The standard upstream source builds the PAM modules against static
libraries, which means they contain non-PIC code.  This isn't allowed by
Debian Policy and doesn't work on some supported platforms.

Two approaches for fixing this have been tried.  One is to rebuild the
various object files that are part of the libraries PIC and then link with
those object files.  The other, which this implements, is to link with the
object files used to create the libafsauthent and libafsrpc shared
libraries (which can't be shipped since they don't have a stable API or
correct SONAME).  The latter means that the PAM modules must also be
linked with libpthread, but that's a feature since that means they'll work
with sshd built threaded.

Not submitted upstream yet.  The call to rx_Init should be submitted
upstream and would probably be accepted.  Upstream would probably rather
link the PAM modules against the shared libraries rather than accepting
this hack, which is unsuitable for Debian until the shared libraries are
handled more consistently.

--- openafs-1.3.87.orig/src/pam/Makefile.in
+++ openafs-1.3.87/src/pam/Makefile.in
@@ -25,7 +25,17 @@
 	  afs_pam_msg.o afs_message.o AFS_component_version_number.o
    OBJS = $(SHOBJS) test_pam.o
 INCLUDES=-I${TOP_OBJDIR}/src/config -I${TOP_INCDIR} 
-CFLAGS =  ${DEBUG} ${INCLUDES} ${PAM_CFLAGS}
+CFLAGS =  ${DEBUG} ${INCLUDES} ${PAM_CFLAGS} ${MT_CFLAGS}
+
+# For Debian, we link directly with the object files that would have gone
+# into the libafsrpc and libafsauthent shared libraries.  The shared libraries
+# themselves cannot be used because the interface isn't stable and they have
+# no SONAME, but this is the easiest way of getting PIC objects built with the
+# pthread API.
+SHLIB_OBJS	:= `ls ../shlibafsauthent/*.o | grep -v version_num` \
+		   `ls ../shlibafsrpc/*.o | grep -v version_num`
+KRB_SHLIB_OBJS	:= `ls ../shlibafsauthent/*.o | egrep -v 'version_num|ktc.o'` \
+		   `ls ../shlibafsrpc/*.o | grep -v version_num`
 
 all: test_pam ${TOP_LIBDIR}/pam_afs.so.1 ${TOP_LIBDIR}/pam_afs.krb.so.1
 
@@ -39,14 +49,18 @@
 	${CC} ${CFLAGS} -c ${srcdir}/afs_auth.c -o afs_auth.o
 
 afs_auth_krb.o: afs_auth.c afs_pam_msg.h afs_message.h afs_util.h
-	${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
+	${CC} ${CFLAGS} -DAFS_KERBEROS_ENV  -c ${srcdir}/afs_auth.c -o afs_auth_krb.o
 
 afs_util.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
 	${CC} ${CFLAGS} -c ${srcdir}/afs_util.c -o afs_util.o
 
+
 afs_util_krb.o: afs_util.c afs_pam_msg.h afs_message.h afs_util.h
 	${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/afs_util.c -o afs_util_krb.o
 
+ktc.o: ${srcdir}/../auth/ktc.c
+	${CC} ${CFLAGS} -DAFS_KERBEROS_ENV -c ${srcdir}/../auth/ktc.c
+
 pam_afs.so.1: $(SHOBJS) afs_setcred.o afs_auth.o afs_util.o
 	set -x; \
 	case "$(SYS_NAME)" in \
@@ -59,8 +73,9 @@
 			afs_setcred.o afs_auth.o afs_util.o \
 			$(SHOBJS) $(LIBS) ;; \
 	*linux*) \
-		$(CC) $(LDFLAGS) -o $@ afs_setcred.o \
-			afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
+		$(CC) $(LDFLAGS) $(PAM_CFLAGS) -o $@ afs_setcred.o \
+			afs_auth.o afs_util.o $(SHOBJS) $(SHLIB_OBJS) \
+			$(MT_LIBS) -lpam -lresolv;;\
 	*fbsd*| *nbsd*) \
 		$(CC) $(LDFLAGS) -o $@ afs_setcred.o \
 			afs_auth.o afs_util.o $(SHOBJS) $(LIBS) ;;\
@@ -68,7 +83,7 @@
 		echo No link line for system $(SYS_NAME). ;; \
 	esac
 
-pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o
+pam_afs.krb.so.1: $(SHOBJS) afs_setcred_krb.o afs_auth_krb.o afs_util_krb.o ktc.o
 	set -x; \
 	case "$(SYS_NAME)" in \
 	hp_ux* | ia64_hpux*) \
@@ -81,7 +96,8 @@
 			$(SHOBJS) $(LDFLAGS) $(KLIBS) ;; \
 	*linux*) \
 		$(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
-			afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
+			afs_auth_krb.o afs_util_krb.o ktc.o $(SHOBJS) \
+			$(KRB_SHLIB_OBJS) $(MT_LIBS) -lpam -lresolv;;\
 	*fbsd*| *nbsd*) \
 		$(CC) $(LDFLAGS) -o $@ afs_setcred_krb.o \
 			afs_auth_krb.o afs_util_krb.o $(SHOBJS) $(KLIBS) ;;\
--- openafs-1.3.87.orig/src/pam/afs_setcred.c
+++ openafs-1.3.87/src/pam/afs_setcred.c
@@ -52,7 +52,7 @@
     int refresh_token = 0;
     int set_expires = 0;	/* the default is to not to set the env variable */
     int use_klog = 0;
-    int i;
+    int i, code;
     struct pam_conv *pam_convp = NULL;
     char my_password_buf[256];
     char *cell_ptr = NULL;
@@ -281,6 +281,11 @@
 #endif
 	}
 
+	if ((code = rx_Init(0)) != 0) {
+	    pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+	    RET(PAM_AUTH_ERR);
+	}
+
 	if (flags & PAM_REFRESH_CRED) {
 	    if (use_klog) {
 		auth_ok = !do_klog(user, password, "00:00:01", cell_ptr);
--- openafs-1.3.87.orig/src/pam/afs_auth.c
+++ openafs-1.3.87/src/pam/afs_auth.c
@@ -314,6 +314,10 @@
 	    if (cpid <= 0) {	/* The child process */
 		if (logmask && LOG_MASK(LOG_DEBUG))
 		    syslog(LOG_DEBUG, "in child");
+		if ((code = rx_Init(0)) != 0) {
+		    pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+		    exit(0);
+		}
 		if (refresh_token || set_token)
 		    code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user,	/* kerberos name */
 						      NULL,	/* instance */
@@ -363,6 +367,10 @@
 	    pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
 	}
     } else {			/* dont_fork, used by httpd */
+	if ((code = rx_Init(0)) != 0) {
+	    pam_afs_syslog(LOG_ERR, PAMAFS_KAERROR, code);
+	    RET(PAM_AUTH_ERR);
+	}
 	if (logmask && LOG_MASK(LOG_DEBUG))
 	    syslog(LOG_DEBUG, "dont_fork");
 	if (refresh_token || set_token)
--- openafs-1.3.87.orig/Makefile.in
+++ openafs-1.3.87/Makefile.in
@@ -507,8 +507,6 @@
 # pthread based user space RX library
 shlibafsrpc: rx rxkad des
 	case ${SYS_NAME} in \
-	amd64_linux24) \
-		echo Skipping shlibafsrpc for amd64_linux24 ;; \
 	alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
 	${COMPILE_PART1} shlibafsrpc ${COMPILE_PART2} ;; \
 	*) \
@@ -517,8 +515,6 @@
 
 shlibafsauthent: ubik auth kauth shlibafsrpc
 	case ${SYS_NAME} in \
-	amd64_linux24) \
-		echo Skipping shlibafsauthent for amd64_linux24 ;; \
 	alpha_dux*|sgi_*|sun4x_*|sunx86_*|rs_aix*|*linux*|hp_ux11*|ia64_hpux*) \
 	${COMPILE_PART1} shlibafsauthent ${COMPILE_PART2} ;; \
 	*) \
