experiences with auth_krb5, MIT Kerberos, Solaris
rra at stanford.edu
Mon Aug 25 20:39:38 UTC 2008
Todd Olson <tco2 at cornell.edu> writes:
> Since 2005 we were successfully using auth_krb5 with nnrpd on a Solaris
> 9 sparc system. Then in 2008 June we applied a bunch of Sun patches,
> that among other things replaced a bunch of Solaris' system libraries.
> At that point auth_krb5 failed with segfaults. Oddly the kerberos call
> was successfully made and response received. It was after that that the
> segfault occurred.
> Ultimately the solution was to update our MIT kerberos library from
> version 1.4 to version 1.6.3. Just recompiling the code that we had did
> not resolve the problem ... we had to get new code.
> We suspect that one of the updated Solaris libraries revealed a memory
> management problem in the MIT kerberos 1.4 library that was apparently
> fixed by at least v 1.6.3.
auth_krb5 is somewhat broken, btw, in that it doesn't call the correct
current Kerberos v5 interfaces. I haven't had a chance to fix it.
It's probably better to use PAM support if possible instead, since then
you can use the OS Kerberos PAM module, which is often better supported
and more actively developed (and has more options).
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
More information about the inn-workers