Macintosh Development

[Home] [About Us] [People] [Information Systems]
[Kerberos for Macintosh] [Applications] [Miscellaneous Documentation]

Known Bugs in Mac OS X 10.1 Kerberos

Most of these bugs have been fixed by the Kerberos for Macintosh 4.0 release; if these bugs are affecting you, you should upgrade. Kerberos for Macintosh 4.0 will be included in a future version of Mac OS X.

Behavior Workaround

I tried to link my program against the libraries in /usr/lib (ie: linking with -lkrb5) and get a link error similar to:

/usr/bin/ld: /var/tmp/cccAgaaa.o illegal reference to symbol: [a Kerberos symbol] defined in indirectly referenced dynamic library /System/Library/Frameworks/Kerberos.framework/[...]" Fixed in Kerberos for Macintosh 4.0.
By default, Mac OS X 10.1 does not allow indirect linking via re-export libraries. There are two possible workarounds:

1) Use the -flat_namespace option at link time to allow indirect linking.

2) Link directly against the Kerberos framework with -prebind -framework Kerberos .

In /usr/lib there is a libdes524.dylib instead of libdes425.dylib. Fixed in Kerberos for Macintosh 4.0.
Since we have fixed this name in KfM 4.0 and it will be correct in future visions of Mac OS X, be sure to design your build systems to look for the correct name on Mac OS X.

I cannot get tickets at my Kerberos v4-only site, even though I can get tickets on Mac OS X 10.0.x and/or Mac OS 9. Fixed in Kerberos for Macintosh 4.0.
Under Mac OS X 10.1, our Kerberos 4 library incorrectly defaults to port 88 for the Kerberos 4 protocol. Edit your Kerberos preferences ("edu.mit.Kerberos") file to specify the correct port (750). For example, the line "kdc = myserver.mydomain.com" would become "kdc = myserver.mydomain.com:750".

When a non-admin user logs in using the Kerberos authenticator, they do not get v4 tickets. Fixed in Kerberos for Macintosh 4.0.
After the user logs in, get tickets using kinit or the Kerberos Login dialog.

I tried to get tickets and got an error.
For example, kinit said "kinit(v5): Unknown error while initializing Kerberos 5 library", or the Kerberos application told me "A fatal error has occurred. Condition: !(klErr == klNoErr), File: CKrbSession.cp, Line # 619." The Kerberos preferences ("edu.mit.Kerberos") file is missing. You must install one with information pertaining to your site's Kerberos configuration. See the Kerberos Preferences documentation for information on creating the Kerberos preferences file.

Carbon Eudora or other applications unexpectedly quit or give errors when I try use them with Kerberos. Mac OS X 10.1 Kerberos as shipped does not include CFM support.
To use the Mac OS X 10.1 Kerberos with Eudora and other existing CFM-based GUI applications, either install the Kerberos for Macintosh 4.0 release or the Mac OS X 10.1 Kerberos Extras .

Any Kerberos operation that would display UI will not work from a controlling terminal, such as SSH or Telnet connections. Fixed in Kerberos for Macintosh 4.0.

If the same user is logged in more than once (for example, on the console and using SSH) the credential cache may behave incorrectly. Fixed in Kerberos for Macintosh 4.0.

I didn't specify a principal for kinit, and it didn't assume my current login name. Specify your username.
Fixed in Kerberos for Macintosh 4.0.

If there are characters with diacritical marks (e.g. ö, é) in my startup disk's volume name, the Kerberos application will not run, and kinit gives an error when I try to log in. Rename the volume to remove the characters with diacritical marks.

I am having problems with the /usr/lib support. Please write us telling us what you are trying to do, and what problems you are experiencing.

I can't drag the ticket lifetime slider in the Kerberos Options dialog all the way to the left. (e.g.: When the minimum lifetime is set to 10 minutes, I can only drag the slider down to 15 minutes.) None. We believe this is a Carbon bug.

Behavior	Workaround
I tried to link my program against the libraries in `/usr/lib` (ie: linking with `-lkrb5`) and get a link error similar to: `/usr/bin/ld: /var/tmp/cccAgaaa.o illegal reference to symbol: [a Kerberos symbol] defined in indirectly referenced dynamic library /System/Library/Frameworks/Kerberos.framework/[...]"`	Fixed in Kerberos for Macintosh 4.0. By default, Mac OS X 10.1 does not allow indirect linking via re-export libraries. There are two possible workarounds: 1) Use the `-flat_namespace` option at link time to allow indirect linking. 2) Link directly against the Kerberos framework with `-prebind -framework Kerberos` .
In `/usr/lib` there is a `libdes524.dylib` instead of `libdes425.dylib`.	Fixed in Kerberos for Macintosh 4.0. Since we have fixed this name in KfM 4.0 and it will be correct in future visions of Mac OS X, be sure to design your build systems to look for the correct name on Mac OS X.
I cannot get tickets at my Kerberos v4-only site, even though I can get tickets on Mac OS X 10.0.x and/or Mac OS 9.	Fixed in Kerberos for Macintosh 4.0. Under Mac OS X 10.1, our Kerberos 4 library incorrectly defaults to port 88 for the Kerberos 4 protocol. Edit your Kerberos preferences ("edu.mit.Kerberos") file to specify the correct port (750). For example, the line `"kdc = myserver.mydomain.com"` would become `"kdc = myserver.mydomain.com:750"`.
When a non-admin user logs in using the Kerberos authenticator, they do not get v4 tickets.	Fixed in Kerberos for Macintosh 4.0. After the user logs in, get tickets using kinit or the Kerberos Login dialog.
I tried to get tickets and got an error. For example, kinit said "kinit(v5): Unknown error while initializing Kerberos 5 library", or the Kerberos application told me "A fatal error has occurred. Condition: !(klErr == klNoErr), File: CKrbSession.cp, Line # 619."	The Kerberos preferences ("edu.mit.Kerberos") file is missing. You must install one with information pertaining to your site's Kerberos configuration. See the Kerberos Preferences documentation for information on creating the Kerberos preferences file.
Carbon Eudora or other applications unexpectedly quit or give errors when I try use them with Kerberos.	Mac OS X 10.1 Kerberos as shipped does not include CFM support. To use the Mac OS X 10.1 Kerberos with Eudora and other existing CFM-based GUI applications, either install the Kerberos for Macintosh 4.0 release or the Mac OS X 10.1 Kerberos Extras .
Any Kerberos operation that would display UI will not work from a controlling terminal, such as SSH or Telnet connections.	Fixed in Kerberos for Macintosh 4.0.
If the same user is logged in more than once (for example, on the console and using SSH) the credential cache may behave incorrectly.	Fixed in Kerberos for Macintosh 4.0.
I didn't specify a principal for kinit, and it didn't assume my current login name.	Specify your username. Fixed in Kerberos for Macintosh 4.0.
If there are characters with diacritical marks (e.g. ö, é) in my startup disk's volume name, the Kerberos application will not run, and kinit gives an error when I try to log in.	Rename the volume to remove the characters with diacritical marks.
I am having problems with the /usr/lib support.	Please write us telling us what you are trying to do, and what problems you are experiencing.
I can't drag the ticket lifetime slider in the Kerberos Options dialog all the way to the left. (e.g.: When the minimum lifetime is set to 10 minutes, I can only drag the slider down to 15 minutes.)	None. We believe this is a Carbon bug.

Questions or comments? Send mail to macdev@mit.edu
Last updated on $Date: 2003/11/18 22:02:31 $
Last modified by $Author: smcguire $