[16119] in Kerberos_V5_Development
Re: Fw: Kerberos MIT on Solaris
daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Aug 23 16:32:52 2010
Date: Mon, 23 Aug 2010 15:32:28 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <20100823203228.GD1880@sun.com>
Mail-Followup-To: "Douglas E. Engert" <deengert@anl.gov>, krbdev@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4C72D3C0.7040108@anl.gov>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, Aug 23, 2010 at 03:02:08PM -0500, Douglas E. Engert wrote:
>
>
> On 8/23/2010 2:33 PM, Will Fiveash wrote:
> > On Mon, Aug 23, 2010 at 09:35:08AM -0500, Douglas E. Engert wrote:
> >>
> >> On 8/22/2010 12:33 PM, vir vir wrote:
> >>> Hi Will,
> >>>
> >>>
> >>> On Salaris 9 can't find a library libkrb5.so
> >>>
> >>> On Salaris 10 I can't find a library libgssapi_krb5.so that has
> >>> gss_krb5_ccache_name,
> >>
> >> On Solaris 10, use something like:
> >> CPPFLAGS="-I/usr/include/kerberosv5"
> >> LDFLAGS="/usr/lib/gss/mech_krb5.so -R/usr/lib/gss"
> >
> > Note that linking this way is unsupported as there are a bunch of
> > private interfaces (functions) that could be changed without violating
> > the advertised stability level. At this point Solaris offers libgss
> > (Interface Stability == Committed), libsasl (Interface Stability ==
> > Committed) and libkrb5 (Interface Stability == Volatile) as supported
> > APIs to access krb security. Doing anything else is not supported and
> > has a greater risk of breaking with updates and new releases. See the
> > Interface Stability section of the attributes.5 man page for more
> > information on this topic.
>
> Understood. But if the existing application is using Kerberos APIs,
> and can not be converted to use GSS that is one of the risks one takes.
Well, libkrb5 is supported in Solaris 10, however (as noted),
Solaris libgss != MITKC libgssapi_krb5
in regards to interfaces. Really though, the point of libgss is to
insulate a caller from the specifics of security mech used. If the
caller needs to do krb specific things then it should link with libkrb5.
--
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
