samba/kerberos compile question on Mac OS X Server 10.2.6

My apologies if this is the wrong forum for this question, but I have been asked to
relay this question to the kerberos list, having already contacted both the
samba and UM macsig lists.
I'm trying to get samba compiled on mac os x server with active directory support.
Samba 3 with active directory will in theory let somebody authenticate through AD,
so users on machines connected to a samba 3 PDC could in theory login with
their Kerberos credentials.  I am getting several kerberos related errors in
getting samba to compile properly.  One of the problems is that I'm not exactly sure
what version of kerberos is installed on mac os x server, nor if it is possible to upgrade
it.  Any information you might have on recognizing and/or fixing this error
would be appreciated.

I've managed to get samba 3_0 (still in late beta) to compile cleanly as
long as I disable AD, by passing the --disable-ads flag to ./configure.
While this has allowed me to get samba to act as a PDC that then
authenticates to the OpenLDAP server built-in to Mac OS X Server, it
doesn't achieve my goal of kerberized logins from windows with samba, and I
don't want to have to run my own Win{2k,2k3} server.

If anybody's compiled samba 3 on the mac successfully, would you mind
letting me know if you've gotten it to work properly, and how?  Have any of
you tried Panther Server DP?  Does it connect to AD successfully?

The word on the street is that Mac OS X Server Panther will have samba 3
installed (well, at least the samba source released with panther server DP
is from samba 3.0 alpha 22, but that's probably too early to have sound AD

I'm compiling samba SAMBA_3_0 pulled just now from cvs on Mac OS X Server
(10.2.6) and I'm getting this error when compiling with ads:

libsmb/clikrb5.c:137: #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
libsmb/clikrb5.c:121: illegal external declaration, missing `;' after
libsmb/clikrb5.c:186: undefined type, found `krb5_krbhst_handle'
libsmb/clikrb5.c:187: undefined type, found `krb5_krbhst_info'
cpp-precomp: warning: errors during smart preprocessing, retrying in
basic mode
make: *** [libsmb/clikrb5.o] Error 1

Compiling with --disable-ads works fine.  Is there anything I can do to
enable samba with ads on mac os x server?

Here's what I've done with the compilation:

cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
cvs -z5 -d :pserver:cvs@pserver.samba.org:/cvsroot co -r SAMBA_3_0 samba
cd samba/source

(I've compiled & installed my own version of autoconf > 2.53)
eniac:source {138} /usr/local/bin/autoconf
eniac:source {146} ./configure --with-privatedir="/var/db/samba"
--libdir="/etc" --with-ldapsam --with-acl-support --disable-cups
--with-tdbsam --with-krb5 --with-spinlocks --with-libiconv
--with-winbind  --with-logfilebase="/var/log/samba"

checking for Active Directory and krb5 support... auto
checking for krb5-config... no
checking for working krb5-config... no. Fallback to previous krb5
detection strategy
checking for kerberos 5 install path... /usr
checking krb5.h usability... yes
checking krb5.h presence... yes
checking for krb5.h... yes
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking com_err.h usability... yes
checking com_err.h presence... yes
checking for com_err.h... yes
checking for _et_list in -lcom_err... no
checking for krb5_encrypt_data in -lk5crypto... no
checking for des_set_key in -lcrypto... yes
checking for copy_Authenticator in -lasn1... no
checking for roken_getaddrinfo_hostspec in -lroken... no
checking for gss_display_status in -lgssapi... no
checking for krb5_mk_req_extended in -lkrb5... yes
checking for gss_display_status in -lgssapi_krb5... yes
checking for krb5_set_real_time... no
checking for krb5_set_default_in_tkt_etypes... no
checking for krb5_set_default_tgs_ktypes... no
checking for krb5_principal2salt... no
checking for krb5_use_enctype... yes
checking for krb5_string_to_key... yes
checking for krb5_get_pw_salt... no
checking for krb5_string_to_key_salt... no
checking for krb5_auth_con_setkey... no
checking for krb5_auth_con_setuseruserkey... yes
checking for krb5_locate_kdc... no
checking for krb5_get_permitted_enctypes... no
checking for krb5_get_default_in_tkt_etypes... no
checking for krb5_free_ktypes... no
checking for krb5_principal_get_comp_string... no
checking for addrtype in krb5_address... yes
checking for addr_type in krb5_address... no
checking for enc_part2 in krb5_ticket... yes
checking for keyvalue in krb5_keyblock... no
checking for ENCTYPE_ARCFOUR_HMAC_MD5... no
checking for the krb5_princ_component macro... yes
checking whether Active Directory and krb5 support is used... yes

Using libraries:
    LIBS =   -liconv
    KRB5_LIBS =   -lcrypto -lkrb5 -lgssapi_krb5
    LDAP_LIBS =  -llber -lldap

eniac:source {147} make


Compiling libsmb/clifile.c
Compiling libsmb/clikrb5.c
libsmb/clikrb5.c:137: #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
libsmb/clikrb5.c:121: illegal external declaration, missing `;' after
libsmb/clikrb5.c:186: undefined type, found `krb5_krbhst_handle'
libsmb/clikrb5.c:187: undefined type, found `krb5_krbhst_info'
cpp-precomp: warning: errors during smart preprocessing, retrying in
basic mode
make: *** [libsmb/clikrb5.o] Error 1


Kerberos mailing list           Kerberos@mit.edu


satadru (1)
8/9/2003 8:55:43 PM
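
The configure log in the post above already shows why clikrb5.c stops at the #error: both enctype-list probes came back "no". The shell sketch below is an added example, not part of the original post or of Samba; it assumes the #error is raised when configure finds neither krb5_get_permitted_enctypes nor krb5_get_default_in_tkt_etypes, and the function names and the embedded sample lines are constructed here.

```shell
#!/bin/sh
# Constructed sample: a few lines copied from the configure output in the post.
sample_configure_output() {
cat <<'EOF'
checking for krb5_mk_req_extended in -lkrb5... yes
checking for krb5_get_permitted_enctypes... no
checking for krb5_get_default_in_tkt_etypes... no
checking for ENCTYPE_ARCFOUR_HMAC_MD5... no
checking whether Active Directory and krb5 support is used... yes
EOF
}

# check_result NAME: read configure output on stdin and print the result of the
# probe "checking for NAME..." (yes/no), or "missing" if it was never probed.
check_result() {
    awk -v name="$1" '
        index($0, "checking for " name "... ") == 1 ||
        index($0, "checking for " name " in ") == 1 { r = $NF }
        END { print (r == "" ? "missing" : r) }'
}

# diagnose_ads: read configure output on stdin. Returns 1 when neither
# enctype-list function was detected (assumed trigger of the #error), else 0.
diagnose_ads() {
    log=$(cat)
    found=0
    for fn in krb5_get_permitted_enctypes krb5_get_default_in_tkt_etypes; do
        res=$(printf '%s\n' "$log" | check_result "$fn")
        echo "$fn: $res"
        if [ "$res" = yes ]; then found=1; fi
    done
    # Reported for information only: the RC4-HMAC constant probed by configure.
    echo "ENCTYPE_ARCFOUR_HMAC_MD5: $(printf '%s\n' "$log" |
        check_result ENCTYPE_ARCFOUR_HMAC_MD5)"
    if [ "$found" -eq 0 ]; then
        echo "=> no enctype-list function: expect #error UNKNOWN_GET_ENCTYPES_FUNCTIONS"
        return 1
    fi
    echo "=> an enctype-list function is available"
}

# Stand-alone run on the constructed sample.
sample_configure_output | diagnose_ads || true
```

To check a real build tree, pipe the saved configure output into diagnose_ads instead of the sample.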

1 Replies


>I'm attempting to compile kerberos 1.3.1 on a Mac OS X Server system.
>I did a clean configure with no special flags, and then did a make.
>The compile fails with the following error.  What am I doing wrong?
>making all in lib/rpc/unit-test...
>gcc -L../../../lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual
>-Wcast-align -Wconversion -Wshadow -Wno-comment -pedantic  -o client
>client.o rpc_test_clnt.o \
>         -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
>ld: Undefined symbols:
>make[3]: *** [client] Error 1
>make[2]: *** [all-recurse] Error 1
>make[1]: *** [all-recurse] Error 1
>make: *** [all-recurse] Error 1

This is not really a problem with the MIT Kerberos build system.  The 
problem is that Apple's ld behaves differently than ld on most other 
Unix platforms.  On Mac OS X, shared libraries are always chosen over 
static libraries even if there is a static library in an earlier 
search path than the shared library.  This causes the Kerberos which 
ships with Mac OS X to interfere with the MIT krb5 build system's use 
of the -l option.

There are two workarounds:

1) When running configure, pass the option: 
"LDFLAGS=-Wl,-search_paths_first"  This option turns on the more 
common library search order for Mac OS X's ld and is only supported 
in Panther.

2) Move the following symlinks out of the way (to another directory), 
build, and then move them back.  This works on both Jaguar and 


Note that a stock krb5-1.3 build will not be able to share 
credentials with the Kerberos that ships with Mac OS X (KfM) because 
it does not support the in-memory credentials cache used by the Mac 
and Windows MIT Kerberos releases.

Hope this helps,

Alexandra Ellwood                                               <lxs@mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/

lxs (19)
8/11/2003 9:01:30 PM