directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marc de Lignie (JIRA)" <>
Subject [jira] [Commented] (DIRKRB-631) Not compatible with MIT Kerberos 1.11+
Date Tue, 06 Jun 2017 18:26:18 GMT


Marc de Lignie commented on DIRKRB-631:

For people wanting to use Directory Kerby 1.0.0 with MIT Kerberos and a recent Linux distro
right now, the following workaround applies (tested on Ubuntu 16.04LTS). The problem, at least
for me, was to find out how to compile this source, i.e. learning about the extra needed compiler
flags. You will probably need to install some additional Ubuntu packages, like build-essential,
automake and autotools-dev; read the error messages.

$ wget
$ tar -xf krb5-1.10.7-signed.tar
$ tar -xf krb5-1.10.7.tar.gz
$ cd krb5-1.10.7/src
$ ./configure LDFLAGS='-z muldefs' CPPFLAGS='-DCONFIG_SMALL'
$ make
$ sudo make install

In a fresh terminal check:
$ krb5-config --version

If you use python's mit kerberos wrapper from PYPI, reinstall it so that it links to the new
default shared kerberos libraries.

This workaround does not alleviate the necessity to resolve the current issue; kerberos-1.10
is at N-5. Even the gpg key is not valid anymore, so this workaround is at your own risc :)

pub   rsa2048/749D7889 2014-06-16 [SCEA] [ingetrokken op: 2016-08-16]
uid         [ingetrok] Tom Yu <>

Cheers,   Marc

> Not compatible with MIT Kerberos 1.11+
> --------------------------------------
>                 Key: DIRKRB-631
>                 URL:
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC2, 1.0.0
>         Environment: Debian, Fedora
>            Reporter: Marc de Lignie
>             Fix For: 1.0.1
> The Kerby kdc does not accept preauthication form a MIT Kerberos client starting from
version 1.11. V1.11 hallmarks the implementation of the FAST OTP standard in MIT Kerberos,
apparently with changes not understood by Kerby.
> More details on stacktraces are available from:
> A failing test is available from:
> Without an update on Mit Kerberos compatibility Directory Kerby is not usable  for testing
kerberos functionality in Apache TInkerpop's gremlin-python module (the more so because the
Mit Kerberos 1.10 source distribution does not compile anymore with the gcc-5.x from recent
LTS Linux distributions).

This message was sent by Atlassian JIRA

View raw message