[LON-CAPA-admin] kerberos conf

Stuart Peter Raeburn raeburn at msu.edu
Mon Feb 11 14:28:55 EST 2008


Starting with version 1.7, a perl module for Authen::Krb5 has begun to be 
included in standard repositories for Fedora 7 and 8 (previously rpms have 
come from the LON-CAPA repositories).  The get_in_tkt_with_password() 
function seg faults in Authen::Krb rev 1.7 (the corresponding interface is 
deprecated in the Kerberos C libraries, but the Perl module docs indicate 
that it should continue to work). 

A new version of lond (rev 1.394) uses the function 
get_init_creds_password(), where it exists, to validate a user's login 
credentials.  This function does not seg fault in 1.7. 

The new version of lond continues to support perl-Authen-Krb5 version 1.6, 
and earlier by continuing to use the get_in_tkt_with_password() function if 
the newer get_init_creds_password() function is unavailable. 

Domains using Kerberos 5 authentication with Fedora 7 or 8, and running 
LON-CAPA version 2.6, have two options, 

(a) Do not update perl-Authen-Krb5
(Adding the following line to /etc/yum.conf, will stop CHECKRPMS from 
sending e-mail to the sytem administrator suggesting the RPM should be 


If perl-Authen-Krb5 has already been updated:
rpm -e --nodeps perl-Authen-Krb5 

Then for 64 bit machines using Fedora 7

rpm -ivh perl-Authen-Krb5-1.6-1.0.fc7.lc.x86_64.rpm 

And for 32 bit machines using Fedora 7 


rpm -ivh perl-Authen-Krb5-1.6-1.0.fc7.lc.i386.rpm 


(b) Replace the lond (rev. 1.393) shipped with 2.6.X with lond rev 1.394. 


 -O /home/httpd/perl/lond

/etc/init.d/loncontrol restart
/etc/init.d/httpd restart 

Stuart Raeburn

Gerd Kortemeyer writes: 

> Hi, 
> I would suggest to downgrade the package. 
> LON-CAPA uses the standard calls for the package, so there is nothing  we 
> can change on the LON-CAPA end of things ... looks like the new  version 
> of the package has a bug. 
> - Gerd. 
> On Feb 7, 2008, at 11:47 AM, cansu başak wrote: 
>> i found out it is related with perl-Authen-Krb5 - 1.7-3.fc7.i386  update. 
>> But
>> what is required to do for lon capa works with new package  properly. 
>> (update to
>> 2.6.2 version after kerberos update; but still there is problem) 
>> Cansu Başak 

More information about the LON-CAPA-admin mailing list