MIT Information Systems

Macintosh Development



Kerberos 5 Build Instructions for Mac OS X Server

Here are build instructions for the Kerberos 5 port to Rhapsody DR1, DR2 and Mac OS X Server.

About the Port:

The patches to make V5 build on Mac OS X Server are only in the krb5-current source tree and not in the 1.0 distribution or the beta releases. However, these changes will be in the next full release of Kerberos 5.

The current Kerberos 5 port to Mac OS X builds the entire Kerberos distribution with static libraries and statically linked clients. We have at least partially tested most of the clients, and the Kerberos server. This isn't to say that there aren't bugs.

Now before you do lots of work on the krb5-current tree, you should know that the Kerberos 5 and MacDev teams at MIT are currently working with a couple people at Apple on krb5 support for Mac OS X. (Note that I'm not implying that Apple has any official plans for krb5 in Mac OS X, just that there are a few developers in Apple who are interested in it.) So, since there is a substantial amount of Mac OS X work already going on, if you are planning on integrating krb5 into Mac OS X somehow, you should contact us so that we don't end up duplicating each other's work.

Getting the Source Tree:

You can get a snapshot of the current krb5 source tree by going to ftp://athena-dist.mit.edu/pub/kerberos/, reading the entire file "README.KRB5-CURRENT" and following the directions.

Please note that since krb5-current is a daily snapshot, depending on when you download it the source tree may not build. If it fails, try getting another copy the next day. If you have a lot of trouble getting it to build at all, please contact the krb5 team at krbdev@mit.edu.

If you find bugs, please report them!

Build Instructions:

  1. Get the distribution, gunzip it, and use gnutar to unpack it. You should do this as some user other than root (in general, it's a bad idea to give "configure" and "make" root permissions). For the purposes of these instructions, I will refer to this user as "builder" but it can be "me" or any other user you want. Here is an example of how to do this at a Terminal.app prompt:
    > cd /tmp/
    > ftp athena-dist.mit.edu
    
    [ get the src, crypto and doc tarballs here ]
    > gunzip *.gz
    > gnutar -xf krb5-current.src.tar
    > gnutar -xf krb5-current.doc.tar
    > gnutar -xf krb5-current.crypto.tar
    
  2. As "builder", run util/reconf to create all the configure scripts and configure to set up the Makefiles. If you want to see what configure options exist, run "./configure --help". The option you absolutely need is "--with-ccopts='-fno-common'". If you do not specify this flag, the build will fail. Chances are that you will just do the following:
    > cd /tmp/krb5-current/src/
    > ./util/reconf
    
    [ wait about a minute or so while it generates all the configure scripts ]
    > ./configure --with-ccopts='-fno-common'
    
    [ configure investigates your operating system for about 10-15 mins ]
    > make
    
    [ wait about 30 mins to an hour while it builds ]

  3. Now you need to test your DNS resolver. This is the sucky part because depending on whether you can fix this, you may not be able to run the servers which use kerberos 5, such as telnetd.
    > cd /tmp/krb5-current/src/tests/resolve
    > ./resolve
    
    [ will say you either passed or failed the FQDN test ]

    If the test passed, go on to the next step. If the test failed, you will need to change the caching strategy for lookupd so that it uses DNS first, rather than NetInfo.

    As root do the following:

    > niutil -create . /locations/lookupd/hosts
    > niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent NIAgent NILAgent
    
    Now after this change, you will need to either reboot or "kill -HUP" lookupd's pid. You should definitely avoid killing lookupd without the "-HUP" argument because your machine will lock up hard (hmm, now did someone learn this empirically? :-)

    If the test still fails, you can turn off lookupd's caching by doing the following as root (and then sending lookupd a "kill -HUP" in the same way you did above):

    > niutil -create . /locations/lookupd/hosts
    > niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent CacheAgent NIAgent NILAgent
    

  4. After you get the resolver working, you can install the binaries. As root, do the following:
    > cd /tmp/krb5-current/src
    > make install
    
    [ wait while the binaries get installed ]

  5. Now you need to add services to the "/etc/services" equivalent in NetInfo. You can do this by running the following commands (we will be adding this as a script in the krb5 tree soon). As root, do the following:
    > niutil -create . /services/kerberos
    > niutil -createprop . /services/kerberos name kerberos kdc
    > niutil -createprop . /services/kerberos port 750
    > niutil -createprop . /services/kerberos protocol tcp udp
    > niutil -create . /services/krbupdate
    > niutil -createprop . /services/krbupdate name krbupdate kreg
    > niutil -createprop . /services/krbupdate port 760
    > niutil -createprop . /services/krbupdate protocol tcp
    > niutil -create . /services/kpasswd
    > niutil -createprop . /services/kpasswd name kpasswd kpwd
    > niutil -createprop . /services/kpasswd port 761
    > niutil -createprop . /services/kpasswd protocol tcp
    > niutil -create . /services/klogin
    > niutil -createprop . /services/klogin port 543
    > niutil -createprop . /services/klogin protocol tcp
    > niutil -create . /services/eklogin
    > niutil -createprop . /services/eklogin port 2105
    > niutil -createprop . /services/eklogin protocol tcp
    > niutil -create . /services/kshell
    > niutil -createprop . /services/kshell name kshell krcmd
    > niutil -createprop . /services/kshell port 544
    > niutil -createprop . /services/kshell protocol tcp
    
  6. Now you should have a working set of installed krb5 binaries. Make sure to get a krb5.keytab if you want to be able to use krb5 servers like ftpd and eklogind.
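
Step 5 can be generated from a table instead of being typed by hand as root. The script below is an added example, not the script the krb5 team planned to ship: the function name services_to_niutil and the table layout are assumptions, while the services, ports and niutil subcommands are those of step 5. It only prints the commands, so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the krb5 tree): emit the step-5 niutil commands
# from a service table. services_to_niutil and the table format are
# hypothetical; the values are the ones listed in step 5.

# One row per service: name port protocols [aliases...]
# Protocols are comma-separated (tcp, udp or tcp,udp).
KRB5_SERVICES='kerberos 750 tcp,udp kdc
krbupdate 760 tcp kreg
kpasswd 761 tcp kpwd
klogin 543 tcp
eklogin 2105 tcp
kshell 544 tcp krcmd'

# Read rows on stdin and print (never execute) the niutil commands.
# A malformed row aborts with status 1 so that nothing unexpected
# ends up in a command line that will later run as root.
services_to_niutil() {
    while read -r name port protos aliases; do
        case "$name" in ''|'#'*) continue;; esac      # blank line or comment
        case "$name $aliases" in
            *[!a-z0-9_\ -]*) echo "bad name or alias: $name $aliases" >&2; return 1;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port for $name: $port" >&2; return 1;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "port out of range for $name: $port" >&2; return 1; }
        case "$protos" in
            tcp|udp|tcp,udp) ;;
            *) echo "bad protocol for $name: $protos" >&2; return 1;;
        esac
        echo "niutil -create . /services/$name"
        # As in step 5, a name property is written only when there are aliases.
        if [ -n "$aliases" ]; then
            echo "niutil -createprop . /services/$name name $name $aliases"
        fi
        echo "niutil -createprop . /services/$name port $port"
        echo "niutil -createprop . /services/$name protocol $(echo "$protos" | tr ',' ' ')"
    done
}

# Print the commands for the table above so they can be reviewed.
printf '%s\n' "$KRB5_SERVICES" | services_to_niutil
```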


    Questions or comments? Send mail to macdev@mit.edu
    Last updated on $Date: 2003/11/18 21:57:13 $
    Last modified by $Author: smcguire $