# emerge -uN world Calculating world dependencies... done! >>> Emerging (1 of 4) x11-misc/xscreensaver-4.24 to / >>> checking ebuild checksums >>> checking auxfile checksums >>> checking miscfile checksums >>> checking distfiles checksums * * You have enabled kerberos without krb4 support. Kerberos will be * disabled unless kerberos 4 support has been compiled with your * kerberos libraries. To do that, you should abort now and do: * * USE="krb4" emerge mit-krb5 * >>> Unpacking source... I did not believe one would have to have mit-krb5 installed as I used to use xscreen-saver on OSF1 years ago with kth-krb4 support. I went to test whether kth-krb is detected in it standard location (/usr/athena, I hope krb.h will also be detected in the FHS locations forced by Gentoo): ./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-hackdir=/usr/lib/misc/xscreensaver --with-configdir=/usr/share/xscreensaver/config --x-libraries=/usr/lib --x-includes=/usr/include --with-mit-ext --with-dpms-ext --with-xf86vmode-ext --with-xf86gamma-ext --with-proc-interrupts --with-xpm --with-xshm-ext --with-xdbe-ext --enable-locking --with-gtk --with-xml --without-setuid-hacks --without-login-manager --without-xinerama-ext --with-pam --with-gl --with-gle --with-jpeg --enable-nls --with-kerberos=/usr/athena --build=i686-pc-linux-gnu [..] checking for Kerberos headers... /usr/athena/include checking for Kerberos libs... /usr/athena/lib checking for Kerberos 4... yes checking for Kerberos 5... no [...] # i686-pc-linux-gnu-gcc -pedantic -Wall -Wstrict-prototypes -Wnested-externs -std=c89 -U__STRICT_ANSI__ -L/usr/lib -o xscreensaver xscreensaver.o windows.o timers.o subprocs.o exec.o xset.o splash.o setuid.o stderr.o prefs.o dpms.o lock.o passwd.o passwd-kerberos.o passwd-pam.o passwd-pwent.o ../utils/fade.o ../utils/overlay.o ../utils/logo.o ../utils/yarandom.o ../utils/resources.o ../utils/usleep.o ../utils/visual.o -L/usr/athena/lib -L/usr/lib -lXmu -lXxf86vm -lXrandr -lXrender -lXxf86misc -lSM -lICE -lXt -lX11 -lXext -lpam -ldl -lkrb -ldes -lcom_err -lresolv -lcrypt /usr/lib/gcc/i686-pc-linux-gnu/3.4.6/../../../../i686-pc-linux-gnu/bin/ld: cannot find -ldes collect2: ld returned 1 exit status make[1]: *** [xscreensaver] Error 1 make[1]: Leaving directory `/var/tmp/portage/xscreensaver-4.24/work/xscreensaver-4.24/driver' fixed by: # i686-pc-linux-gnu-gcc -pedantic -Wall -Wstrict-prototypes -Wnested-externs -std=c89 -U__STRICT_ANSI__ -L/usr/lib -o xscreensaver xscreensaver.o windows.o timers.o subprocs.o exec.o xset.o splash.o setuid.o stderr.o prefs.o dpms.o lock.o passwd.o passwd-kerberos.o passwd-pam.o passwd-pwent.o ../utils/fade.o ../utils/overlay.o ../utils/logo.o ../utils/yarandom.o ../utils/resources.o ../utils/usleep.o ../utils/visual.o -L/usr/athena/lib -L/usr/lib -lXmu -lXxf86vm -lXrandr -lXrender -lXxf86misc -lSM -lICE -lXt -lX11 -lXext -lpam -ldl -lkrb -lresolv -lcrypt -lcrypto # The configure script shoull fetch the list of CFLAGS and LIBS from krb4-config actually (but I remeber them from top of my head): # /usr/athena/bin/krb4-config --libs krb4 -L/usr/athena/lib -lkrb -lcrypto -lresolv # /usr/athena/bin/krb4-config --cflags -I/usr/athena/include # Final note: please require krb4-1.3rc1 as it support openssl-0.9.7. krb4-1.2 supported only openssl-0.9.6 and there were nasty symbol clashes in libs when for example openssl and kth-krb supporte was linked into openssh. Same I guess would happen with xscreen-saver. ;-)
(In reply to comment #0) > Final note: please require krb4-1.3rc1 as it support openssl-0.9.7. krb4-1.2 > supported only openssl-0.9.6 and there were nasty symbol clashes in libs when > for example openssl and kth-krb supporte was linked into openssh. Same I guess > would happen with xscreen-saver. ;-) Well, as the only kth-krb4 version in portage is 1.2.2, I'm afraid this needs to be closed as later, until there's at least something to test against. 1.2.2 is heavily broken: http://tinyurl.com/nowah Feel free to reopen when 1.3 is available in portage. Thanks.
I know, I just went few minutes ago through all those bugreports and suggested to use 1.3rc1. If gentto wouldn't relocate to FHS paths, everything would be smooth, no file collisions with manpages, binaries, libs, headers. 'Some' developers said they will rather fix all those problems, but are ugly slow, although do I appreciate their effort. bug #103366 bug #16824 bug #100868 bug #118508 bug #132189
Uhm well, FHS or not, kth-krb not working w/ current stable openssl version is a complete showstopper here. ;)
reopening
Kerberos team, can we look into bumping kth-krb
done.
Emanuele, can you investigate this issue please?
I have just been told that both krb4 implementations are now unsupported by the respective upstream; for this reason I would like to deprecate krb4 support. This should not be a problem, since every app that supports kerberosIV supports kerberosV too, except this one. I have also noticed we are the only one to provide optional support for krb4 in xscreensaver, so I wonder about its usefulness (never used it myself). Opinions are welcome.
If you provide heimdal support instead I am fine with 'wontfix'. Don't forget people do run KDC in the v4-compatible mode to answer requestes from v4 clients, which is exactly this case. Although I think checking the output of `krb4-config --libs krb4` is rather easy and I would argue that even upstream should patch the configure to take the advantage of krb4-config.
v4 compatibility mode requires libkrb4, which I am trying to deprecate... My question was about the usefulness of krb4 support in xscreensaver.
Well, people *can* type in their kerberos or afs password instead of their local/NIS password. AFS also can use krb4 protocol. Maybe their *token* to afs is renewed when they type in the password. That should be handled by the PAM stuff though and depend on the configuration.
Well, since you can get the same functionality using one of the pam_krb5 modules I vote to prune krb4 support in xscreensaver, if you agree.
exg: feel free to do so, just after it send me the diff of ebuilds.
Have you tested the pam_krb5 modules? ;-)
I tried the pam_krb5-2.2.6-r1 ebuild and it doesn't work correctly and user providing correct kerberos password cannot get in through xscreensaver or even login on virtual teminal or ssh terminal. Interrestingly the pam module/xscreensaver attempts blindly to use the password also for principal root which doesn't seem like a good idea). For xscreensaver I cannot confirm it looks into ~/.k5login either: Jul 10 23:38:44 vrapenec kdc[17287]: TGS-REQ mmokrejs/admin@DOMA from IPv4:192.168.0.2 for kadmin/admin@DOMA Jul 10 23:38:44 vrapenec kdc[17287]: sending 582 bytes to IPv4:192.168.0.2 Jul 10 23:38:44 vrapenec kadmind[17340]: connection from IPv4:192.168.0.2 Jul 10 23:38:44 vrapenec kadmind[17378]: mmokrejs/admin@DOMA: GET default@DOMA Jul 10 23:38:55 vrapenec kadmind[17378]: mmokrejs/admin@DOMA: CREATE mmokrejs@DOMA Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA' Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524 Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800 Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0 Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5 Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to authenticate 'mmokrejs', realm 'DOMA' Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: authenticating 'mmokrejs@DOMA' Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60) Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: pam_authenticate returning 7 (Authentication failure) Jul 10 23:39:06 vrapenec xscreensaver(pam_unix)[8051]: authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=mmokrejs Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA' Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524 Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800 Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0 Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5 Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to authenticate 'root', realm 'DOMA' Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: authenticating 'root@DOMA' Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: authentication fails for 'root' (root@DOMA): Authentication failure (Unknown code krb5 60) Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: pam_authenticate returning 7 (Authentication failure) Jul 10 23:39:09 vrapenec xscreensaver(pam_unix)[8051]: authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=root Jul 10 23:39:10 vrapenec xscreensaver[8051]: FAILED LOGIN 1 ON DISPLAY ":0.0", FOR "mmokrejs"
When I have used my local password for user mmokrejs, I have unlocked the screen successfully: Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA' Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to authenticate 'mmokrejs', realm 'DOMA' Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: authenticating 'mmokrejs@DOMA' Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60) Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: pam_authenticate returning 7 (Authentication failure) Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA' Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5 Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to update credentials for 'mmokrejs' Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: _pam_krb5_sly_refresh returning 0 (Success) See bug #139929 for more details on the pam_krb5-2.2.6 issue.
Krzysiek, I did not understand; do you want a diff to commit it by yourself, or is it ok if I commit it?
You're free to commit it yourself, all I would like afterwards is a diff of changes. If you can could you modifiy version 5.00 too.
Created attachment 91600 [details, diff] patch to remove kerberosIV support here it is the patch against xscreensaver-5.00.ebuild, the same applies to xscreensaver-4.24.ebuild. Haven't got much time, so if you have 2 min commit it ;)
Since I have removed krb4 support in xscreensaver I am resolving this as WONTFIX.
