Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 132224

Summary: x11-misc/xscreensaver-4.24: kth-krb-1.3 is also sufficient as krb4
Product: Gentoo Linux Reporter: Martin Mokrejš <mmokrejs>
Component: Current packagesAssignee: Gentoo Kerberos Maintainers <kerberos>
Status: RESOLVED WONTFIX    
Severity: enhancement CC: desktop-misc
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: patch to remove kerberosIV support

Description Martin Mokrejš 2006-05-04 03:58:03 UTC 
# emerge -uN world
Calculating world dependencies... done!
>>> Emerging (1 of 4) x11-misc/xscreensaver-4.24 to /
>>> checking ebuild checksums
>>> checking auxfile checksums
>>> checking miscfile checksums
>>> checking distfiles checksums
 * 
 * You have enabled kerberos without krb4 support. Kerberos will be
 * disabled unless kerberos 4 support has been compiled with your
 * kerberos libraries. To do that, you should abort now and do:
 * 
 *  USE="krb4" emerge mit-krb5
 * 
>>> Unpacking source...


I did not believe one would have to have mit-krb5 installed as I used to use xscreen-saver on OSF1 years ago with kth-krb4 support. I went to test whether kth-krb is detected in it standard location (/usr/athena, I hope krb.h will also be detected in the FHS locations forced by Gentoo):

./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-hackdir=/usr/lib/misc/xscreensaver --with-configdir=/usr/share/xscreensaver/config --x-libraries=/usr/lib --x-includes=/usr/include --with-mit-ext --with-dpms-ext --with-xf86vmode-ext --with-xf86gamma-ext --with-proc-interrupts --with-xpm --with-xshm-ext --with-xdbe-ext --enable-locking --with-gtk --with-xml --without-setuid-hacks --without-login-manager --without-xinerama-ext --with-pam --with-gl --with-gle --with-jpeg --enable-nls --with-kerberos=/usr/athena --build=i686-pc-linux-gnu
[..]
checking for Kerberos headers... /usr/athena/include
checking for Kerberos libs... /usr/athena/lib
checking for Kerberos 4... yes
checking for Kerberos 5... no
[...]


# i686-pc-linux-gnu-gcc -pedantic -Wall -Wstrict-prototypes -Wnested-externs -std=c89 -U__STRICT_ANSI__ -L/usr/lib -o xscreensaver xscreensaver.o windows.o timers.o subprocs.o exec.o xset.o splash.o setuid.o stderr.o prefs.o dpms.o lock.o passwd.o passwd-kerberos.o passwd-pam.o passwd-pwent.o ../utils/fade.o ../utils/overlay.o ../utils/logo.o ../utils/yarandom.o ../utils/resources.o ../utils/usleep.o ../utils/visual.o    -L/usr/athena/lib  -L/usr/lib -lXmu  -lXxf86vm -lXrandr -lXrender -lXxf86misc    -lSM -lICE -lXt -lX11 -lXext  -lpam -ldl -lkrb -ldes -lcom_err -lresolv -lcrypt
/usr/lib/gcc/i686-pc-linux-gnu/3.4.6/../../../../i686-pc-linux-gnu/bin/ld: cannot find -ldes
collect2: ld returned 1 exit status
make[1]: *** [xscreensaver] Error 1
make[1]: Leaving directory `/var/tmp/portage/xscreensaver-4.24/work/xscreensaver-4.24/driver'


fixed by:

# i686-pc-linux-gnu-gcc -pedantic -Wall -Wstrict-prototypes -Wnested-externs -std=c89 -U__STRICT_ANSI__ -L/usr/lib -o xscreensaver xscreensaver.o windows.o timers.o subprocs.o exec.o xset.o splash.o setuid.o stderr.o prefs.o dpms.o lock.o passwd.o passwd-kerberos.o passwd-pam.o passwd-pwent.o ../utils/fade.o ../utils/overlay.o ../utils/logo.o ../utils/yarandom.o ../utils/resources.o ../utils/usleep.o ../utils/visual.o    -L/usr/athena/lib  -L/usr/lib -lXmu  -lXxf86vm -lXrandr -lXrender -lXxf86misc    -lSM -lICE -lXt -lX11 -lXext  -lpam -ldl -lkrb -lresolv -lcrypt -lcrypto
#


The configure script shoull fetch the list of CFLAGS and LIBS from krb4-config actually (but I remeber them from top of my head):

# /usr/athena/bin/krb4-config --libs krb4
-L/usr/athena/lib -lkrb -lcrypto -lresolv
# /usr/athena/bin/krb4-config --cflags
-I/usr/athena/include 
#


Final note: please require krb4-1.3rc1 as it support openssl-0.9.7. krb4-1.2 supported only openssl-0.9.6 and there were nasty symbol clashes in libs when for example openssl and kth-krb supporte was linked into openssh. Same I guess would happen with xscreen-saver. ;-)
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-05-04 04:09:03 UTC 
(In reply to comment #0)
> Final note: please require krb4-1.3rc1 as it support openssl-0.9.7. krb4-1.2
> supported only openssl-0.9.6 and there were nasty symbol clashes in libs when
> for example openssl and kth-krb supporte was linked into openssh. Same I guess
> would happen with xscreen-saver. ;-)

Well, as the only kth-krb4 version in portage is 1.2.2, I'm afraid this needs to be closed as later, until there's at least something to test against. 1.2.2 is heavily broken:

http://tinyurl.com/nowah

Feel free to reopen when 1.3 is available in portage. Thanks.
Comment 2 Martin Mokrejš 2006-05-04 06:07:30 UTC 
I know, I just went few minutes ago through all those bugreports and suggested to use 1.3rc1. If gentto wouldn't relocate to FHS paths, everything would be smooth, no file collisions with manpages, binaries, libs, headers. 'Some' developers said they will rather fix all those problems, but are ugly slow, although do I appreciate their effort.

bug #103366
bug #16824
bug #100868
bug #118508
bug #132189
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-05-04 06:14:39 UTC 
Uhm well, FHS or not, kth-krb not working w/ current stable openssl version is a complete showstopper here. ;)
Comment 4 Seemant Kulleen (RETIRED) gentoo-dev 2006-05-04 06:55:09 UTC 
reopening
Comment 5 Seemant Kulleen (RETIRED) gentoo-dev 2006-05-04 06:56:05 UTC 
Kerberos team, can we look into bumping kth-krb
Comment 6 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-05-04 21:25:07 UTC 
done.
Comment 7 Seemant Kulleen (RETIRED) gentoo-dev 2006-05-21 14:21:09 UTC 
Emanuele, can you investigate this issue please?
Comment 8 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-07-03 05:17:47 UTC 
I have just been told that both krb4 implementations are now unsupported by the respective upstream; for this reason I would like to deprecate krb4 support. This should not be a problem, since every app that supports kerberosIV supports kerberosV too, except this one. I have also noticed we are the only one to provide optional support for krb4 in xscreensaver, so I wonder about its usefulness (never used it myself). Opinions are welcome.
Comment 9 Martin Mokrejš 2006-07-04 01:02:41 UTC 
If you provide heimdal support instead I am fine with 'wontfix'. Don't forget people do run KDC in the v4-compatible mode to answer requestes from v4 clients, which is exactly this case.

Although I think checking the output of `krb4-config --libs krb4` is rather easy and I would argue that even upstream should patch the configure to take the advantage of krb4-config.
Comment 10 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-07-04 10:19:28 UTC 
v4 compatibility mode requires libkrb4, which I am trying to deprecate... My question was about the usefulness of krb4 support in xscreensaver.
Comment 11 Martin Mokrejš 2006-07-04 10:25:35 UTC 
Well, people *can* type in their kerberos or afs password instead of their local/NIS password. AFS also can use krb4 protocol.

Maybe their *token* to afs is renewed when they type in the password. That should be handled by the PAM stuff though and depend on the configuration.
Comment 12 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-07-10 04:53:51 UTC 
Well, since you can get the same functionality using one of the pam_krb5 modules I vote to prune krb4 support in xscreensaver, if you agree.
Comment 13 Krzysztof Pawlik (RETIRED) gentoo-dev 2006-07-10 08:49:35 UTC 
exg: feel free to do so, just after it send me the diff of ebuilds.
Comment 14 Martin Mokrejš 2006-07-10 09:48:07 UTC 
Have you tested the pam_krb5 modules? ;-)
Comment 15 Martin Mokrejš 2006-07-10 15:11:38 UTC 
I tried the pam_krb5-2.2.6-r1 ebuild and it doesn't work correctly and user providing correct kerberos password cannot get in through xscreensaver or even login on virtual teminal or ssh terminal.

Interrestingly the pam module/xscreensaver attempts blindly to use the password also for principal root which doesn't seem like a good idea).

For xscreensaver I cannot confirm it looks into ~/.k5login either:

Jul 10 23:38:44 vrapenec kdc[17287]: TGS-REQ mmokrejs/admin@DOMA from IPv4:192.168.0.2 for kadmin/admin@DOMA
Jul 10 23:38:44 vrapenec kdc[17287]: sending 582 bytes to IPv4:192.168.0.2
Jul 10 23:38:44 vrapenec kadmind[17340]: connection from IPv4:192.168.0.2
Jul 10 23:38:44 vrapenec kadmind[17378]: mmokrejs/admin@DOMA: GET default@DOMA
Jul 10 23:38:55 vrapenec kadmind[17378]: mmokrejs/admin@DOMA: CREATE mmokrejs@DOMA
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA'
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to authenticate 'mmokrejs', realm 'DOMA'
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: authenticating 'mmokrejs@DOMA'
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60)
Jul 10 23:39:06 vrapenec xscreensaver[8051]: pam_krb5[8051]: pam_authenticate returning 7 (Authentication failure)
Jul 10 23:39:06 vrapenec xscreensaver(pam_unix)[8051]: authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost=  user=mmokrejs
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA'
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to authenticate 'root', realm 'DOMA'
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: authenticating 'root@DOMA'
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: authentication fails for 'root' (root@DOMA): Authentication failure (Unknown code krb5 60)
Jul 10 23:39:09 vrapenec xscreensaver[8051]: pam_krb5[8051]: pam_authenticate returning 7 (Authentication failure)
Jul 10 23:39:09 vrapenec xscreensaver(pam_unix)[8051]: authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost=  user=root
Jul 10 23:39:10 vrapenec xscreensaver[8051]: FAILED LOGIN 1 ON DISPLAY ":0.0", FOR "mmokrejs"
Comment 16 Martin Mokrejš 2006-07-10 15:11:56 UTC 
When I have used my local password for user mmokrejs, I have unlocked the screen successfully:

Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA'
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to authenticate 'mmokrejs', realm 'DOMA'
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: authenticating 'mmokrejs@DOMA'
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: authentication fails for 'mmokrejs' (mmokrejs@DOMA): Authentication failure (Unknown code krb5 60)
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: pam_authenticate returning 7 (Authentication failure)
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: configured realm 'DOMA'
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flags: forwardable proxiable
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no ignore_afs
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: user_check
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no krb4_convert
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_convert_524
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: krb4_use_as_req
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no use_shmem
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: no external
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: flag: warn
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ticket lifetime: 604800
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: renewable lifetime: 0
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: banner: Kerberos 5
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: ccache dir: /tmp
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: keytab: FILE:/etc/krb5.keytab
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: called to update credentials for 'mmokrejs'
Jul 10 23:39:25 vrapenec xscreensaver[8051]: pam_krb5[8051]: _pam_krb5_sly_refresh returning 0 (Success)


See bug #139929 for more details on the pam_krb5-2.2.6 issue.
Comment 17 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-07-12 12:35:00 UTC 
Krzysiek, I did not understand; do you want a diff to commit it by yourself, or is it ok if I commit it?
Comment 18 Krzysztof Pawlik (RETIRED) gentoo-dev 2006-07-12 12:43:49 UTC 
You're free to commit it yourself, all I would like afterwards is a diff of changes. If you can could you modifiy version 5.00 too.
Comment 19 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-07-12 14:46:27 UTC 
Created attachment 91600 [details, diff]
patch to remove kerberosIV support

here it is the patch against xscreensaver-5.00.ebuild, the same applies to xscreensaver-4.24.ebuild. Haven't got much time, so if you have 2 min commit it ;)
Comment 20 Emanuele Giaquinta (RETIRED) gentoo-dev 2006-09-05 02:02:12 UTC 
Since I have removed krb4 support in xscreensaver I am resolving this as WONTFIX.