LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

September 2004

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS September 2004

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: krb5/afs on SL 3.0.2 (x86_64) ?
From:	Stephan Wiesand <[log in to unmask]>
Reply To:	Stephan Wiesand <[log in to unmask]>
Date:	Wed, 8 Sep 2004 10:23:46 +0200
Content-Type:	TEXT/PLAIN
Parts/Attachments:	TEXT/PLAIN (73 lines)

Hi Troy,

Patrick looked into this, and found that the following patch to krb5
makes the pam_krb5afs.so module and kinit work (give you an AFS token
in addition to K4/K5 tickets):

--- src/include/kerberosIV/des.h        1999-09-24 23:16:08.000000000 +0200
+++ ../krb5-1.2.7.new/src/include/kerberosIV/des.h      2004-09-07 14:39:51.000000000 +0200
@@ -54,7 +54,8 @@
 #define NEAR
 #endif

-#ifndef __alpha
+//#ifndef __alpha
+#if 0
 #define KRB4_32        long
 #else
 #define KRB4_32        int

What actually fails is the clock skew test in pam_krb5afs.so.

At first glance, it seems this was overlooked. But scrutiny of the
krb5.src.rpm reveals that it's much worse: There's a Patch37 with this
problem fixed and some similar ones as well, and it was backed out.
From krb5.spec:

# Reverted, per http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001735.html
# %patch37 -p1 -b .32

Hence this is broken deliberately. I guess (haven't tried yet) rebuilding
krb5 with patch37 enabled, and rebuilding anything that includes
<kerberosIV/des.h> afterwards, will make things work. But at least in
some respect, this would no longer be a "RHEL compatible" system.

One could probably build pam_krb5afs.so against a different build of krb5,
use the 32bit versions of afslog/aklog, and keep stuffing holes as they
show up, but I don't like that idea too much either.

Any ideas?

Cheers,
        Stephan

On Tue, 17 Aug 2004, Troy Dawson wrote:

> *Troy sits with a puzzled look on his face*
> I really could have sworn that this had worked for me.  Really, I tested it.
> But now it isn't.  I can only think that maybe I already had some AFS tokens
> and I was just regrabbing them.
>
> I hearby pull out my "works for me".
>
> I so far have found at least one problem.  After getting a kerberos ticket, if
>   I do just a
>   /usr/bin/aklog
> I get a
>   Segmentation fault
> So clearly  the /usr/bin/aklog isn't working as it should.
> I'm investigating.
> Troy

--

 ----------------------------------------------------
| Stephan Wiesand  |                                |
|                  |                                |
| DESY     - DV -  | phone  +49 33762 7 7370        |
| Platanenallee 6  | fax    +49 33762 7 7216        |
| 15738 Zeuthen    |                                |
| Germany          |                                |
 ----------------------------------------------------

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV