[Samba] Solaris 9 --with-krb5 problems

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Mon Mar 8 11:18:25 GMT 2004

Hi Diego,

	I think we broadly agree, but I might not be making myself very clear. Sun Kerberos will not break
or interfere with Samba but Sun have not made a krb5.h header file available so you cannot use Sun
Kerberos to compile Samba with Kerberos support. You will not need to uninstall Sun Kerberos to install
MIT or Heimdal Kerberos.
What I was surprised by was that you have two gssapi.h files on your system, but this was my ignorance
as when I checked my MIT kerberos seems also to have installed its own gssapi.h. But I checked some of
your definition errors against my files, and for example "gss_uint32" is defined identically in both the
Sun and MIT header file. So this doesn't answer why you have a problem, my system might work because it
is correctly ignoring the Sun header file or maybe because they do not have any conflicting
If I was you I'd try renaming the Sun header file for the duration of you're compile and see if it works
then, although I don't know if this would have any undesirable side effects,

	cheers Andy.

Hi Andy,

> ## Ok as far as I'm aware the following is true, you must use MIT or Heimdal Kerberos with
> ## Solaris because Solaris Kerberos is not available with header files (Sun have no plans
> ## to include headers with their bundled distribution). Sun/MIT/Heimdal implementations of
> ## Kerberos are all gssapi compliant authentication mechanisms.

I think the above is not correct, as you can see from the following
commands; the header files for gssapi are part of the package SUNWhea:

oak:/etc/openldap/ldif # pkgchk -lp /usr/include/gssapi/gssapi.h
Pathname: /usr/include/gssapi/gssapi.h
Type: regular file
Expected mode: 0644
Expected owner: root
Expected group: bin
Expected file size (bytes): 22478
Expected sum(1) of contents: 31395
Expected last modification: Apr 06 14:12:32 2002
Referenced by the following packages:
Current status: installed

oak:/etc/openldap/ldif # pkginfo -l SUNWhea
      NAME:  SunOS Header Files
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.9.0,REV=2002.
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  SunOS C/C++ header files for general development of software
    PSTAMP:  leo20030527173442
  INSTDATE:  Dec 30 2003 16:31
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:     1323 installed pathnames
                  32 shared pathnames
                  85 directories
               16086 blocks used (approx)

> ## You appear to have installed what looks like a second version of gssapi (I assume also Heimdal)
> ## which Samba make is not liking. I'm sorry I haven't tried installing Heimdal Kerberos myself,
> ## can you check whether it is possible to install/compile it without installing a duplicate
> ## implementation of gssapi? Or maybe someone else on the list can help?
> ## thanks Andy.

I am using heimdal because it is thread safe while mit kerberos is not.
This is very important for my openldap server.  Would you please check if
your system has the package SUNWhea installed? If it is then you should
have some header files like /usr/include/gssapi/gssapi.h

The conflicting header files are not part of any of Sun's kerberos
packages SUNWkrbr, SUNWkrbu or SUNWkrbux which I have installed since
those provide authentication.  I did not want to have to remove all the
Sun kerberos packages since I am using the pam_krb5.so from those packages
in my pam stack to authenticate users.  Even if I remove the kerberos
packages the header files will remain there so I do not think removing
those kerberos packages will help.

Have a good weekend,


> The problem is with the header files.  It tries to use the ones from
> Solaris 9 kerberos implementatoin which are located in /usr/include as
> opposed to the ones from heimdal in /opt/local/include).  This happens
> using both cc and gcc.
> configure works  fine but make fails.
> I also changed /var/ld/ld.config, but the problem is not the libraries, is
> the include files. This is what crle shows:
> oak:/tmp/samba-3.0.2a/source % crle
> Configuration file [3]: /var/ld/ld.config
>   Default Library Path (ELF):   /opt/local/lib:/usr/lib
>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
> Command line:
>   crle -c /var/ld/ld.config -l /opt/local/lib:/usr/lib
> The last few lines of configure are:
> ----------------snip------------
> checking how to build vfs_cap... shared
> Using libraries:
>     LIBS = -lsendfile -lsec -lgen -lresolv -lsocket -lnsl  -liconv
>     KRB5_LIBS = -lcom_err  -L/opt/local/encap/heimdal-0.6/lib -lgssapi
> -lkrb5 -lasn1 -L/opt/local/lib -lcrypto -lroken
>     LDAP_LIBS = -lldap -llber
>     AUTH_LIBS =
> checking configure summary... yes
> configure: creating ./config.status
> config.status: creating include/stamp-h
> config.status: creating Makefile
> config.status: creating script/findsmb
> config.status: creating smbadduser
> config.status: creating script/gen-8bit-gap.sh
> config.status: creating include/config.h
> Then when I type make:
> oak:/tmp/samba-3.0.2a/source % make
> Using FLAGS =  -O -I/opt/local/encap/heimdal-0.6/include
> -I/opt/local/include  -Iinclude -I/tmp/samba-3.0.2a/source/include
> -I/tmp/samba-3.0.2a/source/ubiqx -I/tmp/samba-3.0.2a/source/smbwrapper
> -I/opt/local/encap/heimdal-0.6/include -I/opt/local/include
> -I/tmp/samba-3.0.2a/source
>       LIBS = -lsendfile -lsec -lgen -lresolv -lsocket -lnsl -liconv
>       LDSHFLAGS = -G
>       LDFLAGS =
> Generating smbd/build_options.c
> Building include/proto.h
> creating /tmp/samba-3.0.2a/source/include/proto.h
> Building include/wrepld_proto.h
> creating /tmp/samba-3.0.2a/source/include/wrepld_proto.h
> Building include/build_env.h
> creating /tmp/samba-3.0.2a/source/nsswitch/winbindd_proto.h
> creating /tmp/samba-3.0.2a/source/web/swat_proto.h
> creating /tmp/samba-3.0.2a/source/client/client_proto.h
> creating /tmp/samba-3.0.2a/source/utils/net_proto.h
> Compiling dynconfig.c
> In file included from include/includes.h:421,
>                  from dynconfig.c:21:
> /opt/local/encap/heimdal-0.6/include/gssapi.h:50: warning: redefinition of
> `OM_uint32'
> /usr/include/gssapi/gssapi.h:87: warning: `OM_uint32' previously declared
> here
> /opt/local/encap/heimdal-0.6/include/gssapi.h:52: warning: redefinition of
> `gss_uint32'
> /usr/include/gssapi/gssapi.h:64: warning: `gss_uint32' previously declared
> here
> /opt/local/encap/heimdal-0.6/include/gssapi.h:64: error: conflicting types
> for `gss_name_t'
> /usr/include/gssapi/gssapi.h:57: error: previous declaration of
> `gss_name_t'
> /opt/local/encap/heimdal-0.6/include/gssapi.h:76: error: conflicting types
> for `gss_ctx_id_t'
> .
> .
> .  keeps going.. it is a long list
> .
> .
> /usr/include/gssapi/gssapi.h:695: error: previous declaration of
> `gss_seal'
> /opt/local/encap/heimdal-0.6/include/gssapi.h:765: error: conflicting
> types for `gss_unseal'
> /usr/include/gssapi/gssapi.h:704: error: previous declaration of
> `gss_unseal'
> make: *** [dynconfig.o] Error 1
> Any ideas?
> ----------------------------------
> Diego Julian Remolina
> System Administrator
> School of Mathematics
> Georgia Institute of Technology
> (404) 894-7385
> (404) 894-1309
> ----------------------------------
> On Fri, 5 Mar 2004, ww m-pubsyssamba wrote:
> > Hi,
> >
> > I am running configure with the option --with-krb5=/opt/local which is
> > where I have heimdal installed.  The problem is that after running make,
> > it still tries to use the include files from SUN that are in /usr/ and this
> > screws up the compile.
> >
> > ## Mmm strange, I've not had any problems on Solaris 9 with MIT Kerberos...
> > ## What files is it accidentally using, and in what way does this screw up your compile?
> >
> > Since I only need samba to be a PDC for my windows workstations,
> > Should I just build it without kerberos support?  I will store all samba
> > user information in ldap and so authentication will be done against the
> > ldap LMpasswd and NTpasswd entries and not through kerberos.  This is my
> > understanding so please correct me if I am wrong.
> >
> > ## I think there are some ways of implementing MIT KDC server with Samba as a PDC but this is not a normal configuration.
> > ## If all you want is a Samba PDC using NTLM authentication then I do not beleive you need any Kerberos support
> > ## hope this helps, Andy.
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically
If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

More information about the samba mailing list