./configure --with-berkeley-db --with-x --enable-pthread-support --enable-kcm

compiles & passes make check on SUSE Leap 4.2. However the -aklog switch isn't working. Can someone verify the specific krb5.conf switches to enable afslog? I have 7.0.1 up in IBM's eclipse IDE which seems to work fine.

tedc

________________________________________
From: Heimdal-discuss <heimdal-discuss-boun...@h5l.org> on behalf of heimdal-discuss-requ...@h5l.org <heimdal-discuss-requ...@h5l.org>
Sent: Thursday, December 29, 2016 1:10 AM
To: heimdal-discuss@h5l.org
Subject: Heimdal-discuss Digest, Vol 8, Issue 10

Send Heimdal-discuss mailing list submissions to
        heimdal-discuss@h5l.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://www.h5l.org/mailman/listinfo/heimdal-discuss
or, via email, send a message with subject or body 'help' to
        heimdal-discuss-requ...@h5l.org

You can reach the person managing the list at
        heimdal-discuss-ow...@h5l.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Heimdal-discuss digest..."

Today's Topics:

   1. Re: Heimdal 7.1 and the sqlite backend (Harald Barth)
   2. Re: Heimdal 7.1 no success with database backend (sqlite and others) (Harald Barth)
   3. KDC tests fail when unrelated ticket with time skew is at the default location (Harald Barth)
   4. Re: KDC tests fail when unrelated ticket with time skew is at the default location (Ken Dreyer)
   5. Re: KDC tests fail when unrelated ticket with time skew is at the default location (Harald Barth)

----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Dec 2016 14:17:01 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: n...@cryptonector.com
Cc: heimdal-disc...@sics.se
Subject: Re: Heimdal 7.1 and the sqlite backend
Message-ID: <20161228.141701.198933457262321705.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii

> So, in /etc/krb5.conf you should have this:
>
> [hdb]
>     db-dir = /var/heimdal
>
> (or wherever you put your HDB)

Sure, and then it gets more and more confusing. I now start the kdc and the kadmin with -c /etc/krb5.conf and have a symlink in /var/heimdal/kdc.conf pointing to /etc/krb5.conf.

# /usr/heimdal-7.1.0/libexec/kdc -c /etc/krb5.conf&
[1] 80459
# /usr/heimdal-7.1.0/bin/kadmin -l -c /etc/krb5.conf
kadmin> get *
kadmin: opening database: dbm_open(/var/heimdal/heimdal): No such file or directory
kadmin: kadm5_get_principals: dbm_open(/var/heimdal/heimdal): No such file or directory
kadmin> init TEST.PDC.KTH.SE
kadmin: hdb_open: hdb_open: failed initialize database /var/heimdal/heimdal
kadmin>

So kadmin is sure doing the wrong thing here

# cat /etc/krb5.conf
[hdb]
        db-dir = /var/heimdal
        dbname = sqlite:/var/heimdal/mydb.sqlite

[kdc]
        database = {
                dbname = sqlite:/var/heimdal/mydb.sqlite
                realm = TEST.PDC.KTH.SE
        }
        require_preauth = true
        enable-http = true
        tgt-use-strongest-session-key = true
        svc-use-strongest-session-key = true
        preauth-use-strongest-session-key = true
        use-strongest-server-key = true
        kdc_warn_pwexpire = 1w

[logging]
        kdc = 0-/FILE:/var/heimdal/kdc.log
        kdc = 0-/SYSLOG:INFO:USER
        default = 0-/FILE:/var/log/heimdal.log

Then I get the following logging from the kdc startup:

2016-12-28T13:57:20 label: default
2016-12-28T13:57:20 dbname: sqlite:/var/heimdal/mydb.sqlite
2016-12-28T13:57:20 mkey_file: sqlite:/var/heimdal/mydb.mkey
2016-12-28T13:57:20 acl_file: /var/heimdal/kadmind.acl

So the problem seems to be that I can not convince kadmin to open the same database because I don't know what to write in the krb5.conf to make that happen.
I can verify with ktrace that /etc/krb5.conf (see above) actually is read but then what logic is applied when parsing - I have not found out how to follow that.

Harald.

------------------------------

Message: 2
Date: Wed, 28 Dec 2016 17:13:48 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: heimdal-disc...@sics.se
Subject: Re: Heimdal 7.1 no success with database backend (sqlite and others)
Message-ID: <20161228.171348.1317098851444232743.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii

Well, not even when I unconfigure sqlite support does it pass make check.

Error message: "kadmin: No database support for /var/heimdal/heimdal"

So I suspect that with

# ./configure --with-libintl --with-libintl-include=/usr/local/include \
    --with-libintl-lib=/usr/local/lib --prefix=/usr/heimdal-7.1.0-lmdb \
    --disable-kcm --with-openssl --with-openssl-include=/usr/include \
    --with-openssl-lib=/usr/lib --disable-otp --enable-pthread-support \
    --with-readline=/usr/local --with-hdbdir=/var/heimdal --without-berkeley-db \
    --enable-digest --with-ipv6 --enable-kx509 --without-openldap --enable-pk-init \
    --without-sqlite3 --with-x --x-libraries=/usr/local/lib \
    --x-includes=/usr/local/include --localstatedir=/var --disable-silent-rules \
    --disable-ndbm-db --enable-mdb-db "CFLAGS=-I/usr/local/include" \
    LDFLAGS="-L/usr/local/lib -Wl,-rpath -Wl,/usr/local/lib -lintl"

it does produce some kind of broken hdb library that will not pass make check, at least not on FreeBSD11 :-(

I'll continue in the search for a configure line that actually makes something that passes make check to start with.

Harald.

------------------------------

Message: 3
Date: Wed, 28 Dec 2016 20:48:46 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: heimdal-disc...@sics.se
Subject: KDC tests fail when unrelated ticket with time skew is at the default location
Message-ID: <20161228.204846.336360576392363946.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii

If there is an unrelated ticket with time skew at the default location

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: h...@stacken.kth.se
    Cache version: 4
  KDC time offset: -23 minutes 22 seconds

Server: krbtgt/stacken.kth...@stacken.kth.se
Client: h...@stacken.kth.se
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 328
Auth time:  Dec 22 13:33:51 2016
End time:   Dec 29 13:33:51 2016
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

the following tests fail for that reason (shouldn't the tests be independent of such stuff like unrelated old tickets?)

FAIL: check-kdc
FAIL: check-kdc-weak

When I remove the offending ticket:

PASS: check-kdc
PASS: check-kdc-weak

Now I "only" have to find the reason why these still fail in the kdc tests:

FAIL: check-pkinit
FAIL: check-iprop

Harald.

------------------------------

Message: 4
Date: Wed, 28 Dec 2016 17:35:40 -0700
From: Ken Dreyer <ktdre...@ktdreyer.com>
To: Harald Barth <h...@kth.se>
Cc: heimdal-disc...@sics.se
Subject: Re: KDC tests fail when unrelated ticket with time skew is at the default location
Message-ID: <CAD3FbMWFpgCcT67Gtfw4zdL+Tf84v4=fmo99wyvhn7uw416...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Wed, Dec 28, 2016 at 12:48 PM, Harald Barth <h...@kth.se> wrote:
> the following tests fail for that reason (shouldn't the tests be
> independent of such stuff like unrelated old tickets?)

It would be nice to use EXAMPLE.ORG realms or something that will never resolve to a real realm.

> Now I "only" have to find the reason why these still fail in the kdc tests:
>
> FAIL: check-pkinit
> FAIL: check-iprop

Typically the build system leaves some logs behind during "make check" in each test directory (eg tests/kdc/test-suite.log). You can look through the tests/kdc code and identify what exact command fails, then run that command by hand to get more details (is it a crash?)

- Ken

------------------------------

Message: 5
Date: Thu, 29 Dec 2016 10:10:22 +0100 (CET)
From: Harald Barth <h...@kth.se>
To: ktdre...@ktdreyer.com
Cc: heimdal-disc...@sics.se
Subject: Re: KDC tests fail when unrelated ticket with time skew is at the default location
Message-ID: <20161229.101022.612786380250033907.h...@habook.pdc.kth.se>
Content-Type: Text/Plain; charset=us-ascii

> It would be nice to use EXAMPLE.ORG realms or something that will
> never resolve to a real realm.

It _does_ use a test realm, but the test nevertheless is disturbed by a completely unrelated ticket at the default ticket location. That is a bug in the testing framework or in some utility which does not abide by the KRB5CCNAME setting and looks at other locations anyway.

> Typically the build system leaves some logs behind during "make check"
> in each test directory (eg tests/kdc/test-suite.log).

Yesss, thanks, now next workday and now I continue the hunt for bugs with new coffee and bash -x.

>> FAIL: check-pkinit

This seems to be one more bug in the test-suite. What I get is

+ /usr/local/src/heimdal-7.1.0-build-lmdb/kuser/kinit -c FILE:../../tests/kdc/cache.krb5 --no-afslog -C PKCS11:../../tests/kdc/../../lib/hx509/.libs/libhx509.so f...@test.h5l.se
kinit: Password incorrect

Which is from check-pkinit around these lines:

    for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do
        if [ -f $dir/$a ] ; then
            file=$dir/$a
            break
        fi
    done
    if [ X"$file" != X -a true ] ; then
        echo "Trying pk-init (principal in pki-mapping file) "; > messages.log
        ${kinit} -C PKCS11:${file} foo@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}
    fi

The "-C PKCS11:${file}" seems broken. I guess the -C flag should take a cert and not a library as an argument. BTW, the -C flag is not documented in the kinit manual page and it would be good if the messages "Trying..." would be unique.
>> FAIL: check-iprop

This error was due to wc not being compatible between Linux and FreeBSD:

linux$ echo foo | wc -l
1
freebsd$ echo foo | wc -l
       1

Note the extra spaces which blow up in the following expr which can not handle that. Patch:

--- check-iprop.in.orig	2016-12-29 10:25:05.379171000 +0100
+++ check-iprop.in	2016-12-29 10:25:47.205435000 +0100
@@ -384,7 +384,7 @@
     # and LMDB levels.
     #
     echo "checking that principals in DB == entries in LMDB"
-    princs=`${kadmin} -l list '*' | wc -l`
+    princs=`${kadmin} -l list '*' | wc -l | awk '{print $1}'`
     entries=`mdb_stat -n current-db.mdb | grep 'Entries:' | awk '{print $2}'`
     [ "`expr 1 + "$princs"`" -eq "$entries" ] || exit 1
 fi

I think it's OK to use awk to get rid of the whitespace as awk already is used in the script. Other alternative to get rid of spaces would be

+    set `${kadmin} -l list '*' | wc -l`
+    princs=$1

Now back to testing different database backends,
Harald.
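Review bot: the `+ princs=` line is the right minimal fix, and it matches the `entries=` context line one below, which already extracts a field with awk, so the script stays consistent. The root cause is visible in the last context line before `fi`: `expr 1 + "$princs"` passes the count quoted, so any padding that reaches `$princs` arrives at expr as one non-integer argument and the whole `[ ... -eq ... ] || exit 1` check fails with a confusing error rather than a count mismatch. Worth stating that in the commit message, since a reader of the hunk alone sees only an added `awk '{print $1}'` and not why `wc -l` output needed normalising.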
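As an added example (not from Harald's mail or from Heimdal's check-iprop.in), the following POSIX sh script reproduces the failure mode described above with a constructed stand-in for the padded `wc -l` output, and shows both whitespace-stripping fixes the mail proposes; `padded_count`, `broken_compare`, `awk_strip`, `set_strip` and `fixed_compare` are names chosen here, not the test suite's.

```shell
#!/bin/sh
# Added example, not part of the thread or of Heimdal's check-iprop.in.
# Reproduces how a right-aligned `wc -l` count (as seen on FreeBSD) breaks
# the quoted `expr` comparison in check-iprop, and shows both fixes.

# Constructed stand-in for FreeBSD's padded `wc -l` output, e.g. "       1".
padded_count() {
    printf '%8d\n' "$1"
}

# Original check-iprop logic: the padded value is handed to expr inside
# double quotes, so expr sees one non-integer argument and prints nothing;
# the following `[ -eq ]` then fails. Returns non-zero for any input.
broken_compare() {
    princs=$(padded_count "$1")
    sum=$(expr 1 + "$princs" 2>/dev/null)
    [ "$sum" -eq "$2" ] 2>/dev/null
}

# Fix 1 (the patch in the mail): keep only the first awk field.
awk_strip() {
    padded_count "$1" | awk '{print $1}'
}

# Fix 2 (the alternative in the mail): let the shell's word splitting of an
# unquoted command substitution drop the padding via `set`.
set_strip() {
    set -- $(padded_count "$1")
    printf '%s\n' "$1"
}

# Corrected check from the patch: principals in the HDB plus one must equal
# the number of LMDB entries ($2). Returns 0 on match, 1 on mismatch.
fixed_compare() {
    princs=$(awk_strip "$1")
    [ "$(expr 1 + "$princs")" -eq "$2" ]
}
```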