It seems that kaserver does not work correctly in heimdal-0.6.4. The server is not started when "enable-kaserver = yes" is present in the [kdc] section of /etc/krb5.conf. If I add the "-K" option to kdc, the kaserver port is open but "klog" gives weird messages. However, when I use "kinit" AFS tokens are obtained correctly. I use the arla-0.39 client and openafs-1.2.10-r1 commands. Everything works correctly with heimdal-0.6.3-r1. I compile both heimdal packages with "--enable-kaserver" and "--enable-kaserver-db".

Reproducible: Always
Some more details:

With a 2.4.30 kernel, a heimdal-0.6.3-r1 kaserver works correctly with arla-0.39 and openafs-1.2.10-r1 clients, with openafs-1.2.10-r1 commands working for both kernel AFS clients.

With a 2.6.11 kernel, a heimdal-0.6.3-r1 kaserver works correctly with arla-0.39 with arla commands (kalog, tokens). openafs-1.2.10-r1 commands do not work any more.

With a heimdal-0.6.4 kaserver, openafs-1.2.10-r1 and arla commands do not work any more for any kernel. However, kinit obtains valid AFS tokens from heimdal.
Ryan, any thoughts on this?
http://www.stacken.kth.se/lists/heimdal-discuss/2005-06/msg00021.html

kaserver depends on Kerberos 4. Try setting krb4 within the USE variables and please report back.
Well, look, I'm planning on putting a 0.7 snapshot into portage soon anyway, so please bear with me while I get that together.
Seemant, I'm quite convinced heimdal should be installed into the standard place, which is /usr/heimdal/, instead of the /usr/include/heimdal and similar mess. The reason is that many configure scripts in many 3rd party programs look for /usr/heimdal/include/ and similarly for libs. When they are not found, configure assumes heimdal is not available. In very few cases configure looks for krb5-config and figures out where the heimdal stuff is installed. But not every configure parses that correctly, as the output changed over time a bit.

Poor support of krb4 and heimdal was always a problem for various imap and pop3 daemons as well as mozilla. There are simply no people in the world willing to fix all those configures which appear in all those many packages. Instead, every developer just says: we do not support kerberos and what we provide is based on patches people submitted. Ask your vendor to fix the installation setup to match the standard. The standard is clear: /usr/heimdal. ;-) Similarly, kth-krb should be installed in /usr/athena/ and openafs in /usr/vice/ and /usr/afs/.

Per comment #1: I don't have a clear answer, but I believe the situation is a direct result of packages installed in non-standard places. I think the configure of openafs-1.2.10-r1 did not detect kerberos4 libraries, which are required for kaserver, and therefore has disabled krb4 support even when the --enable-krb4 flag was specified on the command line.

Note that use of any kerberos4 implementation is not considered secure since some year or two, when the cross-realm exploit was published. Since then, everybody is advised to use some kerberos5 implementation, be it heimdal or mit kerberos5. Openafs supports both heimdal and mit-krb5, although heimdal is better supported and doesn't have the problem with the aklog build etc.

Please save everybody headaches and make the above packages install into the "usual" locations. Then, many applications will pick them up.
I decided to contribute more on the openafs ebuild side and testing and am in contact with Gerte Hoogewerf who also uploaded some ebuild into bugzilla.
Martin, please comment on the other bugs where you've posted your manifesto. M Grundman, heimdal-0.7 has been in portage for a week or so -- have you had a chance to test?
Per comment #6: I've tried to compile manually heimdal-0.7 against krb4-1.3_rc1, which is required for heimdal-0.7, as both are able to use libcrypto to avoid libs symbol clashes ... and had to send this email to heimdal-bugs. ;)

----------------------
Hi,

although deprecated I tried to build against kth-krb-1.3_rc1 on linux 2.6:

$ ./configure --with-krb4=/usr/athena
[cut]
gcc -DHAVE_CONFIG_H -I. -I. -I../include -I../include -I../lib/roken -I../lib/roken -I/usr/athena/include -I/usr/athena/include -I./../lib/krb5 -I/usr/include/et -D_FILE_OFFSET_BITS=64 -Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -g -O2 -c 524.c
524.c: In function `encode_524_response':
524.c:234: error: `MAX_KTXT_LEN' undeclared (first use in this function)
524.c:234: error: (Each undeclared identifier is reported only once
524.c:234: error: for each function it appears in.)
524.c:234: warning: unused variable `buf'
524.c: In function `do_524':
524.c:284: error: `MAX_KTXT_LEN' undeclared (first use in this function)
524.c:284: warning: unused variable `buf'
make[1]: *** [524.o] Error 1
make[1]: Leaving directory `/scratch/heimdal-0.7/kdc'
M Grundman: You should have posted those "weird messages". I do not know what your goal was, but myself I never need kaserver, even when using kth-krb4. The /usr/athena/libexec/kdc could speak as kaserver if one _really insisted_, but it was not necessary. I asked once on some email list for something similar; here is a snippet of the message (probably google out the whole thread).

--------------------------
> So, how am I supposed to configure heimdal when we want to use AFS? With or
> without --with-krb4. How about the --enable-kaserver option. As I do not
> need to convert from krb4 to krb5 type database, I can omit
> --enable-kaserver-db, right?

--enable-kaserver requires krb4 libs, so for that you'll need a working krb4. Are you still using a kaserver/kaserver emulation?

--enable-kaserver-db is just for dumping a kaserver krb4 database. If you are no longer running a kaserver, you don't need it.

> The docs at http://www.pdc.kth.se/heimdal/heimdal.html are really
> insufficient. For example, on slaves, am I supposed "kdc -s"?
> It says only about hpropd. With krb4, we used to run "kerberos -s" on
> slaves ...
less /usr/heimdal/man/man8/kdc.8 tells me:

-K, --kaserver
    Enable kaserver emulation (in case it's compiled in).

Are you sure krb4 support got correctly compiled in?
I tried to reproduce the problem with the following setup:

heimdal-0.6.5 / heimdal-0.7 (same results with both)
openafs-1.3.86 (not yet in portage, but should be equivalent to 1.3.85) (you were using 1.2.x, but as it's only a network client for the scope of this bug report, I suspect it doesn't matter; please correct me if I'm wrong)

I didn't have to add a -K option to the kdc server (I used plain /etc/init.d/heimdal-kdc); the server is listening on the right kaserver port (7004) just by specifying "enable-kaserver = yes". Both klog and kinit react normally (i.e., I'm able to obtain tokens).

I also have never added, nor do I see the ability to add, "--enable-kaserver" or "--enable-kaserver-db". It may have been removed in the latest versions.

In short, everything works as I would hope, were it not that I was trying to reproduce a bug. I suggest M Grundman try the latest heimdal package from portage (0.6.5 or 0.7, as you choose), and report back on any errors?
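The two things the thread keeps circling back to are whether "enable-kaserver = yes" actually sits in the [kdc] section of krb5.conf and whether the kdc then listens on the kaserver port (7004, as stated above). The following script is an added example, not code from the bug thread or from heimdal; it uses a constructed krb5.conf (realm EXAMPLE.COM is a placeholder) to show how to check the setting in the correct section, including the case where the key was put in the wrong section, and how to check the listening port with ss or netstat.

```shell
#!/bin/sh
# Added example (not from the bug report or heimdal). Checks that
# enable-kaserver is set in the [kdc] section of a krb5.conf and that
# the kaserver port is actually listened on. The config files below
# are constructed for this demonstration.

TMP="${TMPDIR:-/tmp}"
GOOD_CONF="$TMP/krb5.conf.good.example"
BAD_CONF="$TMP/krb5.conf.bad.example"

# Correct placement: the key lives under [kdc].
cat > "$GOOD_CONF" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.COM

[kdc]
	enable-kaserver = yes
	enable-kaserver-db = no

[realms]
	EXAMPLE.COM = {
		kdc = kdc.example.com
	}
EOF

# Common mistake: the key ends up under [libdefaults], where kdc ignores it.
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
	default_realm = EXAMPLE.COM
	enable-kaserver = yes

[kdc]
EOF

# kdc_setting FILE SECTION KEY
# Prints the value of KEY inside [SECTION]; prints nothing if the key is
# absent from that section (even if it appears in another section).
kdc_setting() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }
        insec && line ~ ("^" key "[ \t]*=") {
            split(line, kv, "=")
            v = kv[2]; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# kaserver_listening PORT
# Returns 0 if some socket is bound to the UDP port (7004 for kaserver).
# Requires ss or netstat; not exercised by the offline test below.
kaserver_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -lun 2>/dev/null | grep -q ":$1[[:space:]]"
    else
        netstat -lun 2>/dev/null | grep -q ":$1[[:space:]]"
    fi
}

# Stand-alone run: report what each constructed config says.
printf 'good conf, [kdc] enable-kaserver: %s\n' "$(kdc_setting "$GOOD_CONF" kdc enable-kaserver)"
printf 'bad conf,  [kdc] enable-kaserver: "%s"\n' "$(kdc_setting "$BAD_CONF" kdc enable-kaserver)"
if kaserver_listening 7004; then
    echo "something is listening on UDP 7004"
else
    echo "nothing is listening on UDP 7004"
fi
```

Run the script on a real host with `kdc_setting /etc/krb5.conf kdc enable-kaserver`; an empty result means the key is missing or in the wrong section, and that is the first thing to rule out before reaching for "-K".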
Unable to reproduce by myself, and no reaction for over a month. Resolving as "NEEDINFO" unless new information is given that warrants reopening.