------------------------------------------------
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/CSS CSI Group
__________________________________________________
|