depontius Advocate
Joined: 05 May 2004 Posts: 3526
Posted: Thu Sep 23, 2004 12:29 pm Post subject: Two pam_krb5 lineages in portage
In portage, there are currently 3 ebuilds for pam_krb5:
pam_krb5-1.0-r1.ebuild
pam_krb5-1.0.ebuild
pam_krb5-20030601.ebuild
and the "current" one is pam_krb5-1.0-r1.
The pam_krb5-1.0 ebuilds use source from http://www.fcusack.com, while pam_krb5-20030601.ebuild uses source from http://pam-krb5.sourceforge.net. I haven't looked in detail, but they appear to be independent pieces of code. But that's not the problem. The pam_krb5-1.0 ebuilds use app-crypt/mit-krb5, while the pam_krb5-20030601 ebuild uses virtual/krb5. I'm running with Heimdal, so I can't run the pam_krb5-1.0 ebuilds. I've looked in the source, and the author says he's done no work with Heimdal, so it's probably not a good idea to just tweak the ebuild. My obvious solution is to just grab the pam_krb5-20030601 ebuild.
It's worth mentioning that these two lineages are leapfrogging in portage. The 1.0 date is 2004/06/24, followed by 20030601 on 2004/07/22, followed by 1.0-r1 on 2004/08/19. It would be really good to either settle on one package here, or split them into two packages. In order to settle on the 1.0 family, it would be necessary to first make it work with Heimdal, as Heimdal currently does things that MIT doesn't (like threading and key storage in LDAP).
For now, I'll just force the 20030601 version in /etc/portage, but that may leave me missing a security update.
_________________
.sigs waste space and bandwidth
depontius Advocate
Posted: Fri Sep 24, 2004 12:34 am Post subject: Can't block pam_krb5-1.0*
Several gyrations later, I have in /etc/portage/package.mask:
=app-crypt/pam_krb5-1.0
=app-crypt/pam_krb5-1.0-r1
and when I try to 'emerge pam_krb5', instead of finding pam_krb5-20030601, it says that all ebuilds that could satisfy pam_krb5 have been masked. I tried to work around this by removing the package.mask, then installing the 20030601, but again it says that all possible ebuilds have been masked.
I suppose I need to open a bugzilla account, because as far as I can tell, this is BROKEN. (Or hard to find in the documentation, which is a different kind of breakage.)
depontius Advocate
Posted: Fri Sep 24, 2004 3:41 pm Post subject: Resolved (I think) ~x86 -> x86 ?
I just went through all of the pam_krb5 bugs, instead of trying to search for the relevant ones. The Sourceforge code is newer than and derived from the FCusack code. It only looked like the FCusack 1.0-r1 ebuild was newer because of ebuild-type work on amd64. The latest Sourceforge code is simply marked with a snapshot number, -20030601 instead of the more conventional 1.3-rc7, the previous release. Of course all of this code is rather old, going back to May/June 2003. The FCusack code is even older at 2000.
The 20030601 code is marked ~x86, so a simple addition to package.keywords will put me on my way.
What will it take to get this moved from ~x86 to x86?
I hear of a shortage of people using Kerberos under Gentoo. I'm trying to become one. Once I am, how can I help?
Incidentally, I've read the LDAPV3 work @bayour.com and am currently working with the similar document for Gentoo from Jose Gonzalez Gomez.
mxc Guru
Joined: 05 Mar 2003 Posts: 442 Location: South Africa
Posted: Thu Dec 23, 2004 4:28 am
Hey there,
I have just come across this same problem as you. I have opened a bug on bugzilla.
I must agree with you about the lack of info concerning kerberos/ldap on gentoo. It's a mission trying to work things out the first time.
depontius Advocate
Posted: Thu Dec 23, 2004 5:12 pm Post subject: Kerberos and friends
mxc wrote:
> Hey there,
> I have just come across this same problem as you. I have opened a bug on bugzilla.
> I must agree with you about the lack of info concerning kerberos/ldap on gentoo. It's a mission trying to work things out the first time.
On my way out, at the moment. To be honest, I just marked it ~x86 in my /etc/portage/package.keywords, and have sort of moved on. Actually, I haven't had time to do much more with this, real life intrudes. My LDAP/Kerberos/PAM stuff languishes - maybe next year.
What does it take to get an ID so you can post bugs in bugzilla?
This issue was one of my pet peeves, and you've submitted it.
Having leafnode2 make a directory /etc/leafnode/local.groups instead of a file was another, and that just got fixed.
Next there's libcom_err.so being supplied by both Heimdal and e2fsprogs, so that rebuilding Heimdal "toggles" that shared lib, and needs to be done twice every time.
Then we can get to my recent lvm2/udev problems.
Spooky Ghost Apprentice
Joined: 19 Apr 2002 Posts: 210 Location: Bristol, United Kingdom

depontius Advocate
Posted: Fri Dec 24, 2004 3:21 am
That's the one I've shifted to, especially since it's Gentoo-based. Before I bring Kerberos up again, I want to rename my LAN subnets. Just need to get a round tuit.
mxc Guru
Posted: Fri Dec 24, 2004 7:32 am Post subject: Re: Kerberos and friends
depontius wrote:
> What does it take to get an ID so you can post bugs in bugzilla?

Try https://bugs.gentoo.org/createaccount.cgi

Quote:
> Next there's libcom_err.so being supplied by both Heimdal and e2fsprogs, so that rebuilding Heimdal "toggles" that shared lib, and needs to be done twice every time.
Man, I feel your pain. I just had this nasty surprise a few hours ago. The problem is that when you are trying to get to grips with a new piece of software the last thing you need is library and compatibility errors. Things seem to be working, then they don't. So you start eliminating:
1) Do I understand what I am doing?
2) Maybe it's a typo in a config file etc.
3) Maybe it's slapd.conf permissions?
4) Maybe it's slapd.conf sasl-regex?
5) What recently changed on the client, or check client configs
6) What recently changed on the server
7) Is sasl still working (seems to get borked every now and then)
Then you find out that it was some recent emerge -uaD world which seemed to have nothing to do with kerberos and openldap.
I had evolution insisting on mit-krb5 on the client machines, as well as some other pieces of software which I can't remember now. It seems that a lot of apps are hard-coded for dependency on mit-krb5.
My current favourite problem is access permissions in slapd.conf. Whenever I try and add new users via kadmin I just get errors. I have to enable "access to * by * write" to get it to work.
I have also found the link you refer to, but it seems to be a bit silent on sasl-regex and permissions in slapd.conf.
Here is the extract from my slapd.conf:

    sasl-regexp
        uid=(.*),cn=abc.co.za,cn=digest-md5,cn=auth
        uid=$1,ou=people,dc=abc,dc=co,dc=za
    sasl-regexp
        uid=(.*),cn=abc.co.za,cn=cram-md5,cn=auth
        uid=$1,ou=people,dc=abc,dc=co,dc=za
    sasl-regexp
        uid=(.*),cn=abc.co.za,cn=gssapi,cn=auth
        uid=$1,ou=people,dc=abc,dc=co,dc=za
    access to dn=".*,dc=abc,dc=co,dc=za" attr="krb5Key,krb5KeyVersionNumber"
        by dn="uid=root,ou=people,dc=abc,dc=co,dc=za" write
        by dn="uid=kadmin/admin,cn=abc.co.za,cn=gssapi,cn=auth" write
        by dn="cn=kadmin/admin@abc.co.za,ou=kerberos,dc=abc,dc=co,dc=za" write
        by dn="uid=kadmin/admin,ou=people,dc=abc,dc=co,dc=za" write
        by sockurl="^ldapi:///$" write
        by anonymous auth
        by self write
        by users read
        by * search
    access to *
        by dn="uid=root,dc=abc,dc=co,dc=za" write
        by dn="uid=kadmin/admin,cn=abc.co.za,cn=gssapi,cn=auth" write
        by dn="uid=kadmin/admin,ou=people,dc=abc,dc=co,dc=za" write
        by dn="cn=kadmin/admin@abc.co.za,ou=kerberos,dc=abc,dc=co,dc=za" write
        by sockurl="^ldapi:///$" write
        by users read
        by self write
        by * none

As far as I can tell the "by sockurl=" doesn't work at all. According to the link, an ou=kerberos was created to keep principals. The main principal here is kadmin/admin, but my sasl-regex will always give this entry a dn under the ou=people sub tree. I think this is where some of my problems are, as the only entry for this dn is under ou=kerberos.
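The mapping problem mxc describes (sasl-regexp always rewriting the kadmin/admin identity into ou=people while the entry lives under ou=kerberos) can be checked offline. The script below is an added example, not code from the thread or from OpenLDAP: it replays the three sasl-regexp rules from the slapd.conf extract, first-match-wins as slapd does, against a constructed set of directory entries, and also flags "by dn=" ACL subjects written in SASL form that a rule rewrites before ACL evaluation. Modelling the match as a case-insensitive regex search is an assumption of this model.

```python
import re

# sasl-regexp rules copied from the slapd.conf extract in the post, in file order.
# slapd tries them top to bottom and uses the first rule that matches.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=abc.co.za,cn=digest-md5,cn=auth", "uid=$1,ou=people,dc=abc,dc=co,dc=za"),
    (r"uid=(.*),cn=abc.co.za,cn=cram-md5,cn=auth", "uid=$1,ou=people,dc=abc,dc=co,dc=za"),
    (r"uid=(.*),cn=abc.co.za,cn=gssapi,cn=auth", "uid=$1,ou=people,dc=abc,dc=co,dc=za"),
]

# Constructed sample of entries that exist in the directory, following the post:
# users live under ou=people, the kadmin/admin principal only under ou=kerberos.
EXISTING_ENTRIES = {
    "uid=root,ou=people,dc=abc,dc=co,dc=za",
    "uid=mxc,ou=people,dc=abc,dc=co,dc=za",
    "cn=kadmin/admin@abc.co.za,ou=kerberos,dc=abc,dc=co,dc=za",
}


def map_sasl_identity(sasl_dn, rules=SASL_REGEXP_RULES):
    """Authorization DN slapd derives from a SASL-form bind DN (first matching
    rule wins; with no match slapd keeps the SASL-form DN itself)."""
    for pattern, template in rules:
        match = re.search(pattern, sasl_dn, re.IGNORECASE)  # model assumption
        if match:
            # slapd writes back-references as $1, Python's re wants \1
            return match.expand(re.sub(r"\$(\d)", r"\\\1", template))
    return sasl_dn


def check_mapping(sasl_dn, entries=EXISTING_ENTRIES):
    """Map one identity and report whether the resulting DN names a real entry."""
    authz_dn = map_sasl_identity(sasl_dn)
    return authz_dn, authz_dn.lower() in {e.lower() for e in entries}


def shadowed_acl_subjects(by_dns, rules=SASL_REGEXP_RULES):
    """'by dn=' subjects in SASL form that a rule rewrites before ACL evaluation,
    so the clause can only ever match a bind for which no sasl-regexp fired."""
    return [dn for dn in by_dns if map_sasl_identity(dn, rules) != dn]


if __name__ == "__main__":
    for ident in ("uid=mxc,cn=abc.co.za,cn=gssapi,cn=auth",
                  "uid=kadmin/admin,cn=abc.co.za,cn=gssapi,cn=auth"):
        dn, exists = check_mapping(ident)
        print(f"{ident} -> {dn} ({'exists' if exists else 'NO SUCH ENTRY'})")
    print("shadowed:", shadowed_acl_subjects(["uid=kadmin/admin,cn=abc.co.za,cn=gssapi,cn=auth"]))
```

Running it shows the kadmin/admin GSSAPI identity landing on a DN that does not exist, which is the gap the post points at; a rule matching `uid=kadmin/admin` to the ou=kerberos entry ahead of the generic gssapi rule would be one way to close it.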
gsurbey Apprentice
Joined: 24 Mar 2003 Posts: 212 Location: Nashua, NH
Posted: Tue Apr 19, 2005 9:17 pm
mxc wrote:
> As far as I can tell the "by sockurl=" doesn't work at all.

try

    access to * by sockname="PATH=/var/lib/ldapi" write

Apparently something underlying changed how this is done between OpenLDAP versions.
_________________
-Greg Surbey