Hi,
Would it be possible to extend SSSD to also support Heimdal as a Kerberos client implementation?
This patch seems to provide just that: http://cvs.pld-linux.org/cgi-bin/viewvc.cgi/cvs/packages/sssd/sssd-heimdal.p...
My setup is as follows:
server with
- Heimdal KDC
- openldap
- pam_ldap / nss_ldap
laptops/workstations with
- mit kerberos clients
- SSSD
I would like to use SSSD on all my machines, but because SSSD does not support Heimdal I cannot replace pam_ldap/nss_ldap on the server.
Maybe you could consider this patch and add it to SSSD?
Thanks,
J.
On Tue, 2011-12-20 at 19:37 +0100, lists wrote:
Well, this patch as-is won't work (because it disables support for MIT Kerberos while adding support for Heimdal). We may be able to add support for choosing the Kerberos implementation at build-time.
It's going to be difficult to test for us, however. Most of our development is done on Fedora, which has no standalone Heimdal package (this is because MIT Kerberos and Heimdal cannot currently coexist on the same system because they conflict with some files (like libkrb5.so)).
I can work up a possible patch, but I'd need you to be able to help test it. Is that something you'd be willing to work on?
Also, please file an enhancement request at https://fedorahosted.org/sssd (if you don't have a Fedora login account, you can get one for free at https://admin.fedoraproject.org/accounts)
Stephen Gallagher wrote on Tue 20-12-2011 at 13:42 [-0500]:
That would be great. I can help to test it. I will also file an enhancement request.
Thanks, J.
On Tue, 2011-12-20 at 19:54 +0100, lists wrote:
Ok, I've got a first-pass of the Heimdal compatibility layer. I've attached the patch (which applies cleanly on the current master). You could also clone my public git repo at git://fedorapeople.org/home/fedora/sgallagh/public_git/sssd.git and then 'git checkout heimdal'.
You can then build with 'autoreconf -if && ./configure [appropriate distro flags] && make'
(Then finally, 'make install' as root).
Stephen Gallagher wrote on 20.12.2011 22:20:
I used the git route. My distro is Gentoo, and I am using Heimdal 1.4.1.
This is what I used as the configure command:
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-dependency-tracking --localstatedir=/var --enable-nsslibdir=/lib64 --with-plugin-path=/usr/lib64/sssd --enable-pammoddir=//lib64/security --with-ldb-lib-dir=/usr/lib64/ldb/modules/ldb --without-nscd --with-unicode-lib=libunistring --without-selinux --without-semanage --without-python-bindings --enable-krb5-locator-plugin --enable-nls --without-libnl
and configure asks me to report this:
....
checking for pcre_compile in -lpcre... yes
checking for krb5-config... /usr/bin/krb5-config
checking for working krb5-config... yes
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking krb5/krb5.h usability... no
checking krb5/krb5.h presence... no
checking for krb5/krb5.h... no
checking for krb5_ticket_times... no
checking for krb5_times... yes
checking for krb5_get_init_creds_opt_alloc... yes
checking for krb5_get_error_message... yes
checking for krb5_free_unparsed_name... yes
checking for krb5_get_init_creds_opt_set_expire_callback... no
checking for krb5_get_init_creds_opt_set_fast_ccache_name... no
checking for krb5_get_init_creds_opt_set_fast_flags... no
checking for krb5_get_init_creds_opt_set_canonicalize... yes
checking for krb5_unparse_name_flags... yes
checking for krb5_get_init_creds_opt_set_change_password_prompt... no
checking for krb5_free_keytab_entry_contents... no
checking for krb5_kt_free_entry... yes
checking for krb5_princ_realm... yes
checking for krb5_get_time_offsets... no
checking for krb5_principal_get_realm... yes
checking krb5/locate_plugin.h usability... no
checking krb5/locate_plugin.h presence... yes
configure: WARNING: krb5/locate_plugin.h: present but cannot be compiled
configure: WARNING: krb5/locate_plugin.h: check for missing prerequisite headers?
configure: WARNING: krb5/locate_plugin.h: see the Autoconf documentation
configure: WARNING: krb5/locate_plugin.h: section "Present But Cannot Be Compiled"
configure: WARNING: krb5/locate_plugin.h: proceeding with the compiler's result
configure: WARNING: ## ------------------------------------------------ ##
configure: WARNING: ## Report this to sssd-devel@lists.fedorahosted.org ##
configure: WARNING: ## ------------------------------------------------ ##
checking for krb5/locate_plugin.h... no
configure: Kerberos locator plugin cannot be build
checking ares.h usability... yes
....
Compilation fails with this error:
.....
libtool: link: ( cd ".libs" && rm -f "libsss_util.la" && ln -s "../libsss_util.la" "libsss_util.la" ) \
# source='src/util/sss_krb5.c' object='src/util/libsss_ldap_la-sss_krb5.lo' libtool=yes /bin/sh ./libtool --tag=CC --mode=compile x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -Wall -Iinclude -I.. -I./include -I./src/sss_client -I./src -Iinclude -I. -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -DLIBDIR="/usr/lib64" -DVARDIR="/var" -DSHLIBEXT="" -DSSSD_LIBEXEC_PATH="/usr/libexec/sssd" -DSSSD_INTROSPECT_PATH="" -DSSSD_CONF_DIR="/etc/sssd" -DSSS_NSS_SOCKET_NAME="/var/lib/sss/pipes/nss" -DSSS_PAM_SOCKET_NAME="/var/lib/sss/pipes/pam" -DSSS_PAM_PRIV_SOCKET_NAME="/var/lib/sss/pipes/private/pam" -DSSS_SUDO_SOCKET_NAME="/var/lib/sss/pipes/sudo" -DLOCALEDIR="/usr/share/locale" -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -I/usr/include -I/usr/include -g -O2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -c -o src/util/libsss_ldap_la-sss_krb5.lo `test -f 'src/util/sss_krb5.c' || echo './'`src/util/sss_krb5.c
libtool: compile: x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -Wall -Iinclude -I.. -I./include -I./src/sss_client -I./src -Iinclude -I. -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -DLIBDIR="/usr/lib64" -DVARDIR="/var" -DSHLIBEXT="" -DSSSD_LIBEXEC_PATH="/usr/libexec/sssd" -DSSSD_INTROSPECT_PATH="" -DSSSD_CONF_DIR="/etc/sssd" -DSSS_NSS_SOCKET_NAME="/var/lib/sss/pipes/nss" -DSSS_PAM_SOCKET_NAME="/var/lib/sss/pipes/pam" -DSSS_PAM_PRIV_SOCKET_NAME="/var/lib/sss/pipes/private/pam" -DSSS_SUDO_SOCKET_NAME="/var/lib/sss/pipes/sudo" -DLOCALEDIR="/usr/share/locale" -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -I/usr/include -I/usr/include -g -O2 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -c src/util/sss_krb5.c -fPIC -DPIC -o src/util/.libs/libsss_ldap_la-sss_krb5.o
src/util/sss_krb5.c: In function 'match_principal':
src/util/sss_krb5.c:396:5: warning: 'krb5_princ_realm' is deprecated (declared at /usr/include/krb5-protos.h:3198)
src/util/sss_krb5.c:396:16: warning: assignment from incompatible pointer type
src/util/sss_krb5.c: In function 'sss_krb5_free_unparsed_name':
src/util/sss_krb5.c:587:5: warning: 'krb5_free_unparsed_name' is deprecated (declared at /usr/include/krb5-protos.h:1925)
src/util/sss_krb5.c: In function 'sss_krb5_get_init_creds_opt_set_canonicalize':
src/util/sss_krb5.c:925:5: warning: passing argument 1 of 'krb5_get_init_creds_opt_set_canonicalize' from incompatible pointer type
/usr/include/krb5-protos.h:2254:1: note: expected 'krb5_context' but argument is of type 'struct krb5_get_init_creds_opt *'
src/util/sss_krb5.c:925:5: warning: passing argument 2 of 'krb5_get_init_creds_opt_set_canonicalize' makes pointer from integer without a cast
/usr/include/krb5-protos.h:2254:1: note: expected 'struct krb5_get_init_creds_opt *' but argument is of type 'int'
src/util/sss_krb5.c:925:5: error: too few arguments to function 'krb5_get_init_creds_opt_set_canonicalize'
/usr/include/krb5-protos.h:2254:1: note: declared here
src/util/sss_krb5.c:925:5: warning: 'return' with a value, in function returning void
src/util/sss_krb5.c: In function 'sss_krb5_princ_realm':
src/util/sss_krb5.c:935:12: warning: assignment discards qualifiers from pointer target type
src/util/sss_krb5.c:936:5: warning: passing argument 1 of 'strlen' from incompatible pointer type
/usr/include/string.h:399:15: note: expected 'const char *' but argument is of type 'char **'
make[2]: *** [src/util/libsss_ldap_la-sss_krb5.lo] Error 1
make[2]: Leaving directory `/root/sssd/sssd'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/sssd/sssd'
make: *** [all] Error 2
Note: I also tried Heimdal 1.5.1 with the same failure.
Regards,
J.
On Wed, 2011-12-21 at 11:40 +0100, lists wrote:
This looks like a bug in your Heimdal package. The locator plugin header can't be compiled. I suggest removing the --enable-krb5-locator-plugin argument from configure and trying without it.
The locator plugin is there to ensure that non-SSSD kerberized applications will always talk to the same KDC/kadmin server that SSSD is currently using. Without it, you need to make sure that krb5.conf is configured correctly. Then your kerberized apps will EACH make their own decision as to which KDC to talk to (rather than asking SSSD which one to use).
> This looks like a bug in your Heimdal package. The locator plugin header can't be compiled. I suggest removing the --enable-krb5-locator-plugin argument from configure and trying without it.
This particular configure rule does not depend on --enable-krb5-locator-plugin. I get the same configure error message with or without enabling it. I tried adding krb5.h as an include on the ac rule. This resolves the "WARNING: Report this to sssd-devel@lists.fedorahosted.org" warning.
The real issue is the compile error, which remains the same in all cases. The compile error during make is (as far as I can see) not related to the locator plugin.
On Wed, 2011-12-21 at 21:10 +0100, lists wrote:
Thanks, I took a closer look and I think (hope) I fixed the warnings and errors.
There's one 'gotcha' here. I added a nasty hack to the definition of sss_krb5_get_init_creds_opt_set_canonicalize() to work around the fact that Heimdal and MIT both define this function with a different set of options. For the moment, I'm just adding an extra check so that it will fall back to 'unsupported' until we figure out a way with autoconf to check what arguments the function takes.
I've attached the new version of the patch and pushed it to my fedorapeople repo as well, on the 'heimdal' branch. You should be able to do a 'git pull' to update it.
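The open question above, how to find out at build time which argument list krb5_get_init_creds_opt_set_canonicalize takes, can be answered with a small compile probe. This is an added example, not SSSD's code or Stephen's patch: the function name probe_canonicalize_signature is made up here, and it assumes a C compiler plus krb5-config on the PATH (or an explicit CFLAGS argument). The two prototypes it tries are the ones the compiler diagnostics quoted in this thread point at, Heimdal's (krb5_context, krb5_get_init_creds_opt *, krb5_boolean) and MIT's (krb5_get_init_creds_opt *, int).

```shell
#!/bin/sh
# Added example, not SSSD's code: find out which prototype the installed
# Kerberos library exports for krb5_get_init_creds_opt_set_canonicalize,
# so a wrapper like sss_krb5_get_init_creds_opt_set_canonicalize() can
# pick the right call at build time instead of guessing.
#
# Prints exactly one word:
#   heimdal     - (krb5_context, krb5_get_init_creds_opt *, krb5_boolean)
#   mit         - (krb5_get_init_creds_opt *, int)
#   unsupported - neither test program compiles (no header, no compiler,
#                 or an unknown signature); the wrapper should then report
#                 "not supported" rather than call the function.
#
# Usage: probe_canonicalize_signature [CC] [CFLAGS]
#   CC     defaults to $CC, then "cc"
#   CFLAGS defaults to the output of "krb5-config --cflags"
probe_canonicalize_signature() {
    probe_cc="${1:-${CC:-cc}}"
    # "|| true" keeps a missing krb5-config from aborting under "set -e".
    probe_cflags="${2-$(krb5-config --cflags 2>/dev/null || true)}"
    probe_dir=$(mktemp -d) || return 1

    # Heimdal prototype: context first, boolean last.
    cat > "$probe_dir/heimdal.c" <<'EOF'
#include <stddef.h>
#include <krb5.h>
int main(void)
{
    krb5_context ctx = NULL;
    krb5_get_init_creds_opt *opt = NULL;
    krb5_get_init_creds_opt_set_canonicalize(ctx, opt, 1);
    return 0;
}
EOF

    # MIT prototype: no context argument.
    cat > "$probe_dir/mit.c" <<'EOF'
#include <stddef.h>
#include <krb5.h>
int main(void)
{
    krb5_get_init_creds_opt *opt = NULL;
    krb5_get_init_creds_opt_set_canonicalize(opt, 1);
    return 0;
}
EOF

    # -Werror turns the "incompatible pointer type" warnings quoted in the
    # thread into failures, so at most one of the two programs compiles;
    # "too few arguments" is a hard error with or without it.
    probe_result=unsupported
    if $probe_cc $probe_cflags -Werror -c "$probe_dir/heimdal.c" \
            -o "$probe_dir/heimdal.o" >/dev/null 2>&1; then
        probe_result=heimdal
    elif $probe_cc $probe_cflags -Werror -c "$probe_dir/mit.c" \
            -o "$probe_dir/mit.o" >/dev/null 2>&1; then
        probe_result=mit
    fi

    rm -rf "$probe_dir"
    printf '%s\n' "$probe_result"
}

# Stand-alone use: report the result for the system Kerberos library.
probe_canonicalize_signature
```

The two test programs drop straight into an AC_COMPILE_IFELSE check if configure should set the define itself.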
> Thanks, I took a closer look and I think (hope) I fixed the warnings and errors.
Ok, this seems to work. The only change I had to make was to add check-ticket-addresses = false to my KDC configuration. In the Heimdal-based version there is a HostAddresses parameter present that is not there in the MIT-based version (as seen with Wireshark).
This is what I tested:
- getent passwd <ldapuser>
- ssh <ldapuser>@localhost
- graphical login (user had a ticket after login)
all with success.
The communication to openldap was SASL-based, so sssd was able to get a ticket and use it to communicate with openldap.
Do you have other scenarios/things you want me to test?
On Thu, 2011-12-22 at 11:46 +0100, lists wrote:
That's a good start. If possible, I'd like you to test the following additional features:
1) Password-change (using chpass_provider = krb5)
2) Expiration warning. Set a user principal's password expiration time to less than seven days in the future, then perform an online login at the console or SSH and verify that you get a warning message that it will expire soon.
3) Deferred kinit: set 'cache_credentials = True' and 'krb5_store_password_if_offline = True' in sssd.conf and restart SSSD. Then perform an offline cached authentication (unplug your network cable and log in). Then plug the cable back in. Wait 10-15s and then do a klist and verify that your credentials were automatically retrieved once SSSD detected that you were back online.
Those are the major features I'd like to have tested. Thank you very much for your help!
On Thu, Dec 22, 2011 at 07:59:39AM -0500, Stephen Gallagher wrote:
I haven't actually tested the Heimdal support -- I don't have any distribution that includes Heimdal handy -- but the patch looks good and as far as I could see it does not break anything.
Ack.
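The build-time check Stephen says is still missing, as an added autoconf fragment that is not part of the patch or of SSSD's configure.ac. It assumes KRB5_CFLAGS has already been set (pkg-config or krb5-config), and the HAVE_..._HEIMDAL / HAVE_..._MIT macro names are assumptions as well.

```m4
dnl Added example, not SSSD's configure.ac: probe which prototype of
dnl krb5_get_init_creds_opt_set_canonicalize() the installed krb5.h declares,
dnl so the sss_krb5_ wrapper can dispatch at build time instead of falling
dnl back to "unsupported". Assumes KRB5_CFLAGS was set earlier. Each probe
dnl calls the function with its expected argument list: an arity mismatch
dnl against a prototype is a hard compile error on every compiler, whereas a
dnl function-pointer type mismatch is often only a warning.
AC_DEFUN([SSS_KRB5_CANONICALIZE_PROTOTYPE],
[
    sss_save_CFLAGS="$CFLAGS"
    CFLAGS="$CFLAGS $KRB5_CFLAGS"
    AC_MSG_CHECKING([prototype of krb5_get_init_creds_opt_set_canonicalize])
    sss_canon_proto=unsupported

    dnl Heimdal: krb5_error_code f(krb5_context, krb5_get_init_creds_opt *, krb5_boolean)
    AC_COMPILE_IFELSE(
        [AC_LANG_PROGRAM([[#include <krb5.h>]],
            [[krb5_error_code ret;
              ret = krb5_get_init_creds_opt_set_canonicalize((krb5_context)0,
                        (krb5_get_init_creds_opt *)0, 1);
              (void)ret;]])],
        [sss_canon_proto=heimdal])

    dnl MIT: void f(krb5_get_init_creds_opt *, int)
    AS_IF([test "$sss_canon_proto" = unsupported],
        [AC_COMPILE_IFELSE(
            [AC_LANG_PROGRAM([[#include <krb5.h>]],
                [[krb5_get_init_creds_opt_set_canonicalize(
                        (krb5_get_init_creds_opt *)0, 1);]])],
            [sss_canon_proto=mit])])

    AC_MSG_RESULT([$sss_canon_proto])
    AS_CASE([$sss_canon_proto],
        [heimdal], [AC_DEFINE([HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_HEIMDAL], [1],
                              [canonicalize takes (context, opt, krb5_boolean)])],
        [mit], [AC_DEFINE([HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE_MIT], [1],
                          [canonicalize takes (opt, int)])])

    CFLAGS="$sss_save_CFLAGS"
])
```

If neither probe compiles, no macro is defined and the wrapper keeps its current 'unsupported' fallback, so an unknown Kerberos library still builds.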
On Thu, 2011-12-22 at 16:11 +0100, Jakub Hrozek wrote:
On Thu, Dec 22, 2011 at 07:59:39AM -0500, Stephen Gallagher wrote:
On Thu, 2011-12-22 at 11:46 +0100, lists wrote:
Thanks, I took a closer look and I think (hope) I fixed the warnings and errors.
Pushed to master
On Thu, 2011-12-22 at 10:38 -0500, Stephen Gallagher wrote:
On Thu, 2011-12-22 at 16:11 +0100, Jakub Hrozek wrote:
On Thu, Dec 22, 2011 at 07:59:39AM -0500, Stephen Gallagher wrote:
On Thu, 2011-12-22 at 11:46 +0100, lists wrote:
Pushed to master
Also pushed to sssd-1-7.
Stephen Gallagher wrote on 22.12.2011 13:59:
On Thu, 2011-12-22 at 11:46 +0100, lists wrote:
Here are my test results:
1) I was not able to change passwords. However, I do not think it is SSSD related. I was also not able to change passwords via kpasswd. I tried to set up a completely new realm but even then I could not change a password via kpasswd. So either I am doing something wrong or it is a bug in Heimdal. When changing passwords via SSSD, it sends out the same messages to the KDC as kpasswd does.
2) This is working.
3) This is not working. I am not able to log in when the cable is not connected, only when the cable is connected. I get a segfault message in the /var/log/messages file:
kernel: krb5_child[14373]: segfault at 0 ip 00007f9ad9655471 sp 00007fff8d12f2a8 error 4 in libc-2.13.so[7f9ad95d5000+182000]
I will send sssd logging via PM.
On Tue 2011-12-20 at 13:42 -0500, Stephen Gallagher wrote:
It's going to be difficult to test for us, however. Most of our development is done on Fedora, which has no standalone Heimdal package (this is because MIT kerberos and Heimdal cannot currently coexist on the same system because they conflict with some files (like libkrb5.so).
No, the so-versions are very different, so the runtime library won't conflict, but other files probably will, like man pages and anything in -devel.
/Alexander
On Fri 2011-12-23 at 21:53 +0100, Alexander Boström wrote:
Actually that's what you wrote. Oh well.
/Alexander
sssd-devel@lists.fedorahosted.org