[OpenAFS] help -pam_afs.so.1
Russ Allbery
rra@stanford.edu
Thu, 14 Dec 2006 13:08:32 -0800
Michal Gutowski <gumi413@interia.pl> writes:
> HI, i have problem on fedora core5 x86_64 with make:
> /usr/bin/ld: /openafs-1.5.12/lib/libkauth.a(client.o): relocation
> R_X86_64_32 against `a local symbol\' can not be used when making a shared
> object; recompile with -fPIC
> /openafs-1.5.12/lib/libkauth.a: could not read symbols: Bad value
> collect2: ld returned 1 exit status
Yup, you can't build the PAM modules in the current tree on x86_64.
The best solution to this problem is to not use them. Instead, use
Kerberos v5 for your cell and then use a PAM module such as:
<http://www.eyrie.org/~eagle/software/pam-afs-session/>
that calls a v5-aware aklog.
Failing that, you can try the following patch, which I apply for the
Debian builds. It's a horrible ugly hack, but it results in usable PAM
modules on 64-bit Linux.
(Note that the rx_Init changes are no longer necessary; they were left
over from requirements in a previous version of OpenAFS. They don't hurt
anything, though.)
The standard upstream source builds the PAM modules against static
libraries, which means they contain non-PIC code. This isn't allowed by
Debian Policy and doesn't work on some supported platforms.
Two approaches for fixing this have been tried. One is to rebuild the
various object files that are part of the libraries PIC and then link with
those object files. The other, which this implements, is to link with the
object files used to create the libafsauthent and libafsrpc shared
libraries (which can't be shipped since they don't have a stable API or
correct SONAME). The latter means that the PAM modules must also be
linked with libpthread, but that's a feature since that means they'll work
with sshd built threaded.
--- openafs-1.3.87.orig/src/pam/Makefile.in
+++ openafs-1.3.87/src/pam/Makefile.in
@@ -25,7 +25,17 @@
afs_pam_msg.o afs_message.o AFS_component_version_number.o
OBJS = $(SHOBJS) test_pam.o
INCLUDES=-I${TOP_OBJDIR}/src/config -I${TOP_INCDIR}
-CFLAGS = ${DEBUG} ${INCLUDES} ${PAM_CFLAGS}
+CFLAGS = ${DEBUG} ${INCLUDES} ${PAM_CFLAGS} ${MT_CFLAGS}
+
+# For Debian, we link directly with the object files that would have gone
+# into the libafsrpc and libafsauthent shared libraries. The shared libraries
+# themselves cannot be used because the interface isn't stable and they have
+# no SONAME, but this is the easiest way of getting PIC objects built with the
+# pthread API.
+SHLIB_OBJS := `ls ../shlibafsauthent/*.o | grep -v version_num` \
+ `ls ../shlibafsrpc/*.o | grep -v version_num`
+KRB_SHLIB_OBJS := `ls ../shlibafsauthent/*.o | egrep -v 'version_num|ktc.o'` \
+ `ls ../shlibafsrpc/*.o | grep -v version_num`
all: test_pam ${TOP_LIBDIR}/pam_afs.so.1 ${TOP_LIBDIR}/pam_afs.krb.so.1
@@ -39,14 +49,18 @@
${CC} ${CFLAGS} -c ${srcdir}/afs_auth.c -o afs_auth.o
afs_auth_krb.o: afs_auth.c afs_pam_msg.h afs_message.h afs_util.h
- ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
+ ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
afs_util.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
${CC} ${CFLAGS} -c ${srcdir}/afs_util.c -o afs_util.o
+
afs_util_krb.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_util.c -o afs_util_krb.o
+ktc.o: ${srcdir}/../auth/ktc.c
+ ${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/../auth/ktc.c
+
pam_afs.so.1: $(SHOBJS) afs_setcred.o afs_auth.o afs_util.o
set -x; \
case "$(SYS_NAME)" in \
@@ -59,8 +73,9 @@
afs_setcred.o afs_auth.o afs_util.o \
$(SHOBJS) $(LIBS) ;; \
*linux*) \
- $(CC) $(LDFLAGS) -o $@ afs_setcred.o \
- afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
+ $(CC) $(LDFLAGS) $(PAM_CFLAGS) -o $@ afs_setcred.o \
+ afs_auth.o afs_util.o $(SHOBJS) $(SHLIB_OBJS) \
+ $(MT_LIBS) -lpam -lresolv;;\
*fbsd*| *nbsd*) \
$(CC) $(LDFLAGS) -o $@ afs_setcred.o \
afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
@@ -68,7 +83,7 @@
echo No link line for system $(SYS_NAME). ;; \
esac
-pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o
+pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o ktc.o
set -x; \
case "$(SYS_NAME)" in \
hp_ux* | ia64_hpux*) \
@@ -81,7 +96,8 @@
$(SHOBJS) $(LDFLAGS) $(KLIBS) ;; \
*linux*) \
$(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
- afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
+ afs_auth_krb.o afs_util_krb.o ktc.o $(SHOBJS) \
+ $(KRB_SHLIB_OBJS) $(MT_LIBS) -lpam -lresolv;;\
*fbsd*| *nbsd*) \
$(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
--- openafs-1.3.87.orig/src/pam/afs_setcred.c
+++ openafs-1.3.87/src/pam/afs_setcred.c
@@ -52,7 +52,7 @@
int refresh_token = 0;
int set_expires = 0; /* the default is to not to set the env variable */
int use_klog = 0;
- int i;
+ int i, code;
struct pam_conv *pam_convp = NULL;
char my_password_buf[256];
char *cell_ptr = NULL;
@@ -281,6 +281,11 @@
#endif
}
+ if ((code = rx_Init(0)) != 0) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+ RET(PAM_AUTH_ERR);
+ }
+
if (flags & PAM_REFRESH_CRED) {
if (use_klog) {
auth_ok = !do_klog(user, password, "00:00:01", cell_ptr);
--- openafs-1.3.87.orig/src/pam/afs_auth.c
+++ openafs-1.3.87/src/pam/afs_auth.c
@@ -314,6 +314,10 @@
if (cpid <= 0) { /* The child process */
if (logmask && LOG_MASK(LOG_DEBUG))
syslog(LOG_DEBUG, "in child");
+ if ((code = rx_Init(0)) != 0) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+ exit(0);
+ }
if (refresh_token || set_token)
code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user, /* kerberos name */
NULL, /* instance */
@@ -363,6 +367,10 @@
pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
}
} else { /* dont_fork, used by httpd */
+ if ((code = rx_Init(0)) != 0) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+ RET(PAM_AUTH_ERR);
+ }
if (logmask && LOG_MASK(LOG_DEBUG))
syslog(LOG_DEBUG, "dont_fork");
if (refresh_token || set_token)
--- openafs-1.3.87.orig/Makefile.in
+++ openafs-1.3.87/Makefile.in
@@ -507,8 +507,6 @@
# pthread based user space RX library
shlibafsrpc: rx rxkad des
case ${SYS_NAME} in \
- amd64_linux24) \
- echo Skipping shlibafsrpc for amd64_linux24 ;; \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
${COMPILE_PART1} shlibafsrpc ${COMPILE_PART2} ;; \
*) \
@@ -517,8 +515,6 @@
shlibafsauthent: ubik auth kauth shlibafsrpc
case ${SYS_NAME} in \
- amd64_linux24) \
- echo Skipping shlibafsauthent for amd64_linux24 ;; \
alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
${COMPILE_PART1} shlibafsauthent ${COMPILE_PART2} ;; \
*) \
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>