1 @value{PRODUCT} uses a configuration system built using the Free
2 Software Foundation's @samp{autoconf} program. This system makes
3 Kerberos V5 much simpler to build and reduces the amount of effort
4 required in porting Kerberos V5 to a new platform.
7 * Organization of the Source Directory:: Description of the source tree.
8 * Build Requirements:: How much disk space, etc. you need to
10 * Unpacking the Sources:: Preparing the source tree.
11 * Doing the Build:: Compiling Kerberos.
12 * Installing the Binaries:: Installing the compiled binaries.
13 * Testing the Build:: Making sure Kerberos built correctly.
14 * Options to Configure:: Command-line options to Configure
15 * osconf.h:: Header file-specific configurations
16 * Shared Library Support:: Building Shared Libraries for Kerberos V5
17 * OS Incompatibilities:: Special cases to watch for.
18 * Using Autoconf:: Modifying Kerberos V5's
19 configuration scripts.
22 @node Organization of the Source Directory, Build Requirements, Building Kerberos V5, Building Kerberos V5
23 @section Organization of the Source Directory
25 Below is a brief overview of the organization of the complete source
26 directory. More detailed descriptions follow.
30 applications with @value{PRODUCT} extensions
32 @value{PRODUCT} user programs
34 manpages for @value{PRODUCT} and the @value{PRODUCT} login program
38 administrative interface to the Kerberos master database
40 the @value{PRODUCT} Authentication Service and Key Distribution Center
42 utilities for converting between Kerberos 4 and Kerberos 5
44 libraries for use with/by @value{PRODUCT}
46 source code for building @value{PRODUCT} on MacOS
48 templates for source code files
50 utilities for propagating the database to slave KDCs
54 various utilities for building/configuring the code, sending bug reports, etc.
56 source code for building @value{PRODUCT} on Windows (see windows/README)
60 * The appl Directory::
61 * The clients Directory::
62 * The gen-manpages Directory::
63 * The include Directory::
64 * The kadmin Directory::
66 * The krb524 Directory::
68 * The prototype Directory::
69 * The slave Directory::
70 * The util Directory::
73 @node The appl Directory, The clients Directory, Organization of the Source Directory, Organization of the Source Directory
74 @subsection The appl Directory
76 The @i{appl} directory contains sample Kerberos application client and
77 server programs. In previous releases, it contained Kerberized versions
78 of remote access daemons, but those have now been moved to a separate
81 @node The clients Directory, The gen-manpages Directory, The appl Directory, Organization of the Source Directory
82 @subsection The clients Directory
84 This directory contains the code for several user-oriented programs.
88 This program destroys the user's active Kerberos authorization tickets.
89 @value{COMPANY} recommends that users @code{kdestroy} before logging out.
92 This program prompts users for their Kerberos principal name and password,
93 and attempts to get an initial ticket-granting-ticket for that principal.
96 This program lists the Kerberos principal and Kerberos tickets held in
97 a credentials cache, or the keys held in a keytab file.
100 This program changes a user's Kerberos password.
103 This program is a Kerberized version of the @code{su} program that is
104 meant to securely change the real and effective user ID to that of the
105 target user and to create a new security context.
108 This program acquires a service ticket for the specified Kerberos
109 principals and prints out the key version numbers of each.
112 @node The gen-manpages Directory, The include Directory, The clients Directory, Organization of the Source Directory
113 @subsection The gen-manpages Directory
115 There are two manual pages in this directory. One is an introduction
116 to the Kerberos system. The other describes the @code{.k5login} file
117 which allows users to give access with their UID to other users
118 authenticated by the Kerberos system.
120 @node The include Directory, The kadmin Directory, The gen-manpages Directory, Organization of the Source Directory
121 @subsection The include Directory
123 This directory contains the @i{include} files needed to build the
126 @node The kadmin Directory, The kdc Directory, The include Directory, Organization of the Source Directory
127 @subsection The kadmin Directory
129 In this directory is the code for the utilities @code{kadmin},
130 @code{kadmin.local}, @code{kdb5_util}, and @code{ktutil}.
131 @code{ktutil} is the Kerberos keytab file maintenance utility from
132 which a Kerberos administrator can read, write, or edit entries in a
133 Kerberos V5 keytab or Kerberos V4 srvtab. @code{kadmin} and
134 @code{kadmin.local} are command-line interfaces to the Kerberos V5 KADM5
135 administration system. @code{kadmin.local} runs on the master KDC and
136 does not use Kerberos to authenticate to the database, while
137 @code{kadmin} uses Kerberos authentication and an encrypted RPC. The
138 two provide identical functionalities, which allow administrators to
139 modify the database of Kerberos principals. @code{kdb5_util} allows
140 administrators to perform low-level maintenance procedures on Kerberos
141 and the KADM5 database. With this utility, databases can be created,
142 destroyed, or dumped to and loaded from ASCII files. It can also be
143 used to create master key stash files.
145 @node The kdc Directory, The krb524 Directory, The kadmin Directory, Organization of the Source Directory
146 @subsection The kdc Directory
148 This directory contains the code for the @code{krb5kdc} daemon, the
149 Kerberos Authentication Service and Key Distribution Center.
151 @node The krb524 Directory, The lib Directory, The kdc Directory, Organization of the Source Directory
152 @subsection The krb524 Directory
154 This directory contains the code for @code{krb524}, a service that
155 converts Kerberos V5 credentials into Kerberos V4 credentials suitable
156 for use with applications that for whatever reason do not use V5
159 @node The lib Directory, The prototype Directory, The krb524 Directory, Organization of the Source Directory
160 @subsection The lib Directory
162 The @i{lib} directory contain 10 subdirectories as well as some
163 definition and glue files. The @i{crypto} subdirectory contains the
164 Kerberos V5 encryption library. The @i{des425} subdirectory exports
165 the Kerberos V4 encryption API, and translates these functions into
166 calls to the Kerberos V5 encryption API. The @i{gssapi} library
167 contains the Generic Security Services API, which is a library of
168 commands to be used in secure client-server communication. The
169 @i{kadm5} directory contains the libraries for the KADM5 administration
170 utilities. The Kerberos 5 database libraries are contained in
171 @i{kdb}. The directories @i{krb4} and @i{krb5} contain the Kerberos 4
172 and Kerberos 5 APIs, respectively. The @i{rpc} directory contains the
173 API for the Kerberos Remote Procedure Call protocol.
175 @node The prototype Directory, The slave Directory, The lib Directory, Organization of the Source Directory
176 @subsection The prototype Directory
178 This directory contains several template files. The @code{prototype.h}
179 and @code{prototype.c} files contain the MIT copyright message and a
180 placeholder for the title and description of the file.
181 @code{prototype.h} also has a short template for writing @code{ifdef}
182 and @code{ifndef} preprocessor statements. The @code{getopt.c} file
183 provides a template for writing code that will parse the options with
184 which a program was called.
186 @node The slave Directory, The util Directory, The prototype Directory, Organization of the Source Directory
187 @subsection The slave Directory
189 This directory contains code which allows for the propagation of the
190 Kerberos principal database from the master KDC to slave KDCs over an
191 encrypted, secure channel. @code{kprop} is the program which actually
192 propagates the database dump file. @code{kpropd} is the Kerberos V5
193 slave KDC update server which accepts connections from the @code{kprop}
194 program. @code{kslave_update} is a script that takes the name of a
195 slave server, and propagates the database to that server if the
196 database has been modified since the last dump or if the database has
197 been dumped since the last propagation.
199 @node The util Directory, , The slave Directory, Organization of the Source Directory
200 @subsection The util Directory
202 This directory contains several utility programs and libraries. The
203 programs used to configure and build the code, such as @code{autoconf},
204 @code{lndir}, @code{kbuild}, @code{reconf}, and @code{makedepend},
205 are in this directory. The @i{profile} directory contains most of the
206 functions which parse the Kerberos configuration files (@code{krb5.conf}
207 and @code{kdc.conf}). Also in this directory are the Kerberos error table
208 library and utilities (@i{et}), the Sub-system library and utilities
209 (@i{ss}), database utilities (@i{db2}), pseudo-terminal utilities
210 (@i{pty}), bug-reporting program @code{send-pr}, and a generic
211 support library @code{support} used by several of our other libraries.
213 @node Build Requirements, Unpacking the Sources, Organization of the Source Directory, Building Kerberos V5
214 @section Build Requirements
216 In order to build Kerberos V5, you will need approximately 60-70
217 megabytes of disk space. The exact amount will vary depending on the
218 platform and whether the distribution is compiled with debugging symbol
221 Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, ``c89'').
222 Some operating systems do not have an ANSI C compiler, or their
223 default compiler requires extra command-line options to enable ANSI C
226 If you wish to keep a separate @dfn{build tree}, which contains the compiled
227 @file{*.o} file and executables, separate from your source tree, you
228 will need a @samp{make} program which supports @samp{VPATH}, or
229 you will need to use a tool such as @samp{lndir} to produce a symbolic
230 link tree for your build tree.
232 @c Library support...
234 @node Unpacking the Sources, Doing the Build, Build Requirements, Building Kerberos V5
235 @section Unpacking the Sources
237 The first step in each of these build procedures is to unpack the
238 source distribution. The Kerberos V5 distribution comes in a tar file,
239 generally named @file{krb5-@value{RELEASE}.tar}, which contains a
240 compressed tar file consisting of the sources for all of Kerberos
241 (generally @file{krb5-@value{RELEASE}.tar.gz}) and a PGP signature for
242 this source tree (generally @file{krb5-@value{RELEASE}.tar.gz.asc}).
243 @value{COMPANY} highly recommends that you verify the integrity of the
244 source code using this signature.
246 Unpack the compressed tar file in some directory, such as
247 @file{/u1/krb5-@value{RELEASE}}. (In the rest of this document, we
248 will assume that you have chosen to unpack the Kerberos V5 source
249 distribution in this directory. Note that the tarfiles will by default
250 all unpack into the @file{./krb5-@value{RELEASE}} directory, so that if
251 your current directory is @file{/u1} when you unpack the tarfiles, you
252 will get @file{/u1/krb5-@value{RELEASE}/src}, etc.)
255 @node Doing the Build, Installing the Binaries, Unpacking the Sources, Building Kerberos V5
256 @section Doing the Build
258 You have a number of different options in how to build Kerberos. If you
259 only need to build Kerberos for one platform, using a single directory
260 tree which contains both the source files and the object files is the
261 simplest. However, if you need to maintain Kerberos for a large number
262 of platforms, you will probably want to use separate build trees for
263 each platform. We recommend that you look at @ref{OS
264 Incompatibilities}, for notes that we have on particular operating
268 * Building Within a Single Tree::
269 * Building with Separate Build Directories::
270 * Building using lndir::
273 @node Building Within a Single Tree, Building with Separate Build Directories, Doing the Build, Doing the Build
274 @subsection Building Within a Single Tree
276 If you don't want separate build trees for each architecture, then
277 use the following abbreviated procedure.
281 @code{cd /u1/krb5-@value{RELEASE}/src}
290 @node Building with Separate Build Directories, Building using lndir, Building Within a Single Tree, Doing the Build
291 @subsection Building with Separate Build Directories
293 If you wish to keep separate build directories for each platform, you
294 can do so using the following procedure. (Note, this requires that your
295 @samp{make} program support @samp{VPATH}. GNU's make will provide this
296 functionality, for example.) If your @samp{make} program does not
297 support this, see the next section.
299 For example, if you wish to create a build directory for @code{pmax} binaries
300 you might use the following procedure:
304 @code{mkdir /u1/krb5-@value{RELEASE}/pmax}
306 @code{cd /u1/krb5-@value{RELEASE}/pmax}
308 @code{../src/configure}
313 @node Building using lndir, , Building with Separate Build Directories, Doing the Build
314 @subsection Building Using @samp{lndir}
316 If you wish to keep separate build directories for each platform, and
317 you do not have access to a @samp{make} program which supports @samp{VPATH},
318 all is not lost. You can use the @samp{lndir} program to create
319 symbolic link trees in your build directory.
321 For example, if you wish to create a build directory for solaris binaries
322 you might use the following procedure:
326 @code{mkdir /u1/krb5-@value{RELEASE}/solaris}
328 @code{cd /u1/krb5-@value{RELEASE}/solaris}
330 @code{/u1/krb5-@value{RELEASE}/src/util/lndir `pwd`/../src}
337 You must give an absolute pathname to @samp{lndir} because it has a bug that
338 makes it fail for relative pathnames. Note that this version differs
339 from the latest version as distributed and installed by the XConsortium
340 with X11R6. Either version should be acceptable.
342 @node Installing the Binaries, Testing the Build, Doing the Build, Building Kerberos V5
343 @section Installing the Binaries
345 Once you have built Kerberos, you should install the binaries. You
346 can do this by running:
352 If you want to install the binaries into a destination directory that
353 is not their final destination, which may be convenient if you want to
354 build a binary distribution to be deployed on multiple hosts, you may
358 % make install DESTDIR=/path/to/destdir
361 This will install the binaries under @code{DESTDIR/PREFIX}, e.g., the
362 user programs will install into @code{DESTDIR/PREFIX/bin}, the
363 libraries into @code{DESTDIR/PREFIX/lib}, etc.
365 Note that if you want to test the build (see @ref{Testing the Build}),
366 you usually do not need to do a @code{make install} first.
368 Some implementations of @samp{make} allow multiple commands to be run in
369 parallel, for faster builds. We test our Makefiles in parallel builds with
370 GNU @samp{make} only; they may not be compatible with other parallel build
373 @node Testing the Build, Options to Configure, Installing the Binaries, Building Kerberos V5
374 @section Testing the Build
376 The Kerberos V5 distribution comes with built-in regression tests. To
377 run them, simply type the following command while in the top-level build
378 directory (i.e., the directory where you sent typed @samp{make} to start
379 building Kerberos; see @ref{Doing the Build}.):
385 However, there are several prerequisites that must be satisfied first:
389 Configure and build Kerberos with Tcl support. Tcl is used to drive the
390 test suite. This often means passing @code{--with-tcl} to configure to
391 tell it the location of the Tcl configuration script. (See
392 @xref{Options to Configure}.)
395 On some operating systems, you have to run @samp{make install} before
396 running @samp{make check}, or the test suite will pick up installed
397 versions of Kerberos libraries rather than the newly built ones. You
398 can install into a prefix that isn't in the system library search path,
399 though. Alternatively, you can configure with @code{--disable-rpath},
400 which renders the build tree less suitable for installation, but allows
401 testing without interference from previously installed libraries.
404 In order to test the RPC layer, the local system has to be running the
405 @command{portmap} daemon and it has to be listening to the regular
406 network interface (not just localhost).
410 * The DejaGnu Tests::
414 @node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build
415 @subsection The DejaGnu Tests
417 Some of the built-in regression tests are setup to use the DejaGnu
418 framework for running tests. These tests tend to be more comprehensive
419 than the normal built-in tests as they setup test servers and test
420 client/server activities.
422 DejaGnu may be found wherever GNU software is archived.
424 @node The KADM5 Tests, , The DejaGnu Tests, Testing the Build
425 @subsection The KADM5 Tests
427 Regression tests for the KADM5 system, including the GSS-RPC, KADM5
428 client and server libraries, and kpasswd, are also included in this
429 release. Each set of KADM5 tests is contained in a sub-directory called
430 @code{unit-test} directly below the system being tested. For example,
431 lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all
432 based on DejaGnu (but they are not actually called part of "The DejaGnu
433 tests," whose naming predates the inclusion of the KADM5 system). In
434 addition, they require the Tool Command Language (TCL) header files and
435 libraries to be available during compilation and some of the tests also
436 require Perl in order to operate. If all of these resources are not
437 available during configuration, the KADM5 tests will not run. The TCL
438 installation directory can be specified with the @code{--with-tcl}
439 configure option. (See @xref{Options to Configure}.) The runtest and
440 perl programs must be in the current execution path.
442 If you install DejaGnu, TCL, or Perl after configuring and building
443 Kerberos and then want to run the KADM5 tests, you will need to
444 re-configure the tree and run @code{make} at the top level again to make
445 sure all the proper programs are built. To save time, you actually only
446 need to reconfigure and build in the directories src/kadmin/testing,
447 src/lib/rpc, src/lib/kadm5.
449 @node Options to Configure, osconf.h, Testing the Build, Building Kerberos V5
450 @section Options to Configure
452 There are a number of options to @samp{configure} which you can use to
453 control how the Kerberos distribution is built. The following table
454 lists the most commonly used options to Kerberos V5's @samp{configure}
461 Provides help to configure. This will list the set of commonly used
462 options for building Kerberos.
464 @item --prefix=PREFIX
466 By default, Kerberos will install the package's files rooted at
467 `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
468 desire a different location, use this option.
470 @item --exec-prefix=EXECPREFIX
472 This option allows one to separate the architecture independent programs
473 from the configuration files and manual pages.
475 @item --localstatedir=LOCALSTATEDIR
477 This option sets the directory for locally modifiable single-machine
478 data. In Kerberos, this mostly is useful for setting a location for the
479 KDC data files, as they will be installed in
480 @code{LOCALSTATEDIR/krb5kdc}, which is by default
481 @code{PREFIX/var/krb5kdc}.
485 Use @code{COMPILER} as the C compiler.
489 Use @code{FLAGS} as the default set of C compiler flags.
491 Note that if you use the native Ultrix compiler on a
492 DECstation you are likely to lose if you pass no flags to cc; md4.c
493 takes an estimated 3,469 billion years to compile if you provide neither
494 the @samp{-g} flag nor the @samp{-O} flag to @samp{cc}.
496 @item CPPFLAGS=CPPOPTS
498 Use @code{CPPOPTS} as the default set of C preprocessor flags. The most
499 common use of this option is to select certain @code{#define}'s for use
500 with the operating system's include files.
504 Use @code{LINKER} as the default loader if it should be different from C
505 compiler as specified above.
509 This option allows one to specify optional arguments to be passed to the
510 linker. This might be used to specify optional library paths.
514 This option enables Kerberos V4 backwards compatibility using the
515 builtin Kerberos V4 library.
517 @item --with-krb4=KRB4DIR
519 This option enables Kerberos V4 backwards compatibility using a
520 pre-existing Kerberos V4 installation. The directory specified by
521 @code{KRB4DIR} specifies where the V4 header files should be found
522 (@file{KRB4DIR/include}) as well as where the V4 Kerberos library should
523 be found (@file{KRB4DIR/lib}).
527 Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
528 clients from using the V5 services including the KDC. This would be
529 useful if you know you will never install or need to interact with V4
532 @item --with-netlib[=libs]
534 Allows for suppression of or replacement of network libraries. By
535 default, Kerberos V5 configuration will look for @code{-lnsl} and
536 @code{-lsocket}. If your operating system has a broken resolver library
537 (see @ref{Solaris versions 2.0 through 2.3}) or fails to pass the tests in
538 @file{src/tests/resolv} you will need to use this option.
540 @item --with-tcl=TCLPATH
542 Some of the unit-tests in the build tree rely upon using a program in
543 Tcl. The directory specified by @code{TCLPATH} specifies where the Tcl
544 header file (@file{TCLPATH/include/tcl.h} as well as where the Tcl
545 library should be found (@file{TCLPATH/lib}).
547 @item --enable-shared
549 This option will turn on the building and use of shared library objects
550 in the Kerberos build. This option is only supported on certain
554 @item --enable-dns-for-kdc
555 @item --enable-dns-for-realm
557 Enable the use of DNS to look up a host's Kerberos realm, or a realm's
558 KDCs, if the information is not provided in krb5.conf. See @ref{Hostnames
559 for the Master and Slave KDCs} for information about using DNS to
560 locate the KDCs, and @ref{Mapping Hostnames onto Kerberos Realms} for
561 information about using DNS to determine the default realm. By default,
562 DNS lookups are enabled for the former but not for the latter.
564 @item --disable-kdc-lookaside-cache
566 Disables the cache in the KDC which detects retransmitted client
567 requests and resends the previous responses to them.
569 @item --with-system-et
571 Use an installed version of the error-table support software, the
572 @samp{compile_et} program, the @file{com_err.h} header file and the
573 @file{com_err} library. If these are not in the default locations,
574 you may wish to specify @code{CPPFLAGS=-I/some/dir} and
575 @code{LDFLAGS=-L/some/other/dir} options at configuration time as
578 If this option is not given, a version supplied with the Kerberos
579 sources will be built and installed along with the rest of the
580 Kerberos tree, for Kerberos applications to link against.
582 @item --with-system-ss
584 Use an installed version of the subsystem command-line interface
585 software, the @samp{mk_cmds} program, the @file{ss/ss.h} header file
586 and the @file{ss} library. If these are not in the default locations,
587 you may wish to specify @code{CPPFLAGS=-I/some/dir} and
588 @code{LDFLAGS=-L/some/other/dir} options at configuration time as
589 well. See also the @samp{SS_LIB} option.
591 If this option is not given, the @file{ss} library supplied with the
592 Kerberos sources will be compiled and linked into those programs that
593 need it; it will not be installed separately.
597 If @samp{-lss} is not the correct way to link in your installed
598 @file{ss} library, for example if additional support libraries are
599 needed, specify the correct link options here. Some variants of this
600 library are around which allow for Emacs-like line editing, but
601 different versions require different support libraries to be
602 explicitly specified.
604 This option is ignored if @samp{--with-system-ss} is not specified.
606 @item --with-system-db
608 Use an installed version of the Berkeley DB package, which must
609 provide an API compatible with version 1.85. This option is
610 @emph{unsupported} and untested. In particular, we do not know if the
611 database-rename code used in the dumpfile load operation will behave
614 If this option is not given, a version supplied with the Kerberos
615 sources will be built and installed. (We are not updating this
616 version at this time because of licensing issues with newer versions
617 that we haven't investigated sufficiently yet.)
619 @item DB_HEADER=headername.h
621 If @samp{db.h} is not the correct header file to include to compile
622 against the Berkeley DB 1.85 API, specify the correct header file name
623 with this option. For example, @samp{DB_HEADER=db3/db_185.h}.
627 If @samp{-ldb} is not the correct library specification for the
628 Berkeley DB library version to be used, override it with this option.
629 For example, @samp{DB_LIB=-ldb-3.3}.
631 @item --with-crypto-impl=IMPL
633 Use specified crypto implementation in lieu of the default builtin.
634 Currently only one alternative crypto-system openssl is available and
635 it requires version 1.0.0 or higher of OpenSSL.
639 For example, in order to configure Kerberos on a Solaris machine using
640 the @samp{suncc} compiler with the optimizer turned on, run the configure
641 script with the following options:
644 % ./configure CC=suncc CFLAGS=-O
647 For a slightly more complicated example, consider a system where
648 several packages to be used by Kerberos are installed in
649 @samp{/usr/foobar}, including Berkeley DB 3.3, and an @samp{ss}
650 library that needs to link against the @samp{curses} library. The
651 configuration of Kerberos might be done thus:
654 % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
655 --with-system-et --with-system-ss --with-system-db \
656 SS_LIB='-lss -lcurses' \
657 DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
660 In previous releases, @code{--with-} options were used to specify the
661 compiler and linker and their options.
663 @node osconf.h, Shared Library Support, Options to Configure, Building Kerberos V5
664 @section @file{osconf.h}
666 There is one configuration file which you may wish to edit to control
667 various compile-time parameters in the Kerberos distribution:
668 @file{include/stock/osconf.h}. The list that follows is by no means
669 complete, just some of the more interesting variables.
671 Please note: The former configuration file @file{config.h} no longer
672 exists as its functionality has been merged into the auto-configuration
673 process. @xref{Options to Configure}.
678 @item DEFAULT_PROFILE_PATH
680 The pathname to the file which contains the profiles for the known realms,
681 their KDCs, etc. The default value is @value{DefaultDefaultProfilePath}.
683 The profile file format is no longer the same format as Kerberos V4's
684 @file{krb.conf} file.
686 @item DEFAULT_KEYTAB_NAME
688 The type and pathname to the default server keytab file (the
689 equivalent of Kerberos V4's @file{/etc/srvtab}). The default is
690 @value{DefaultDefaultKeytabName}.
692 @item DEFAULT_KDC_ENCTYPE
694 The default encryption type for the KDC. The default value is
695 @value{DefaultMasterKeyType}.
699 The name of the replay cache used by the KDC. The default value is
700 @value{DefaultKDCRCache}.
704 The directory which stores replay caches. The default is to try
705 @value{DefaultRCTmpDirs}.
707 @item DEFAULT_KDB_FILE
709 The location of the default database. The default value is
710 @value{DefaultDatabaseName}.
714 @node Shared Library Support, OS Incompatibilities, osconf.h, Building Kerberos V5
715 @section Shared Library Support
717 Shared library support is provided for a few operating systems. There
718 are restrictions as to which compiler to use when using shared
719 libraries. In all cases, executables linked with the shared libraries in
720 this build process will have built in the location of the libraries,
721 therefore obliterating the need for special LD_LIBRARY_PATH, et al environment
722 variables when using the programs. Except where noted, multiple versions
723 of the libraries may be installed on the same system and continue to
726 Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS
727 5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows
730 Shared library support has been tested on the following platforms but
731 not exhaustively (they have been built but not necessarily tested in an
732 installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and
735 Platforms for which there is shared library support but not significant
736 testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x
739 To enable shared libraries on the above platforms, run the configure
740 script with the option @samp{--enable-shared}.
744 XXX What does this mean?
746 One special note is that if the Kerberos V4 compatibility is compiled
747 in, you @b{must not} specify an alternate Kerberos V4 library from the
748 one in the tree or you will be missing references.
752 @node OS Incompatibilities, Using Autoconf, Shared Library Support, Building Kerberos V5
753 @section Operating System Incompatibilities
755 This section details operating system incompatibilities with Kerberos V5
756 which have been reported to the developers at MIT. If you find
757 additional incompatibilities, and/or discover workarounds to such
758 problems, please send a report via the @code{krb5-send-pr} program.
768 * Solaris versions 2.0 through 2.3::
775 @node AIX, Alpha OSF/1 V1.3, OS Incompatibilities, OS Incompatibilities
778 The AIX 3.2.5 linker dumps core trying to build a shared
779 @samp{libkrb5.a} produced with the GNU C compiler. The native AIX
780 compiler works fine. This problem is fixed using the AIX 4.1 linker.
782 @node Alpha OSF/1 V1.3, Alpha OSF/1 V2.0, AIX, OS Incompatibilities
783 @subsection Alpha OSF/1 V1.3
785 Using the native compiler, compiling with the @samp{-O} compiler flag
786 causes the @code{asn.1} library to be compiled incorrectly.
788 Using GCC version 2.6.3 or later instead of the native compiler will also work
789 fine, both with or without optimization.
791 @node Alpha OSF/1 V2.0, Alpha OSF/1 V4.0, Alpha OSF/1 V1.3, OS Incompatibilities
792 @subsection Alpha OSF/1 V2.0
794 There used to be a bug when using the native compiler in compiling
795 @file{md4.c} when compiled without either the @samp{-O} or @samp{-g}
796 compiler options. We have changed the code and there is no problem
797 under V2.1, but we do not have access to V2.0 to test and see if the
798 problem would exist there. (We welcome feedback on this issue). There
799 was never a problem in using GCC version 2.6.3.
801 In version 3.2 and beyond of the operating system, we have not seen
802 this sort of problem with the native compiler.
804 @node Alpha OSF/1 V4.0, BSDI, Alpha OSF/1 V2.0, OS Incompatibilities
805 @subsection Alpha OSF/1 (Digital UNIX) V4.0
807 The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)
808 defaults to an extended K&R C mode, not ANSI C. You need to provide
809 the @samp{-std} argument to the compiler (i.e., @samp{./configure
810 CC='cc -std'}) to enable extended ANSI C mode. More recent versions
811 of the operating system, such as 5.0, seem to have C compilers which
812 default to @samp{-std}.
814 @c @node Alpha Tru64 UNIX 5.0
815 @c @subsection Alpha Tru64 UNIX 5.0
816 @c ... login.krb5 problems
818 @node BSDI, HPUX, Alpha OSF/1 V4.0, OS Incompatibilities
821 BSDI versions 1.0 and 1.1 reportedly has a bad @samp{sed} which causes
822 it to go into an infinite loop during the build. The work around is
823 to use a @samp{sed} from somewhere else, such as GNU. (This may be
824 true for some versions of other systems derived from BSD 4.4, such as
827 @node HPUX, Solaris versions 2.0 through 2.3, BSDI, OS Incompatibilities
830 The native (bundled) compiler for HPUX currently will not work,
831 because it is not a full ANSI C compiler. The optional ANSI C
832 compiler should work as long as you give it the @samp{-Ae} flag
833 (i.e. @samp{./configure CC='cc -Ae'}). This is equivalent to
834 @samp{./configure CC='c89 -D_HPUX_SOURCE'}, which was the previous
835 recommendation. This has only been tested recently for HPUX 10.20.
837 You will need to configure with @samp{--disable-shared
838 --enable-static}, because as of 1.4 we don't have support for HPUX
839 shared library finalization routines, nor the option (yet) to ignore
840 that lack of support (which means repeated
841 @code{dlopen}/@code{dlclose} cycles on the Kerberos libraries may not
842 be safe) and build the shared libraries anyways.
844 You will also need to configure the build tree with
845 @samp{--disable-thread-support} if you are on HPUX 10 and do not have
846 the DCE development package installed, because that's where the
847 @code{pthread.h} header file is found. (We don't know if our code
848 will work with such a package installed, because according to some HP
849 documentation, their @code{pthread.h} has to be included before any
850 other header files, and our code doesn't do that.)
852 If you use GCC, it may work, but some versions of GCC have omitted
853 certain important preprocessor defines, like @code{__STDC_EXT__} and
856 @node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
857 @subsection Solaris versions 2.0 through 2.3
859 The @code{gethostbyname()} routine is broken; it does not return a fully
860 qualified domain name, even if you are using the Domain Name Service
861 routines. Since Kerberos V5 uses the fully qualified domain name as the
862 second component of a service principal (i.e,
863 @samp{host/tsx-11.mit.edu@@ATHENA.MIT.EDU}), this causes problems for servers
864 who try to figure out their own fully qualified domain name.
871 Supply your own resolver library. (such as bind-4.9.3pl1 available
875 Upgrade to Solaris 2.4
878 Make sure your /etc/nsswitch.conf has `files' before `dns' like:
884 and then in /etc/hosts, make sure there is a line with your
885 workstation's IP address and hostname, with the fully qualified domain
889 18.172.1.4 dcl.mit.edu dcl
892 Note that making this change may cause other programs in your
893 environment to break or behave differently.
897 @node Solaris 2.X, Solaris 9, Solaris versions 2.0 through 2.3, OS Incompatibilities
898 @subsection Solaris 2.X
900 You @b{must} compile Kerberos V5 without the UCB compatibility
901 libraries. This means that @file{/usr/ucblib} must not be in the
902 LD_LIBRARY_PATH environment variable when you compile it. Alternatively
903 you can use the @code{-i} option to @samp{cc}, by using the specifying
904 @code{CFLAGS=-i} option to @samp{configure}.
906 If you are compiling for a 64-bit execution environment, you may need
907 to configure with the option @code{CFLAGS="-D_XOPEN_SOURCE=500
908 -D__EXTENSIONS__"}. This is not well tested; at MIT we work primarily
909 with the 32-bit execution environment.
911 @node Solaris 9, SGI Irix 5.X, Solaris 2.X, OS Incompatibilities
912 @subsection Solaris 9
914 Solaris 9 has a kernel race condition which causes the final output
915 written to the slave side of a pty to be lost upon the final close()
916 of the slave device. This causes the dejagnu-based tests to fail
917 intermittently. A workaround exists, but requires some help from the
918 scheduler, and the ``make check'' must be executed from a shell with
919 elevated priority limits.
923 @code{priocntl -s -c FX -m 30 -p 30 -i pid nnnn}
925 as root, where @code{nnnn} is the pid of the shell whose priority
926 limit you wish to raise.
928 Sun has released kernel patches for this race condition. Apply patch
929 117171-11 for sparc, or patch 117172-11 for x86. Later revisions of
930 the patches should also work. It is not necessary to run ``make
931 check'' from a shell with elevated priority limits once the patch has
934 @node SGI Irix 5.X, Ultrix 4.2/3, Solaris 9, OS Incompatibilities
935 @subsection SGI Irix 5.X
937 If you are building in a tree separate from the source tree, the vendors
938 version of make does not work properly with regards to
939 @samp{VPATH}. It also has problems with standard inference rules in 5.2
940 (not tested yet in 5.3) so one needs to use GNU's make.
942 Under 5.2, there is a bug in the optional System V @code{-lsocket}
943 library in which the routine @code{gethostbyname()} is broken. The
944 system supplied version in @code{-lc} appears to work though so one may
945 simply specify @code{--with-netlib} option to @samp{configure}.
947 In 5.3, @code{gethostbyname()} is no longer present in @code{-lsocket} and
948 is no longer an issue.
950 @node Ultrix 4.2/3, , SGI Irix 5.X, OS Incompatibilities
951 @subsection Ultrix 4.2/3
953 The DEC MIPS platform currently will not support the native compiler,
954 since the Ultrix compiler is not a full ANSI C compiler. You should use
959 On the DEC MIPS platform, using the native compiler, @file{md4.c} and
960 @file{md5.c} can not be compiled with the optimizer set at level 1.
961 That is, you must specify either @samp{CFLAGS=-O} and
962 @samp{CFLAGS=-g} to configure. If you don't specify either, the
963 compile will never complete.
965 The optimizer isn't hung; it just takes an exponentially long time.
966 Compiling 6 out of the 48 algorithmic steps takes 3 seconds; compiling 7
967 steps takes 9 seconds; compiling 8 steps takes 27 seconds, and so on.
968 Calculations estimate it will finish in approximately 3,469 billion
971 Using GCC instead of the native compiler will also work fine, both with
972 or without optimization.
976 @node Using Autoconf, , OS Incompatibilities, Building Kerberos V5
977 @section Using @samp{Autoconf}
979 (If you are not a developer, you can skip this section.)
981 In most of the Kerberos V5 source directories, there is a
982 @file{configure} script which automatically determines the compilation
983 environment and creates the proper Makefiles for a particular
984 platform. These @file{configure} files are generated using
985 @samp{autoconf}, which can be found in the @file{src/util/autoconf}
986 directory in the distribution.
988 Normal users will not need to worry about running @samp{autoconf}; the
989 distribution comes with the @file{configure} files already prebuilt.
990 Developers who wish to modify the @file{configure.in} files should see
991 @ref{Top, , Overview, autoconf, The Autoconf Manual}.
993 Note that in order to run @samp{autoconf}, you must have GNU @samp{m4}
994 in your path. Before you use the @samp{autoconf} in the Kerberos V5
995 source tree, you may also need to run @samp{configure}, and then run
996 @samp{make} in the @file{src/util/autoconf} directory in order to
997 properly set up @samp{autoconf}.
999 One tool which is provided for the convenience of developers can be
1000 found in @file{src/util/reconf}. This program should be run while the
1001 current directory is the top source directory. It will automatically
1002 rebuild any @file{configure} files which need rebuilding. If you know
1003 that you have made a change that will require that all the
1004 @file{configure} files need to be rebuilt from scratch, specify the
1005 @code{--force} option:
1008 % cd /u1/krb5-@value{RELEASE}/src
1009 % ./util/reconf --force
1012 The developmental sources are a raw source tree (before it's been packaged
1013 for public release), without the pre-built @file{configure} files.
1014 In order to build from such a source tree, you must do:
1017 % cd krb5/util/autoconf
1024 Then follow the instructions for building packaged source trees (above).
1025 To install the binaries into a binary tree, do:
1028 % cd /u1/krb5-@value{RELEASE}/src
1030 % make install DESTDIR=somewhere-else