[7467] in Kerberos
Re: don't expect Beta6 to work well on AIX4
daemon@ATHENA.MIT.EDU (Doug Engert)
Wed Jun 12 15:51:26 1996
Date: Wed, 12 Jun 1996 14:35:02 -0500
From: Doug Engert <DEEngert@anl.gov>
To: kerberos@MIT.EDU
In-Reply-To: <tsl91dt9479.fsf@tertius.mit.edu>
Sam Hartman writes:
>
> Looking over old messages, I realize that most of this
> happened on krb5-bugs and not here. So, most users are probably not
> aware that telnetd and rlogin (as compiled in Beta 6) do *not* work on
> AIX 4.1.4, and probably other AIX4 variants.
....
> Basically, under AIX4.1.4, the kernel panics generally while
> running login.krb5 or telnetd, crashing the system and producing a
> dump.
....
> Doug Engert worked on this problem and came up with an
> interim solution. If in the appl/bsd Makefile or Makefile.in, you
> arrange for the symbol DO_NOT_USE_K_LOGIN and USE_LOGIN_F to be
> defined, krlogind will work with the vendor-supplied /bin/login.
> Then, with a line in /etc/inetd.conf like the following, you might get
> it to work:
>
> eklogin stream tcp nowait root /krb5/sbin/klogind
> eklogin -5ec -L /usr/bin/login
>
> Note that the above two lines should be combined into one line
> in /etc/inetd.conf.
>
> Doug says that this works fine for him, but I recently managed
> to crash an AIX box even with this patch.
>
Sam is correct. I do have the Kerberos 5 beta 6 working on AIX 4.1.4
using the vendor's login. I too had the system crash in login.krb5
and have not gotten back to it.
I have added to the configure:
--with-cppopts='-DANL_DCE -DAFS524 -ULOGIN_PROGRAM -DDO_NOT_USE_K_LOGIN -DUSE_LOGIN_F '
The -ULOGIN_PROGRAM undefines the
-DLOGIN_PROGRAM=\"/krb5/sbin/login.krb5\" which is added in the
Makefile. This lets krlogind.c pick the name of the login program,
/bin/login for the AIX system. Using the -L option should also work.
The -DDO_NOT_USE_K_LOGIN and -DUSE_LOGIN_F tell krlogind.c to generate the
parameters for the AIX login as "-p -h rhostname -f lusername".
I have not tested telnet yet, but klogind appears to work well.
The inetd.conf has:
eklogin stream tcp nowait root /krb5/sbin/klogind klogind -kie
klogin stream tcp nowait root /krb5/sbin/klogind klogind -ki
-k says accept k5 or k4 (Still need to test the k4 on AIX)
-i is don't check the checksum, we have some 5.6 snapshot clients
still running which generate a different checksum.
-e encrypt.
Although K5b6 will run using a DCE security server without
modifications, now the -DANL_DCE and -DAFS524 are for two additional
changes, which allow the conversion of a forwarded K5 ticket into a
DCE context and/or an AFS token. This is done by having klogind exec a
k5dcelogin and/or a k5afslogin module which then exec the
/bin/login. The k5afslogin uses a modified aklog, and the krb524d
running on the DCE security server. (The k5dcelogin works on HPUX, but
not on AIX yet, a linking problem, the k5afslogin works on AIX.)
I will be sending in these additional mods soon.
When using DCE as the security server, add to the krb5.conf
in the [libdefaults] section: kdc_req_checksum_type = 2 and
ccache_type = 1
K5 beta 6 is looking very clean. Keep up the good work!
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
PGP Key fingerprint = 20 2B 0C 78 43 8A 9C A6 29 F7 A3 6D 5E 30 A6 7F
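
Added example, not part of the original message or of the Kerberos distribution: a small audit of inetd.conf text that reports, for each klogind entry, whether encryption is on, whether the checksum check is disabled, and whether Kerberos 4 is accepted. The flag meanings (-k, -i, -e, -L) are taken only from the message above; the sample input is constructed from the quoted entries, and any other flag letter is reported without interpretation.

```python
# Added example: flag meanings (-k, -i, -e, -L) come from the post only.
SAMPLE = """\
# constructed sample: the entries quoted in the post, one per line
eklogin stream tcp nowait root /krb5/sbin/klogind klogind -kie
klogin  stream tcp nowait root /krb5/sbin/klogind klogind -ki
eklogin stream tcp nowait root /krb5/sbin/klogind eklogin -5ec -L /usr/bin/login
"""

def parse_flags(args):
    """Split getopt-style args into (set of flag letters, -L value or None)."""
    letters, login = set(), None
    it = iter(args)
    for tok in it:
        if not tok.startswith("-") or tok == "-":
            continue
        for pos, ch in enumerate(tok[1:], start=1):
            if ch == "L":  # -L takes the login program path as its argument
                login = tok[pos + 1:] or next(it, None)
                break
            letters.add(ch)
    return letters, login

def audit_klogind(conf_text):
    """Return one finding dict per klogind entry in inetd.conf text."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        # inetd.conf fields: service, socket type, protocol, wait, user, server, argv...
        service, server, argv = fields[0], fields[5], fields[6:]
        if not server.endswith("/klogind"):
            continue
        letters, login = parse_flags(argv[1:])  # argv[0] is the program name
        findings.append({
            "line": lineno,
            "service": service,
            "encrypted": "e" in letters,            # -e: encrypt
            "checksum_checked": "i" not in letters,  # -i: don't check the checksum
            "accepts_k4": "k" in letters,            # -k: accept k5 or k4
            "login_program": login,
            "other_flags": sorted(letters - set("kie")),  # not described in the post
        })
    return findings

if __name__ == "__main__":
    for finding in audit_klogind(SAMPLE):
        print(finding)
```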