1 Starting with the Beta 4 distribution, we are using a new configuration
2 system, which was built using the Free Software Foundation's
3 @samp{autoconf} program. This system will hopefully make Kerberos V5
4 much simpler to build and reduce the amount of effort required in
5 porting Kerberos V5 to a new platform.
8 * Build Requirements:: How much disk space, etc. you need to
10 * Unpacking the Sources:: Preparing the source tree.
11 * Doing the Build:: Compiling Kerberos.
12 * Testing the Build:: Making sure Kerberos built correctly.
13 * Options to Configure:: Command-line options to Configure
14 * osconf.h:: Header file-specific configurations
15 * Shared Library Support:: Building Shared Libraries for Kerberos V5
16 * OS Incompatibilities:: Special cases to watch for.
17 * Using Autoconf:: Modifying Kerberos V5's
18 configuration scripts.
21 @node Build Requirements, Unpacking the Sources, Building Kerberos V5, Building Kerberos V5
22 @section Build Requirements
24 In order to build Kerberos V5, you will need approximately 60-70
25 megabytes of disk space. The exact amount will vary depending on the
26 platform and whether the distribution is compiled with debugging symbol
29 If you wish to keep a separate @dfn{build tree}, which contains the compiled
30 @file{*.o} file and executables, separate from your source tree, you
31 will need a @samp{make} program which supports @samp{VPATH}, or
32 you will need to use a tool such as @samp{lndir} to produce a symbolic
33 link tree for your build tree.
35 @node Unpacking the Sources, Doing the Build, Build Requirements, Building Kerberos V5
36 @section Unpacking the Sources
38 The first step in each of these build procedures is to unpack the source
39 distribution. The Kerberos V5 distribution comes in two compressed tar
40 files. The first file, which is generally named
41 @file{krb5-1.0.src.tar.gz}, contains the sources for all of Kerberos
42 except for the crypto library, which is found in the file
43 @file{krb5-1.0.crypto.tar.gz}.
45 Both files should be unpacked in the same directory, such as
46 @file{/u1/krb5-1.0}. (In the rest of this document, we will assume that
47 you have chosen to unpack the Kerberos V5 source distribution in this
48 directory. Note that the tarfiles will by default all unpack into the
49 @file{./krb5-1.0} directory, so that if your current directory is
50 @file{/u1} when you unpack the tarfiles, you will get
51 @file{/u1/krb5-1.0/src}, etc.)
54 @node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5
55 @section Doing the Build
57 You have a number of different options in how to build Kerberos. If you
58 only need to build Kerberos for one platform, using a single directory
59 tree which contains both the source files and the object files is the
60 simplest. However, if you need to maintain Kerberos for a large number
61 of platforms, you will probably want to use separate build trees for
62 each platform. We recommend that you look at see @ref{OS
63 Incompatibilities} for notes that we have on particular operating
67 * Building Within a Single Tree::
68 * Building with Separate Build Directories::
69 * Building using lndir::
72 @node Building Within a Single Tree, Building with Separate Build Directories, Doing the Build, Doing the Build
73 @subsection Building Within a Single Tree
75 If you don't want separate build trees for each architecture, then
76 use the following abbreviated procedure.
80 @code{cd /u1/krb5-1.0/src}
89 @node Building with Separate Build Directories, Building using lndir, Building Within a Single Tree, Doing the Build
90 @subsection Building with Separate Build Directories
92 If you wish to keep separate build directories for each platform, you
93 can do so using the following procedure. (Note, this requires that your
94 @samp{make} program support @samp{VPATH}. GNU's make will provide this
95 functionality, for example.) If your @samp{make} program does not
96 support this, see the next section.
98 For example, if you wish to create a build directory for @code{pmax} binaries
99 you might use the following procedure:
103 @code{mkdir /u1/krb5-1.0/pmax}
105 @code{cd /u1/krb5-1.0/pmax}
107 @code{../src/configure}
112 @node Building using lndir, , Building with Separate Build Directories, Doing the Build
113 @subsection Building Using @samp{lndir}
115 If you wish to keep separate build directories for each platform, and
116 you do not have access to a @samp{make} program which supports @samp{VPATH},
117 all is not lost. You can use the @samp{lndir} program to create
118 symbolic link trees in your build directory.
120 For example, if you wish to create a build directory for solaris binaries
121 you might use the following procedure:
125 @code{mkdir /u1/krb5-1.0/solaris}
127 @code{cd /u1/krb5-1.0/solaris}
129 @code{/u1/krb5-1.0/src/util/lndir `pwd`/../src}
136 You must give an absolute pathname to @samp{lndir} because it has a bug that
137 makes it fail for relative pathnames. Note that this version differs
138 from the latest version as distributed and installed by the XConsortium
139 with X11R6. Either version should be acceptable.
141 @node Testing the Build, Options to Configure, Doing the Build, Building Kerberos V5
142 @section Testing the Build
144 The Kerberos V5 distribution comes with built-in regression tests. To
145 run them, simply type the following command while in the top-level build
146 directory (i.e., the directory where you sent typed @samp{make} to start
147 building Kerberos; see @ref{Doing the Build}.):
154 * The DejaGnu Tests::
158 @node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build
159 @subsection The DejaGnu Tests
161 Some of the built-in regression tests are setup to use the DejaGnu
162 framework for running tests. These tests tend to be more comprehensive
163 than the normal built-in tests as they setup test servers and test
164 client/server activities.
166 DejaGnu may be found wherever GNU software is archived.
168 Most of the tests are setup to run as a non-privledged user. For some
169 of the krb-root tests to work properly, either (a) the user running the
170 tests must not have a .k5login file in the home directory or (b) the
171 .k5login file must contain an entry for @code{<username>@@KRBTEST.COM}.
172 There are two series of tests (@samp{rlogind} and @samp{telnetd}) which
173 require the ability to @samp{rlogin} as root to the local
174 machine. Admittedly, this does require the use of a @file{.rhosts} file
175 or some authenticated means. @footnote{If you are fortunate enough to
176 have a previous version of Kerberos V5 or V4 installed, and the Kerberos
177 rlogin is first in your path, you can setup @file{.k5login} or
178 @file{.klogin} respectively to allow you access.}
180 If you cannot obtain root access to your machine, all the other tests
181 will still run. Note however, with DejaGnu 1.2, the "untested testcases"
182 will cause the testsuite to exit with a non-zero exit status which
183 @samp{make} will consider a failure of the testing process. Do not worry
184 about this, as these tests are the last run when @samp{make check} is
185 executed from the top level of the build tree. This problem does not
186 exist with DejaGnu 1.3.
188 @node The KADM5 Tests, , The DejaGnu Tests, Testing the Build
189 @subsection The KADM5 Tests
191 Regression tests for the KADM5 system, including the GSS-RPC, KADM5
192 client and server libraries, and kpasswd, are also included in this
193 release. Each set of KADM5 tests is contained in a sub-directory called
194 @code{unit-test} directly below the system being tested. For example,
195 lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all
196 based on DejaGnu (but they are not actually called part of "The DejaGnu
197 tests," whose naming predates the inclusion of the KADM5 system). In
198 addition, they require the Tool Command Language (TCL) header files and
199 libraries to be available during compilation and some of the tests also
200 require Perl in order to operate. If all of these resources are not
201 available during configuration, the KADM5 tests will not run. The TCL
202 installation directory can be specified with the @code{--with-tcl}
203 configure option (see @xref{Options to Configure}). The runtest and
204 perl programs must be in the current execution path.
206 If you install DejaGnu, TCL, or Perl after configuring and building
207 Kerberos and then want to run the KADM5 tests, you will need to
208 re-configure the tree and run @code{make} at the top level again to make
209 sure all the proper programs are built. To save time, you actually only
210 need to reconfigure and build in the directories src/kadmin/testing,
211 src/lib/rpc, src/lib/kadm5, and src/kpasswd.
213 @node Options to Configure, osconf.h, Testing the Build, Building Kerberos V5
214 @section Options to Configure
216 There are a number of options to @samp{configure} which you can use to
217 control how the Kerberos distribution is built. The following table
218 lists the most commonly used options to Kerberos V5's @samp{configure}
225 Provides help to configure. This will list the set of commonly used
226 options for building Kerberos.
228 @item --prefix=PREFIX
230 By default, Kerberos will install the package's files rooted at
231 `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
232 desire a different location, use this option.
234 @item --exec-prefix=EXECPREFIX
236 This option allows one to separate the architecture independent programs
237 from the configuration files and manual pages.
239 @item --localstatedir=LOCALSTATEDIR
241 This option sets the directory for locally modifiable single-machine
242 data. In Kerberos, this mostly is useful for setting a location for the
243 KDC data files, as they will be installed in
244 @code{LOCALSTATEDIR/krb5kdc}, which is by default
245 @code{PREFIX/var/krb5kdc}.
247 @item --with-cc=COMPILER
249 Use @code{COMPILER} as the C compiler.
251 @item --with-ccopts=FLAGS
253 Use @code{FLAGS} as the default set of C compiler flags.
255 Note that if you use the native Ultrix compiler on a
256 DECstation you are likely to lose if you pass no flags to cc; md4.c
257 takes an estimated 3,469 billion years to compile if you provide neither
258 the @samp{-g} flag nor the @samp{-O} flag to @samp{cc}.
260 @item --with-cppopts=CPPOPTS
262 Use @code{CPPOPTS} as the default set of C preprocessor flags. The most
263 common use of this option is to select certain @code{#define}'s for use
264 with the operating system's include files.
266 @item --with-linker=LINKER
268 Use @code{LINKER} as the default loader if it should be different from C
269 compiler as specified above.
271 @item --with-ldopts=LDOPTS
273 This option allows one to specify optional arguments to be passed to the
274 linker. This might be used to specify optional library paths.
278 This option enables Kerberos V4 backwards compatibility using the
279 builtin Kerberos V4 library.
281 @item --with-krb4=KRB4DIR
283 This option enables Kerberos V4 backwards compatibility using a
284 pre-existing Kerberos V4 installation. The directory specified by
285 @code{KRB4DIR} specifies where the V4 header files should be found
286 (@file{KRB4DIR/include}) as well as where the V4 Kerberos library should
287 be found (@file{KRB4DIR/lib}).
291 Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
292 clients from using the V5 services including the KDC. This would be
293 useful if you know you will never install or need to interact with V4
296 @item --with-netlib[=libs]
298 Allows for suppression of or replacement of network libraries. By
299 default, Kerberos V5 configuration will look for @code{-lnsl} and
300 @code{-lsocket}. If your operating system has a broken resolver library
301 (see @ref{Solaris versions 2.0 through 2.3}) or fails to pass the tests in
302 @file{src/tests/resolv} you will need to use this option.
304 @item --enable-shared
306 This option will turn on the building and use of shared library objects
307 in the Kerberos build. This option is only supported on certain
310 @item --with-vague-errors
312 If enabled, gives vague and unhelpful error messages to the client... er,
313 attacker. (Needed to meet silly government regulations; most other
314 sites will want to keep this undefined.)
316 @item --with-kdc-kdb-update
318 Set this option if you want to allow the KDC to modify the Kerberos
319 database; this allows the last request information to be updated, as
320 well as the failure count information. Note that this doesn't work if
321 you're using slave servers!!! It also causes the database to be
322 modified (and thus needing to be locked) frequently. Please note that
323 the implementors do not regularly test this feature.
325 @item --with-tcl=TCLPATH
327 Some of the unit-tests in the build tree rely upon using a program in
328 Tcl. The directory specified by @code{TCLPATH} specifies where the Tcl
329 header file (@file{TCLPATH/include/tcl.h} as well as where the Tcl
330 library should be found (@file{TCLPATH/lib}).
334 For example, in order to configure Kerberos on a Solaris machine using
335 the @samp{suncc} with the optimizer turned on, run the configure
336 script with the following options:
339 % ./configure --with-cc=suncc --with-ccopts=-O
342 @node osconf.h, Shared Library Support, Options to Configure, Building Kerberos V5
343 @section @file{osconf.h}
345 There is one configuration file which you may wish to edit to control
346 various compile-time parameters in the Kerberos distribution:
347 @file{include/krb5/stock/osconf.h}. The list that follows is by no means
348 complete, just some of the more interesting variables.
350 Please note: The former configuration file @file{config.h} no longer
351 exists as its functionality has been merged into the auto-configuration
352 process. @xref{Options to Configure}.
357 @item DEFAULT_PROFILE_PATH
359 The pathname to the file which contains the profiles for the known
360 realms, their KDCs, etc.
362 The profile file format is no longer the same format as Kerberos V4's
363 @file{krb.conf} file.
365 @item DEFAULT_KEYTAB_NAME
367 The type and pathname to the default server keytab file (the equivalent
368 of Kerberos V4's @file{/etc/srvtab}).
370 @item DEFAULT_KDC_ENCTYPE
372 The default encryption type for the KDC.
376 The name of the replay cache used by the KDC.
380 The directory which stores replay caches.
382 @item DEFAULT_KDB_FILE
384 The location of the default database
388 @node Shared Library Support, OS Incompatibilities, osconf.h, Building Kerberos V5
389 @section Shared Library Support
391 Shared library support is provided for a few operating systems. There
392 are restrictions as to which compiler to use when using shared
393 libraries. In all cases, executables linked with the shared libraries in
394 this build process will have built in the location of the libraries,
395 therefore obliterating the need for special LD_LIBRARY_PATH, et al environment
396 variables when using the programs. Except where noted, multiple versions
397 of the libraries may be installed on the same system and continue to
400 Currently the supported platforms are: NetBSD 1.0A, AIX 3.2.5, AIX 4.1,
401 Solaris 2.4 (aka SunOS 5.4), Alpha OSF/1 >= 2.1, HP-UX >= 9.X.
403 To enable shared libraries on the above platforms, run the configure
404 script with the option @samp{--enable-shared}.
408 XXX What does this mean?
410 One special note is that if the Kerberos V4 compatibility is compiled
411 in, you @b{must not} specify an alternate Kerberos V4 library from the
412 one in the tree or you will be missing references.
416 @node OS Incompatibilities, Using Autoconf, Shared Library Support, Building Kerberos V5
417 @section Operating System Incompatibilities
419 This section details operating system incompatibilities with Kerberos V5
420 which have been reported to the developers at MIT. If you find
421 additional incompatibilities, and/or discover work arounds to such
422 problems, please send a report via the @code{krb5-send-pr} program.
428 * Alpha OSF/1 (Digital Unix) V2.0++::
431 * Solaris versions 2.0 through 2.3::
437 @node AIX, Alpha OSF/1 V1.3, OS Incompatibilities, OS Incompatibilities
440 The AIX 3.2.5 linker dumps core trying to build a shared
441 @samp{libkrb5.a} produced with the GNU C compiler. The native AIX
442 compiler works fine. This problem is fixed using the AIX 4.1 linker.
444 @node Alpha OSF/1 V1.3, Alpha OSF/1 (Digital Unix) V2.0++, AIX, OS Incompatibilities
445 @subsection Alpha OSF/1 V1.3
447 Using the native compiler, compiling with the @samp{-O} compiler flag
448 causes the @code{asn.1} library to be compiled incorrectly.
450 Using GCC version 2.6.3 or later instead of the native compiler will also work
451 fine, both with or without optimization.
453 @node Alpha OSF/1 (Digital Unix) V2.0++, BSDI, Alpha OSF/1 V1.3, OS Incompatibilities
454 @subsection Alpha OSF/1 V2.0++
456 There used to be a bug when using the native compiler in compiling
457 @file{md4.c} when compiled without either the @samp{-O} or @samp{-g}
458 compiler options. We have changed the code and there is no problem
459 under V2.1, but we do not have access to V2.0 to test and see if the
460 problem would exist there. (We welcome feedback on this issue). There
461 was never a problem in using GCC version 2.6.3.
463 In version 3.2 and beyond of the operating system, we have not seen any
464 problems with the native compiler.
466 @node BSDI, HPUX, Alpha OSF/1 (Digital Unix) V2.0++, OS Incompatibilities
469 BSDI versions 1.0 and 1.1 reportedly has a bad @samp{sed} which causes
470 it to go into an infinite loop during the build. The work around is
471 to use a @samp{sed} from somewhere else, such as GNU. (This may be
472 true for some versions of other systems derived from BSD 4.4, such as
475 @node HPUX, Solaris versions 2.0 through 2.3, BSDI, OS Incompatibilities
478 The native compiler for HPUX currently will not work, because it is not
479 a full ANSI C compiler. The optional compiler (c89) should work as long
480 as you give it the @samp{+Olibcalls -D_HPUX_SOURCE} (this has only been
481 tested for HPUX 9.0). At this point, using GCC is probably your best
484 @node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
485 @subsection Solaris versions 2.0 through 2.3
487 The @code{gethostbyname()} routine is broken; it does not return a fully
488 qualified domain name, even if you are using the Domain Name Service
489 routines. Since Kerberos V5 uses the fully qualified domain name as the
490 second component of a service principal (i.e,
491 @samp{host/tsx-11.mit.edu@@ATHENA.MIT.EDU}), this causes problems for servers
492 who try to figure out their own fully qualified domain name.
499 Supply your own resolver library. (such as bind-4.9.3pl1 availavle
503 Upgrade to Solaris 2.4
506 Make sure your /etc/nsswitch.conf has `files' before `dns' like:
512 and then in /etc/hosts, make sure there is a line with your
513 workstation's IP address and hostname, with the fully qualified domain
517 18.172.1.4 dcl.mit.edu dcl
520 Note that making this change may cause other programs in your
521 environment to break or behave differently.
525 @node Solaris 2.X, SGI Irix 5.X, Solaris versions 2.0 through 2.3, OS Incompatibilities
526 @subsection Solaris 2.X
528 You @b{must} compile Kerberos V5 without the UCB compatibility
529 libraries. This means that @file{/usr/ucblib} must not be in the
530 LD_LIBRARY_PATH environment variable when you compile it. Alternatively
531 you can use the @code{-i} option to @samp{cc}, by using the specifying
532 @code{--with-ccopts=-i} option to @samp{configure}.
534 @node SGI Irix 5.X, Ultrix 4.2/3, Solaris 2.X, OS Incompatibilities
535 @subsection SGI Irix 5.X
537 If you are building in a tree separate from the source tree, the vendors
538 version of make does not work properly with regards to
539 @samp{VPATH}. It also has problems with standard inference rules in 5.2
540 (not tested yet in 5.3) so one needs to use GNU's make.
542 Under 5.2, there is a bug in the optional System V @code{-lsocket}
543 library in which the routine @code{gethostbyname()} is broken. The
544 system supplied version in @code{-lc} appears to work though so one may
545 simply specify @code{--with-netlib} option to @samp{configure}.
547 In 5.3, @code{gethostbyname()} is no longer present in @code{-lsocket} and
548 is no longer an issue.
550 @node Ultrix 4.2/3, , SGI Irix 5.X, OS Incompatibilities
551 @subsection Ultrix 4.2/3
553 The DEC MIPS platform currently will not support the native compiler,
554 since the Ultrix compiler is not a full ANSI C compiler. You should use
559 On the DEC MIPS platform, using the native compiler, @file{md4.c} and
560 @file{md5.c} can not be compiled with the optimizer set at level 1.
561 That is, you must specify either @samp{--with-ccopts=-O} and
562 @samp{--with-ccopts=-g} to configure. If you don't specify either, the
563 compile will never complete.
565 The optimizer isn't hung; it just takes an exponentially long time.
566 Compiling 6 out of the 48 algorithmic steps takes 3 seconds; compiling 7
567 steps takes 9 seconds; compiling 8 steps takes 27 seconds, and so on.
568 Calculations estimate it will finish in approximately 3,469 billion
571 Using GCC instead of the native compiler will also work fine, both with
572 or without optimization.
576 @node Using Autoconf, , OS Incompatibilities, Building Kerberos V5
577 @section Using @samp{Autoconf}
579 (If you are not a developer, you can skip this section.)
581 In most of the Kerberos V5 source directories, there is a
582 @file{configure} script which automatically determines the compilation
583 environment and creates the proper Makefiles for a particular platform.
584 These @file{configure} files are generated using @samp{autoconf} version
585 2.4, which can be found in the @file{src/util/autoconf} directory in the
588 Normal users will not need to worry about running @samp{autoconf}; the
589 distribution comes with the @file{configure} files already prebuilt.
590 Developers who wish to modify the @file{configure.in} files should see
591 @ref{Top, , Overview, autoconf, The Autoconf Manual}.
593 Note that in order to run @samp{autoconf}, you must have GNU @samp{m4}
594 in your path. Before you use the @samp{autoconf} in the Kerberos V5
595 source tree, you may also need to run @samp{configure}, and then run
596 @samp{make} in the @file{src/util/autoconf} directory in order to
597 properly set up @samp{autoconf}.
599 One tool which is provided for the convenience of developers can be
600 found in @file{src/util/reconf}. This program should be run while the
601 current directory is the top source directory. It will automatically
602 rebuild any @file{configure} files which need rebuilding. If you know
603 that you have made a change that will require that all the
604 @file{configure} files need to be rebuilt from scratch, specify the
605 @code{--force} option:
608 % cd /u1/krb5-1.0/src
609 % ./util/reconf --force
612 The developmental sources are a raw source tree (before it's been packaged
613 for public release), without the pre-built @file{configure} files.
614 In order to build from such a source tree, you must do:
617 % cd krb5/util/autoconf
624 Then follow the instructions for building packaged source trees (above).
625 To install the binaries into a binary tree, do:
628 % cd /u1/krb5-1.0/src
630 % make install DESTDIR=somewhere-else