1 @value{PRODUCT} uses a configuration system built using the Free
2 Software Foundation's @samp{autoconf} program. This system makes
3 Kerberos V5 much simpler to build and reduces the amount of effort
4 required in porting Kerberos V5 to a new platform.
7 * Organization of the Source Directory:: Description of the source tree.
8 * Build Requirements:: How much disk space, etc. you need to
10 * Unpacking the Sources:: Preparing the source tree.
11 * Doing the Build:: Compiling Kerberos.
12 * Installing the Binaries:: Installing the compiled binaries.
13 * Testing the Build:: Making sure Kerberos built correctly.
14 * Options to Configure:: Command-line options to Configure
15 * osconf.h:: Header file-specific configurations
16 * Shared Library Support:: Building Shared Libraries for Kerberos V5
17 * OS Incompatibilities:: Special cases to watch for.
18 * Using Autoconf:: Modifying Kerberos V5's
19 configuration scripts.
22 @node Organization of the Source Directory, Build Requirements, Building Kerberos V5, Building Kerberos V5
23 @section Organization of the Source Directory
25 Below is a brief overview of the organization of the complete source
26 directory. More detailed descriptions follow.
30 applications with @value{PRODUCT} extensions
32 @value{PRODUCT} user programs
34 manpages for @value{PRODUCT} and the @value{PRODUCT} login program
38 administrative interface to the Kerberos master database
40 the @value{PRODUCT} Authentication Service and Key Distribution Center
42 utilities for converting between Kerberos 4 and Kerberos 5
44 libraries for use with/by @value{PRODUCT}
46 source code for building @value{PRODUCT} on MacOS
48 templates for source code files
50 utilities for propagating the database to slave KDCs
54 various utilities for building/configuring the code, sending bug reports, etc.
56 source code for building @value{PRODUCT} on Windows (see windows/README)
60 * The appl Directory::
61 * The clients Directory::
62 * The gen-manpages Directory::
63 * The include Directory::
64 * The kadmin Directory::
66 * The krb524 Directory::
68 * The prototype Directory::
69 * The slave Directory::
70 * The util Directory::
73 @node The appl Directory, The clients Directory, Organization of the Source Directory, Organization of the Source Directory
74 @subsection The appl Directory
76 The Kerberos release provides certain UNIX utilities, modified to use
77 Kerberos authentication. In the @i{appl/bsd} directory are the
78 Berkeley utilities @i{login}, @i{rlogin}, @i{rsh}, and @i{rcp}, as well as
79 the associated daemons @i{kshd} and @i{klogind}. The @i{login} program
80 obtains ticket-granting tickets for users upon login; the other utilities
81 provide authenticated Unix network services.
83 The @i{appl} directory also contains Kerberized telnet and ftp programs,
84 as well as sample Kerberos application client and server programs.
86 @node The clients Directory, The gen-manpages Directory, The appl Directory, Organization of the Source Directory
87 @subsection The clients Directory
89 This directory contains the code for several user-oriented programs.
93 This program destroys the user's active Kerberos authorization tickets.
94 @value{COMPANY} recommends that users @code{kdestroy} before logging out.
97 This program prompts users for their Kerberos principal name and password,
98 and attempts to get an initial ticket-granting-ticket for that principal.
101 This program lists the Kerberos principal and Kerberos tickets held in
102 a credentials cache, or the keys held in a keytab file.
105 This program changes a user's Kerberos password.
108 This program is a Kerberized version of the @code{su} program that is
109 meant to securely change the real and effective user ID to that of the
110 target user and to create a new security context.
113 This program acquires a service ticket for the specified Kerberos
114 principals and prints out the key version numbers of each.
117 @node The gen-manpages Directory, The include Directory, The clients Directory, Organization of the Source Directory
118 @subsection The gen-manpages Directory
120 There are two manual pages in this directory. One is an introduction
121 to the Kerberos system. The other describes the @code{.k5login} file
122 which allows users to give access with their UID to other users
123 authenticated by the Kerberos system.
125 @node The include Directory, The kadmin Directory, The gen-manpages Directory, Organization of the Source Directory
126 @subsection The include Directory
128 This directory contains the @i{include} files needed to build the
131 @node The kadmin Directory, The kdc Directory, The include Directory, Organization of the Source Directory
132 @subsection The kadmin Directory
134 In this directory is the code for the utilities @code{kadmin},
135 @code{kadmin.local}, @code{kdb5_util}, and @code{ktutil}.
136 @code{ktutil} is the Kerberos keytab file maintenance utility from
137 which a Kerberos administrator can read, write, or edit entries in a
138 Kerberos V5 keytab or Kerberos V4 srvtab. @code{kadmin} and
139 @code{kadmin.local} are command-line interfaces to the Kerberos V5 KADM5
140 administration system. @code{kadmin.local} runs on the master KDC and
141 does not use Kerberos to authenticate to the database, while
142 @code{kadmin} uses Kerberos authentication and an encrypted RPC. The
143 two provide identical functionalities, which allow administrators to
144 modify the database of Kerberos principals. @code{kdb5_util} allows
145 administrators to perform low-level maintenance procedures on Kerberos
146 and the KADM5 database. With this utility, databases can be created,
147 destroyed, or dumped to and loaded from ASCII files. It can also be
148 used to create master key stash files.
150 @node The kdc Directory, The krb524 Directory, The kadmin Directory, Organization of the Source Directory
151 @subsection The kdc Directory
153 This directory contains the code for the @code{krb5kdc} daemon, the
154 Kerberos Authentication Service and Key Distribution Center.
156 @node The krb524 Directory, The lib Directory, The kdc Directory, Organization of the Source Directory
157 @subsection The krb524 Directory
159 This directory contains the code for @code{krb524}, a service that
160 converts Kerberos V5 credentials into Kerberos V4 credentials suitable
161 for use with applications that for whatever reason do not use V5
164 @node The lib Directory, The prototype Directory, The krb524 Directory, Organization of the Source Directory
165 @subsection The lib Directory
167 The @i{lib} directory contain 10 subdirectories as well as some
168 definition and glue files. The @i{crypto} subdirectory contains the
169 Kerberos V5 encryption library. The @i{des425} subdirectory exports
170 the Kerberos V4 encryption API, and translates these functions into
171 calls to the Kerberos V5 encryption API. The @i{gssapi} library
172 contains the Generic Security Services API, which is a library of
173 commands to be used in secure client-server communication. The
174 @i{kadm5} directory contains the libraries for the KADM5 administration
175 utilities. The Kerberos 5 database libraries are contained in
176 @i{kdb}. The directories @i{krb4} and @i{krb5} contain the Kerberos 4
177 and Kerberos 5 APIs, respectively. The @i{rpc} directory contains the
178 API for the Kerberos Remote Procedure Call protocol.
180 @node The prototype Directory, The slave Directory, The lib Directory, Organization of the Source Directory
181 @subsection The prototype Directory
183 This directory contains several template files. The @code{prototype.h}
184 and @code{prototype.c} files contain the MIT copyright message and a
185 placeholder for the title and description of the file.
186 @code{prototype.h} also has a short template for writing @code{ifdef}
187 and @code{ifndef} preprocessor statements. The @code{getopt.c} file
188 provides a template for writing code that will parse the options with
189 which a program was called.
191 @node The slave Directory, The util Directory, The prototype Directory, Organization of the Source Directory
192 @subsection The slave Directory
194 This directory contains code which allows for the propagation of the
195 Kerberos principal database from the master KDC to slave KDCs over an
196 encrypted, secure channel. @code{kprop} is the program which actually
197 propagates the database dump file. @code{kpropd} is the Kerberos V5
198 slave KDC update server which accepts connections from the @code{kprop}
199 program. @code{kslave_update} is a script that takes the name of a
200 slave server, and propagates the database to that server if the
201 database has been modified since the last dump or if the database has
202 been dumped since the last propagation.
204 @node The util Directory, , The slave Directory, Organization of the Source Directory
205 @subsection The util Directory
207 This directory contains several utility programs and libraries. The
208 programs used to configure and build the code, such as @code{autoconf},
209 @code{lndir}, @code{kbuild}, @code{reconf}, and @code{makedepend},
210 are in this directory. The @i{profile} directory contains most of the
211 functions which parse the Kerberos configuration files (@code{krb5.conf}
212 and @code{kdc.conf}). Also in this directory are the Kerberos error table
213 library and utilities (@i{et}), the Sub-system library and utilities
214 (@i{ss}), database utilities (@i{db2}), pseudo-terminal utilities
215 (@i{pty}), and bug-reporting program @code{send-pr}.
217 @node Build Requirements, Unpacking the Sources, Organization of the Source Directory, Building Kerberos V5
218 @section Build Requirements
220 In order to build Kerberos V5, you will need approximately 60-70
221 megabytes of disk space. The exact amount will vary depending on the
222 platform and whether the distribution is compiled with debugging symbol
225 Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, ``c89'').
226 Some operating systems do not have an ANSI C compiler, or their
227 default compiler requires extra command-line options to enable ANSI C
230 If you wish to keep a separate @dfn{build tree}, which contains the compiled
231 @file{*.o} file and executables, separate from your source tree, you
232 will need a @samp{make} program which supports @samp{VPATH}, or
233 you will need to use a tool such as @samp{lndir} to produce a symbolic
234 link tree for your build tree.
236 @node Unpacking the Sources, Doing the Build, Build Requirements, Building Kerberos V5
237 @section Unpacking the Sources
239 The first step in each of these build procedures is to unpack the
240 source distribution. The Kerberos V5 distribution comes in a tar file,
241 generally named @file{krb5-@value{RELEASE}.tar}, which contains a
242 compressed tar file consisting of the sources for all of Kerberos
243 (generally @file{krb5-@value{RELEASE}.tar.gz}) and a PGP signature for
244 this source tree (generally @file{krb5-@value{RELEASE}.tar.gz.asc}).
245 @value{COMPANY} highly recommends that you verify the integrity of the
246 source code using this signature.
248 Unpack the compressed tar file in some directory, such as
249 @file{/u1/krb5-@value{RELEASE}}. (In the rest of this document, we
250 will assume that you have chosen to unpack the Kerberos V5 source
251 distribution in this directory. Note that the tarfiles will by default
252 all unpack into the @file{./krb5-@value{RELEASE}} directory, so that if
253 your current directory is @file{/u1} when you unpack the tarfiles, you
254 will get @file{/u1/krb5-@value{RELEASE}/src}, etc.)
257 @node Doing the Build, Installing the Binaries, Unpacking the Sources, Building Kerberos V5
258 @section Doing the Build
260 You have a number of different options in how to build Kerberos. If you
261 only need to build Kerberos for one platform, using a single directory
262 tree which contains both the source files and the object files is the
263 simplest. However, if you need to maintain Kerberos for a large number
264 of platforms, you will probably want to use separate build trees for
265 each platform. We recommend that you look at @ref{OS
266 Incompatibilities}, for notes that we have on particular operating
270 * Building Within a Single Tree::
271 * Building with Separate Build Directories::
272 * Building using lndir::
275 @node Building Within a Single Tree, Building with Separate Build Directories, Doing the Build, Doing the Build
276 @subsection Building Within a Single Tree
278 If you don't want separate build trees for each architecture, then
279 use the following abbreviated procedure.
283 @code{cd /u1/krb5-@value{RELEASE}/src}
292 @node Building with Separate Build Directories, Building using lndir, Building Within a Single Tree, Doing the Build
293 @subsection Building with Separate Build Directories
295 If you wish to keep separate build directories for each platform, you
296 can do so using the following procedure. (Note, this requires that your
297 @samp{make} program support @samp{VPATH}. GNU's make will provide this
298 functionality, for example.) If your @samp{make} program does not
299 support this, see the next section.
301 For example, if you wish to create a build directory for @code{pmax} binaries
302 you might use the following procedure:
306 @code{mkdir /u1/krb5-@value{RELEASE}/pmax}
308 @code{cd /u1/krb5-@value{RELEASE}/pmax}
310 @code{../src/configure}
315 @node Building using lndir, , Building with Separate Build Directories, Doing the Build
316 @subsection Building Using @samp{lndir}
318 If you wish to keep separate build directories for each platform, and
319 you do not have access to a @samp{make} program which supports @samp{VPATH},
320 all is not lost. You can use the @samp{lndir} program to create
321 symbolic link trees in your build directory.
323 For example, if you wish to create a build directory for solaris binaries
324 you might use the following procedure:
328 @code{mkdir /u1/krb5-@value{RELEASE}/solaris}
330 @code{cd /u1/krb5-@value{RELEASE}/solaris}
332 @code{/u1/krb5-@value{RELEASE}/src/util/lndir `pwd`/../src}
339 You must give an absolute pathname to @samp{lndir} because it has a bug that
340 makes it fail for relative pathnames. Note that this version differs
341 from the latest version as distributed and installed by the XConsortium
342 with X11R6. Either version should be acceptable.
344 @node Installing the Binaries, Testing the Build, Doing the Build, Building Kerberos V5
345 @section Installing the Binaries
347 Once you have built Kerberos, you should install the binaries. You
348 can do this by running:
354 If you want to install the binaries into a destination directory that
355 is not their final destination, which may be convenient if you want to
356 build a binary distribution to be deployed on multiple hosts, you may
360 % make install DESTDIR=/path/to/destdir
363 This will install the binaries under @code{DESTDIR/PREFIX}, e.g., the
364 user programs will install into @code{DESTDIR/PREFIX/bin}, the
365 libraries into @code{DESTDIR/PREFIX/lib}, etc.
367 Note that if you want to test the build (see @ref{Testing the Build}),
368 you usually do not need to do a @code{make install} first.
370 @node Testing the Build, Options to Configure, Installing the Binaries, Building Kerberos V5
371 @section Testing the Build
373 The Kerberos V5 distribution comes with built-in regression tests. To
374 run them, simply type the following command while in the top-level build
375 directory (i.e., the directory where you sent typed @samp{make} to start
376 building Kerberos; see @ref{Doing the Build}.):
383 * The DejaGnu Tests::
387 @node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build
388 @subsection The DejaGnu Tests
390 Some of the built-in regression tests are setup to use the DejaGnu
391 framework for running tests. These tests tend to be more comprehensive
392 than the normal built-in tests as they setup test servers and test
393 client/server activities.
395 DejaGnu may be found wherever GNU software is archived.
397 Most of the tests are setup to run as a non-privileged user. For some
398 of the krb-root tests to work properly, either (a) the user running the
399 tests must not have a .k5login file in the home directory or (b) the
400 .k5login file must contain an entry for @code{<username>@@KRBTEST.COM}.
401 There are two series of tests (@samp{rlogind} and @samp{telnetd}) which
402 require the ability to @samp{rlogin} as root to the local
403 machine. Admittedly, this does require the use of a @file{.rhosts} file
404 or some authenticated means. @footnote{If you are fortunate enough to
405 have a previous version of Kerberos V5 or V4 installed, and the Kerberos
406 rlogin is first in your path, you can setup @file{.k5login} or
407 @file{.klogin} respectively to allow you access.}
409 If you cannot obtain root access to your machine, all the other tests
410 will still run. Note however, with DejaGnu 1.2, the "untested testcases"
411 will cause the testsuite to exit with a non-zero exit status which
412 @samp{make} will consider a failure of the testing process. Do not worry
413 about this, as these tests are the last run when @samp{make check} is
414 executed from the top level of the build tree. This problem does not
415 exist with DejaGnu 1.3.
417 @node The KADM5 Tests, , The DejaGnu Tests, Testing the Build
418 @subsection The KADM5 Tests
420 Regression tests for the KADM5 system, including the GSS-RPC, KADM5
421 client and server libraries, and kpasswd, are also included in this
422 release. Each set of KADM5 tests is contained in a sub-directory called
423 @code{unit-test} directly below the system being tested. For example,
424 lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all
425 based on DejaGnu (but they are not actually called part of "The DejaGnu
426 tests," whose naming predates the inclusion of the KADM5 system). In
427 addition, they require the Tool Command Language (TCL) header files and
428 libraries to be available during compilation and some of the tests also
429 require Perl in order to operate. If all of these resources are not
430 available during configuration, the KADM5 tests will not run. The TCL
431 installation directory can be specified with the @code{--with-tcl}
432 configure option. (See @xref{Options to Configure}.) The runtest and
433 perl programs must be in the current execution path.
435 If you install DejaGnu, TCL, or Perl after configuring and building
436 Kerberos and then want to run the KADM5 tests, you will need to
437 re-configure the tree and run @code{make} at the top level again to make
438 sure all the proper programs are built. To save time, you actually only
439 need to reconfigure and build in the directories src/kadmin/testing,
440 src/lib/rpc, src/lib/kadm5.
442 @node Options to Configure, osconf.h, Testing the Build, Building Kerberos V5
443 @section Options to Configure
445 There are a number of options to @samp{configure} which you can use to
446 control how the Kerberos distribution is built. The following table
447 lists the most commonly used options to Kerberos V5's @samp{configure}
454 Provides help to configure. This will list the set of commonly used
455 options for building Kerberos.
457 @item --prefix=PREFIX
459 By default, Kerberos will install the package's files rooted at
460 `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
461 desire a different location, use this option.
463 @item --exec-prefix=EXECPREFIX
465 This option allows one to separate the architecture independent programs
466 from the configuration files and manual pages.
468 @item --localstatedir=LOCALSTATEDIR
470 This option sets the directory for locally modifiable single-machine
471 data. In Kerberos, this mostly is useful for setting a location for the
472 KDC data files, as they will be installed in
473 @code{LOCALSTATEDIR/krb5kdc}, which is by default
474 @code{PREFIX/var/krb5kdc}.
478 Use @code{COMPILER} as the C compiler.
482 Use @code{FLAGS} as the default set of C compiler flags.
484 Note that if you use the native Ultrix compiler on a
485 DECstation you are likely to lose if you pass no flags to cc; md4.c
486 takes an estimated 3,469 billion years to compile if you provide neither
487 the @samp{-g} flag nor the @samp{-O} flag to @samp{cc}.
489 @item CPPFLAGS=CPPOPTS
491 Use @code{CPPOPTS} as the default set of C preprocessor flags. The most
492 common use of this option is to select certain @code{#define}'s for use
493 with the operating system's include files.
497 Use @code{LINKER} as the default loader if it should be different from C
498 compiler as specified above.
502 This option allows one to specify optional arguments to be passed to the
503 linker. This might be used to specify optional library paths.
507 This option enables Kerberos V4 backwards compatibility using the
508 builtin Kerberos V4 library.
510 @item --with-krb4=KRB4DIR
512 This option enables Kerberos V4 backwards compatibility using a
513 pre-existing Kerberos V4 installation. The directory specified by
514 @code{KRB4DIR} specifies where the V4 header files should be found
515 (@file{KRB4DIR/include}) as well as where the V4 Kerberos library should
516 be found (@file{KRB4DIR/lib}).
520 Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
521 clients from using the V5 services including the KDC. This would be
522 useful if you know you will never install or need to interact with V4
525 @item --with-netlib[=libs]
527 Allows for suppression of or replacement of network libraries. By
528 default, Kerberos V5 configuration will look for @code{-lnsl} and
529 @code{-lsocket}. If your operating system has a broken resolver library
530 (see @ref{Solaris versions 2.0 through 2.3}) or fails to pass the tests in
531 @file{src/tests/resolv} you will need to use this option.
533 @item --with-tcl=TCLPATH
535 Some of the unit-tests in the build tree rely upon using a program in
536 Tcl. The directory specified by @code{TCLPATH} specifies where the Tcl
537 header file (@file{TCLPATH/include/tcl.h} as well as where the Tcl
538 library should be found (@file{TCLPATH/lib}).
540 @item --enable-shared
542 This option will turn on the building and use of shared library objects
543 in the Kerberos build. This option is only supported on certain
547 @item --enable-dns-for-kdc
548 @item --enable-dns-for-realm
550 Enable the use of DNS to look up a host's Kerberos realm, or a realm's
551 KDCs, if the information is not provided in krb5.conf. See @ref{Hostnames
552 for the Master and Slave KDCs} for information about using DNS to
553 locate the KDCs, and @ref{Mapping Hostnames onto Kerberos Realms} for
554 information about using DNS to determine the default realm. By default,
555 DNS lookups are enabled for the former but not for the latter.
557 @item --enable-kdc-replay-cache
559 Enable a cache in the KDC to detect retransmitted messages, and resend
560 the previous responses to them. This protects against certain types of
561 attempts to extract information from the KDC through some of the
562 hardware preauthentication systems.
564 @item --with-system-et
566 Use an installed version of the error-table support software, the
567 @samp{compile_et} program, the @file{com_err.h} header file and the
568 @file{com_err} library. If these are not in the default locations,
569 you may wish to specify @code{CPPFLAGS=-I/some/dir} and
570 @code{LDFLAGS=-L/some/other/dir} options at configuration time as
573 If this option is not given, a version supplied with the Kerberos
574 sources will be built and installed along with the rest of the
575 Kerberos tree, for Kerberos applications to link against.
577 @item --with-system-ss
579 Use an installed version of the subsystem command-line interface
580 software, the @samp{mk_cmds} program, the @file{ss/ss.h} header file
581 and the @file{ss} library. If these are not in the default locations,
582 you may wish to specify @code{CPPFLAGS=-I/some/dir} and
583 @code{LDFLAGS=-L/some/other/dir} options at configuration time as
584 well. See also the @samp{SS_LIB} option.
586 If this option is not given, the @file{ss} library supplied with the
587 Kerberos sources will be compiled and linked into those programs that
588 need it; it will not be installed separately.
592 If @samp{-lss} is not the correct way to link in your installed
593 @file{ss} library, for example if additional support libraries are
594 needed, specify the correct link options here. Some variants of this
595 library are around which allow for Emacs-like line editing, but
596 different versions require different support libraries to be
597 explicitly specified.
599 This option is ignored if @samp{--with-system-ss} is not specified.
601 @item --with-system-db
603 Use an installed version of the Berkeley DB package, which must
604 provide an API compatible with version 1.85. This option is
605 @emph{unsupported} and untested. In particular, we do not know if the
606 database-rename code used in the dumpfile load operation will behave
609 If this option is not given, a version supplied with the Kerberos
610 sources will be built and installed. (We are not updating this
611 version at this time because of licensing issues with newer versions
612 that we haven't investigated sufficiently yet.)
614 @item DB_HEADER=headername.h
616 If @samp{db.h} is not the correct header file to include to compile
617 against the Berkeley DB 1.85 API, specify the correct header file name
618 with this option. For example, @samp{DB_HEADER=db3/db_185.h}.
622 If @samp{-ldb} is not the correct library specification for the
623 Berkeley DB library version to be used, override it with this option.
624 For example, @samp{DB_LIB=-ldb-3.3}.
628 For example, in order to configure Kerberos on a Solaris machine using
629 the @samp{suncc} compiler with the optimizer turned on, run the configure
630 script with the following options:
633 % ./configure CC=suncc CFLAGS=-O
636 For a slightly more complicated example, consider a system where
637 several packages to be used by Kerberos are installed in
638 @samp{/usr/foobar}, including Berkeley DB 3.3, and an @samp{ss}
639 library that needs to link against the @samp{curses} library. The
640 configuration of Kerberos might be done thus:
643 % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
644 --with-system-et --with-system-ss --with-system-db \
645 SS_LIB='-lss -lcurses' \
646 DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
649 In previous releases, @code{--with-} options were used to specify the
650 compiler and linker and their options.
652 @node osconf.h, Shared Library Support, Options to Configure, Building Kerberos V5
653 @section @file{osconf.h}
655 There is one configuration file which you may wish to edit to control
656 various compile-time parameters in the Kerberos distribution:
657 @file{include/krb5/stock/osconf.h}. The list that follows is by no means
658 complete, just some of the more interesting variables.
660 Please note: The former configuration file @file{config.h} no longer
661 exists as its functionality has been merged into the auto-configuration
662 process. @xref{Options to Configure}.
667 @item DEFAULT_PROFILE_PATH
669 The pathname to the file which contains the profiles for the known realms,
670 their KDCs, etc. The default value is @value{DefaultDefaultProfilePath}.
672 The profile file format is no longer the same format as Kerberos V4's
673 @file{krb.conf} file.
675 @item DEFAULT_KEYTAB_NAME
677 The type and pathname to the default server keytab file (the
678 equivalent of Kerberos V4's @file{/etc/srvtab}). The default is
679 @value{DefaultDefaultKeytabName}.
681 @item DEFAULT_KDC_ENCTYPE
683 The default encryption type for the KDC. The default value is
684 @value{DefaultMasterKeyType}.
688 The name of the replay cache used by the KDC. The default value is
689 @value{DefaultKDCRCache}.
693 The directory which stores replay caches. The default is to try
694 @value{DefaultRCTmpDirs}.
696 @item DEFAULT_KDB_FILE
698 The location of the default database. The default value is
699 @value{DefaultDatabaseName}.
703 @node Shared Library Support, OS Incompatibilities, osconf.h, Building Kerberos V5
704 @section Shared Library Support
706 Shared library support is provided for a few operating systems. There
707 are restrictions as to which compiler to use when using shared
708 libraries. In all cases, executables linked with the shared libraries in
709 this build process will have built in the location of the libraries,
710 therefore obliterating the need for special LD_LIBRARY_PATH, et al environment
711 variables when using the programs. Except where noted, multiple versions
712 of the libraries may be installed on the same system and continue to
715 Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS
716 5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows
719 Shared library support has been tested on the following platforms but
720 not exhaustively (they have been built but not necessarily tested in an
721 installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and
724 Platforms for which there is shared library support but not significant
725 testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x
726 (i386), and SunOS 4.x.
728 To enable shared libraries on the above platforms, run the configure
729 script with the option @samp{--enable-shared}.
733 XXX What does this mean?
735 One special note is that if the Kerberos V4 compatibility is compiled
736 in, you @b{must not} specify an alternate Kerberos V4 library from the
737 one in the tree or you will be missing references.
741 @node OS Incompatibilities, Using Autoconf, Shared Library Support, Building Kerberos V5
742 @section Operating System Incompatibilities
744 This section details operating system incompatibilities with Kerberos V5
745 which have been reported to the developers at MIT. If you find
746 additional incompatibilities, and/or discover workarounds to such
747 problems, please send a report via the @code{krb5-send-pr} program.
757 * Solaris versions 2.0 through 2.3::
764 @node AIX, Alpha OSF/1 V1.3, OS Incompatibilities, OS Incompatibilities
767 The AIX 3.2.5 linker dumps core trying to build a shared
768 @samp{libkrb5.a} produced with the GNU C compiler. The native AIX
769 compiler works fine. This problem is fixed using the AIX 4.1 linker.
771 @node Alpha OSF/1 V1.3, Alpha OSF/1 V2.0, AIX, OS Incompatibilities
772 @subsection Alpha OSF/1 V1.3
774 Using the native compiler, compiling with the @samp{-O} compiler flag
775 causes the @code{asn.1} library to be compiled incorrectly.
777 Using GCC version 2.6.3 or later instead of the native compiler will also work
778 fine, both with or without optimization.
780 @node Alpha OSF/1 V2.0, Alpha OSF/1 V4.0, Alpha OSF/1 V1.3, OS Incompatibilities
781 @subsection Alpha OSF/1 V2.0
783 There used to be a bug when using the native compiler in compiling
784 @file{md4.c} when compiled without either the @samp{-O} or @samp{-g}
785 compiler options. We have changed the code and there is no problem
786 under V2.1, but we do not have access to V2.0 to test and see if the
787 problem would exist there. (We welcome feedback on this issue). There
788 was never a problem in using GCC version 2.6.3.
790 In version 3.2 and beyond of the operating system, we have not seen
791 this sort of problem with the native compiler.
793 @node Alpha OSF/1 V4.0, BSDI, Alpha OSF/1 V2.0, OS Incompatibilities
794 @subsection Alpha OSF/1 (Digital UNIX) V4.0
796 The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)
797 defaults to an extended K&R C mode, not ANSI C. You need to provide
798 the @samp{-std} argument to the compiler (i.e., @samp{./configure
799 CC='cc -std'}) to enable extended ANSI C mode. More recent versions
800 of the operating system, such as 5.0, seem to have C compilers which
801 default to @samp{-std}.
803 @c @node Alpha Tru64 UNIX 5.0
804 @c @subsection Alpha Tru64 UNIX 5.0
805 @c ... login.krb5 problems
807 @node BSDI, HPUX, Alpha OSF/1 V4.0, OS Incompatibilities
810 BSDI versions 1.0 and 1.1 reportedly has a bad @samp{sed} which causes
811 it to go into an infinite loop during the build. The work around is
812 to use a @samp{sed} from somewhere else, such as GNU. (This may be
813 true for some versions of other systems derived from BSD 4.4, such as
816 @node HPUX, Solaris versions 2.0 through 2.3, BSDI, OS Incompatibilities
819 The native (bundled) compiler for HPUX currently will not work,
820 because it is not a full ANSI C compiler. The optional ANSI C
821 compiler should work as long as you give it the @samp{-Ae} flag
822 (i.e. @samp{./configure CC='cc -Ae'}). This is equivalent to
823 @samp{./configure CC='c89 -D_HPUX_SOURCE'}, which was the previous
824 recommendation. This has only been tested recently for HPUX 10.20.
826 @node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
827 @subsection Solaris versions 2.0 through 2.3
829 The @code{gethostbyname()} routine is broken; it does not return a fully
830 qualified domain name, even if you are using the Domain Name Service
831 routines. Since Kerberos V5 uses the fully qualified domain name as the
832 second component of a service principal (i.e,
833 @samp{host/tsx-11.mit.edu@@ATHENA.MIT.EDU}), this causes problems for servers
834 who try to figure out their own fully qualified domain name.
841 Supply your own resolver library. (such as bind-4.9.3pl1 available
845 Upgrade to Solaris 2.4
848 Make sure your /etc/nsswitch.conf has `files' before `dns' like:
854 and then in /etc/hosts, make sure there is a line with your
855 workstation's IP address and hostname, with the fully qualified domain
859 18.172.1.4 dcl.mit.edu dcl
862 Note that making this change may cause other programs in your
863 environment to break or behave differently.
867 @node Solaris 2.X, Solaris 9, Solaris versions 2.0 through 2.3, OS Incompatibilities
868 @subsection Solaris 2.X
870 You @b{must} compile Kerberos V5 without the UCB compatibility
871 libraries. This means that @file{/usr/ucblib} must not be in the
872 LD_LIBRARY_PATH environment variable when you compile it. Alternatively
873 you can use the @code{-i} option to @samp{cc}, by using the specifying
874 @code{CFLAGS=-i} option to @samp{configure}.
876 If you are compiling for a 64-bit execution environment, you may need
877 to configure with the option @code{CFLAGS="-D_XOPEN_SOURCE=500
878 -D__EXTENSIONS__"}. This is not well tested; at MIT we work primarily
879 with the 32-bit execution environment.
881 @node Solaris 9, SGI Irix 5.X, Solaris 2.X, OS Incompatibilities
882 @subsection Solaris 9
884 Solaris 9 has a kernel race condition which causes the final output
885 written to the slave side of a pty to be lost upon the final close()
886 of the slave device. This causes the dejagnu-based tests to fail
887 intermittently. A workaround exists, but requires some help from the
888 scheduler, and the ``make check'' must be executed from a shell with
889 elevated priority limits.
893 @code{priocntl -s -c FX -m 30 -p 30 -i pid nnnn}
895 as root, where @code{nnnn} is the pid of the shell whose priority
896 limit you wish to raise.
898 Sun has released kernel patches for this race condition. Apply patch
899 117171-11 for sparc, or patch 117172-11 for x86. Later revisions of
900 the patches should also work. It is not necessary to run ``make
901 check'' from a shell with elevated priority limits once the patch has
904 @node SGI Irix 5.X, Ultrix 4.2/3, Solaris 9, OS Incompatibilities
905 @subsection SGI Irix 5.X
907 If you are building in a tree separate from the source tree, the vendors
908 version of make does not work properly with regards to
909 @samp{VPATH}. It also has problems with standard inference rules in 5.2
910 (not tested yet in 5.3) so one needs to use GNU's make.
912 Under 5.2, there is a bug in the optional System V @code{-lsocket}
913 library in which the routine @code{gethostbyname()} is broken. The
914 system supplied version in @code{-lc} appears to work though so one may
915 simply specify @code{--with-netlib} option to @samp{configure}.
917 In 5.3, @code{gethostbyname()} is no longer present in @code{-lsocket} and
918 is no longer an issue.
920 @node Ultrix 4.2/3, , SGI Irix 5.X, OS Incompatibilities
921 @subsection Ultrix 4.2/3
923 The DEC MIPS platform currently will not support the native compiler,
924 since the Ultrix compiler is not a full ANSI C compiler. You should use
929 On the DEC MIPS platform, using the native compiler, @file{md4.c} and
930 @file{md5.c} can not be compiled with the optimizer set at level 1.
931 That is, you must specify either @samp{CFLAGS=-O} and
932 @samp{CFLAGS=-g} to configure. If you don't specify either, the
933 compile will never complete.
935 The optimizer isn't hung; it just takes an exponentially long time.
936 Compiling 6 out of the 48 algorithmic steps takes 3 seconds; compiling 7
937 steps takes 9 seconds; compiling 8 steps takes 27 seconds, and so on.
938 Calculations estimate it will finish in approximately 3,469 billion
941 Using GCC instead of the native compiler will also work fine, both with
942 or without optimization.
946 @node Using Autoconf, , OS Incompatibilities, Building Kerberos V5
947 @section Using @samp{Autoconf}
949 (If you are not a developer, you can skip this section.)
951 In most of the Kerberos V5 source directories, there is a
952 @file{configure} script which automatically determines the compilation
953 environment and creates the proper Makefiles for a particular
954 platform. These @file{configure} files are generated using
955 @samp{autoconf}, which can be found in the @file{src/util/autoconf}
956 directory in the distribution.
958 Normal users will not need to worry about running @samp{autoconf}; the
959 distribution comes with the @file{configure} files already prebuilt.
960 Developers who wish to modify the @file{configure.in} files should see
961 @ref{Top, , Overview, autoconf, The Autoconf Manual}.
963 Note that in order to run @samp{autoconf}, you must have GNU @samp{m4}
964 in your path. Before you use the @samp{autoconf} in the Kerberos V5
965 source tree, you may also need to run @samp{configure}, and then run
966 @samp{make} in the @file{src/util/autoconf} directory in order to
967 properly set up @samp{autoconf}.
969 One tool which is provided for the convenience of developers can be
970 found in @file{src/util/reconf}. This program should be run while the
971 current directory is the top source directory. It will automatically
972 rebuild any @file{configure} files which need rebuilding. If you know
973 that you have made a change that will require that all the
974 @file{configure} files need to be rebuilt from scratch, specify the
975 @code{--force} option:
978 % cd /u1/krb5-@value{RELEASE}/src
979 % ./util/reconf --force
982 The developmental sources are a raw source tree (before it's been packaged
983 for public release), without the pre-built @file{configure} files.
984 In order to build from such a source tree, you must do:
987 % cd krb5/util/autoconf
994 Then follow the instructions for building packaged source trees (above).
995 To install the binaries into a binary tree, do:
998 % cd /u1/krb5-@value{RELEASE}/src
1000 % make install DESTDIR=somewhere-else