#8
Old 02-20-2008, 08:43 AM
Menno Duursma
 
Re: PAM - Kerberos issues

On Sun, 10 Jul 2005 21:35:05 -0400, Madhusudan Singh wrote:
> Matt Payton wrote:
>> Madhusudan Singh wrote:


>> I would guess that you'll have to recompile kerberos to include PAM,
>> and as part of ./configure you'd tell it where the PAM libs are.


You don't, it's the other way around: compile Kerberos first, then
anything that needs its libs - against them.

>> Actually, now that I poked around on a RedHat based machine I see there
>> is a specific pam_krb5afs package. googling pam_krb5afs turns up quite
>> a few hits, so maybe that's a good place to start...


It's part of the pam_krb5 tarball.

> I found the pam_krb5 source code on sourceforge. But I cannot seem to
> find pam_krb5afs.


Look at the README ... The makefile creates it if the AFS lib is found.

> Further, the configure options for pam_krb5 seem to
> make reference to existing kerberos 5 library and pam library paths :

[ ... ]
> So what should I do ? Compile kerberos first


Yes.

> or pam_krb5 first ? And does either give me pam_krb5afs ?


It should (the Kerberos first one.)

> krbafs is another package entirely and does not seem to have anything to
> do with pam_krb5afs (http://web.mit.edu/openafs/krbafs/).


I've never used AFS but, from what I gather, the latest OpenAFS supports
Krb5. I know Heimdal Kerberos should be able to work with that (it has a
build-time flag for it), and AFAICT you won't need anything besides those
then.

> I have been a slack user for more than a year and would gladly recommend
> this to anyone anyday, but this mess with pam seems to be a serious
> shortcoming to me.


Well it would be nice if something like a libnss_krb5 or libnss_gss exist(ed) ...
One is very unlikely to _need_ PAM for this now, but stuff /does/ need to
be recompiled (or replacements used), which may be annoying.

> Thanks for your response.


With MIT Kerberos some people had problems with multi-threading, now
I dunno if that is still the case, but Heimdal has worked fine here. You
may want to try that, and: read "info heimdal" after install (which is a
good read, even if you stick with MIT - or the Shishi implementation.)
ftp://ftp.pdc.kth.se/pub/heimdal/src/

heimdal.Slackbuild :

#!/bin/sh
# heimdal.SlackBuild - build Heimdal Kerberos into a Slackware package.
# Heimdal's default --prefix is /usr/heimdal, so the package keeps its own
# bin/, sbin/, lib/, man/ and info/ trees under that directory.

NAME=heimdal
VERSION=0.7
ARCH=i486
BUILD=1

CPU=i686

if [ -z "$TMP" ]; then
  TMP=/tmp
fi
if [ ! -d "$TMP" ]; then
  mkdir -p "$TMP"
fi

if [ "$CPU" = "i686" ]; then
  SLKCFLAGS="-O2 -march=$ARCH -mtune=$CPU"
else
  SLKCFLAGS="-O2"
fi

CWD=`pwd`
PKG=$TMP/package-$NAME
rm -rf "$PKG"
mkdir -p "$PKG"

cd "$TMP"
tar xzvf "$CWD/$NAME-$VERSION.tar.gz"

cd "$NAME-$VERSION"

# Set basic permissions on the unpacked tree: no group/world write, no
# setuid/setgid bits, no ownership inherited from the tarball.
find . -type f -print0 | xargs -0 chmod go-w
find . -type d -print0 | xargs -0 chmod 0755
chown -R root:root .
chmod -R -s .

# Configure and build in the source tree (we are in $TMP/$NAME-$VERSION,
# so it is ./configure, not ../configure).
CFLAGS="$SLKCFLAGS" \
./configure \
  --enable-shared=yes \
  --without-krb4 \
  --without-hesiod \
  --without-ipv6 \
  --without-openldap \
  --with-x
make
make install DESTDIR="$PKG"

# Strip symbols off of binaries. lib/ and libexec/ also hold scripts and
# symlinks that strip cannot handle, so its complaints about those are
# silenced.
strip $PKG/usr/heimdal/bin/* 2> /dev/null
strip $PKG/usr/heimdal/sbin/* 2> /dev/null
strip --strip-unneeded $PKG/usr/heimdal/lib/* 2> /dev/null
strip --strip-unneeded $PKG/usr/heimdal/libexec/* 2> /dev/null

# Set the binaries in the bin directories to group bin
chgrp -R bin $PKG/usr/heimdal/bin
chgrp -R bin $PKG/usr/heimdal/sbin

# Database dir (kdc.conf and the KDC database live here)
mkdir -p $PKG/var/heimdal

# Set PATH and MANPATH; sbin is only added for root. EUID is provided by
# bash, which is what Slackware's /etc/profile runs these snippets under.
mkdir -p $PKG/etc/profile.d
cat << END > $PKG/etc/profile.d/heimdal.sh
#!/bin/sh

export INFOPATH="/usr/heimdal/info:"
MANPATH="\$MANPATH:/usr/heimdal/man"
PATH="\$PATH:/usr/heimdal/bin"
if [ x"\$EUID" = x"0" ]; then
  PATH="\$PATH:/usr/heimdal/sbin"
fi
END
chmod +x $PKG/etc/profile.d/heimdal.sh

# Include a KDC rc-file for the admin to consider. It only starts the KDC
# once a kdc.conf has been put in place, so installing the package does
# not by itself bring up a KDC.
mkdir -p $PKG/etc/rc.d
cat << END > $PKG/etc/rc.d/rc.heimdal
#!/bin/sh

heimdal_start() {
  if [ -r /var/heimdal/kdc.conf -a -x /usr/heimdal/libexec/kdc ]; then
    echo "Starting the Kerberos service: /usr/heimdal/libexec/kdc --detach"
    /usr/heimdal/libexec/kdc --detach
  fi
}

heimdal_stop() {
  killall kdc
}

heimdal_restart() {
  heimdal_stop
  sleep 1
  heimdal_start
}

case "\$1" in
  'start')
    heimdal_start
    ;;
  'stop')
    heimdal_stop
    ;;
  'restart')
    heimdal_restart
    ;;
  *)
    echo "Usage: \$0 start|stop|restart"
esac
END
chmod +x $PKG/etc/rc.d/rc.heimdal

#
# Documentation :
#
mkdir -p $PKG/usr/doc/$NAME-$VERSION
cp -a NEWS README TODO* config.log \
  $PKG/usr/doc/$NAME-$VERSION
mkdir -p $PKG/usr/doc/$NAME-$VERSION/ChangeLog
cp -a ChangeLog* $PKG/usr/doc/$NAME-$VERSION/ChangeLog
mkdir -p $PKG/usr/doc/$NAME-$VERSION/etc
cp -a etc/services.append \
  $PKG/usr/doc/$NAME-$VERSION/etc
mkdir -p $PKG/usr/doc/$NAME-$VERSION/doc
cp -a doc/init-creds doc/layman.asc doc/mdate-sh \
  $PKG/usr/doc/$NAME-$VERSION/doc
mkdir -p $PKG/usr/doc/$NAME-$VERSION/doc/standardisation
cp -a doc/standardisation/* \
  $PKG/usr/doc/$NAME-$VERSION/doc/standardisation

# Ship the sample krb5.conf as .new so an existing /etc/krb5.conf is
# never overwritten on upgrade.
mkdir -p $PKG/etc
cp krb5.conf $PKG/etc/krb5.conf.new

# Compress manual pages
( for dir in `find $PKG/usr -type d -name 'man?' -print`; do
    cd $dir && gzip -9 *
  done
)

# Compress info pages
( cd $PKG/usr/heimdal/info
  find . -type f \! -name dir -exec gzip -9 {} \;
  # Link the main compressed info page to a name as if it was clear
  # as otherwise the GNU info utility somehow fails to render it...
  ln -s heimdal.info.gz heimdal
)

mkdir -p $PKG/install

# Things to do on the target machine after install: make the Heimdal
# libraries visible to the dynamic linker (idempotent, so re-installing
# does not add duplicate lines).
cat << END > $PKG/install/doinst.sh
if ! grep -q '^/usr/heimdal/lib$' /etc/ld.so.conf ; then
  echo "/usr/heimdal/lib" >> /etc/ld.so.conf
  /sbin/ldconfig
fi
END

# Add package description
cat $CWD/slack-desc > $PKG/install/slack-desc

# Create a package out of this
cd $PKG
makepkg -l y -c n ../$NAME-$VERSION-$ARCH-$BUILD.tgz

# Clean up the extra stuff:
if [ "$1" = "--cleanup" ]; then
  rm -rf $TMP/$NAME-$VERSION
  rm -rf $PKG
fi

--
-Menno.

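Added example, not part of Menno's post and not Heimdal or pam_krb5 code: a small POSIX-shell check for the build-order point made above. When a PAM module such as pam_krb5 is compiled after Kerberos and against its libs, the installed module should resolve libkrb5 to the copy under /usr/heimdal/lib (the directory the doinst.sh above adds to /etc/ld.so.conf), not to some other Kerberos build that happens to be on the box. The functions parse ldd output; the sample ldd lines, sonames and the module path in the comment are constructed for the example.

```shell
#!/bin/sh
# Added example: verify which libkrb5 a shared object was bound to.
# Not from the original post. Assumes the Heimdal prefix used by the
# SlackBuild above (/usr/heimdal).
HEIMDAL_LIB=/usr/heimdal/lib

# krb5_lib_path LDD_OUTPUT
#   Prints the path ldd resolved libkrb5 to, "missing" when libkrb5 is
#   listed but was not found, or nothing when libkrb5 is not referenced.
krb5_lib_path() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^libkrb5\.so/ {
            if ($2 == "=>" && $3 == "not") print "missing";
            else if ($2 == "=>") print $3;
            exit
        }'
}

# check_krb5_link LDD_OUTPUT
#   Returns 0 when libkrb5 resolves under $HEIMDAL_LIB, 1 otherwise
#   (wrong Kerberos build, or not resolvable at all).
check_krb5_link() {
    path=$(krb5_lib_path "$1")
    case "$path" in
        "$HEIMDAL_LIB"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample ldd output (not captured from a real system; the
# soname numbers are illustrative).
GOOD='
    linux-gate.so.1 =>  (0xffffe000)
    libpam.so.0 => /lib/libpam.so.0 (0xb7f60000)
    libkrb5.so.17 => /usr/heimdal/lib/libkrb5.so.17 (0xb7ee0000)
    libc.so.6 => /lib/libc.so.6 (0xb7db0000)'
BAD='
    libpam.so.0 => /lib/libpam.so.0 (0xb7f60000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7ee0000)
    libc.so.6 => /lib/libc.so.6 (0xb7db0000)'
UNRESOLVED='
    libkrb5.so.17 => not found
    libc.so.6 => /lib/libc.so.6 (0xb7db0000)'

# Real use, with an assumed module path:
#   check_krb5_link "$(ldd /lib/security/pam_krb5.so)" \
#       && echo "pam_krb5 uses Heimdal" || echo "pam_krb5 uses another libkrb5"
```

The "missing" case is the one you hit when the package is installed but doinst.sh did not run (or ldconfig was not re-run): the module exists, libkrb5 exists, and the linker still cannot find it.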