Re-forwarding to krb5-bugs since this is a bug and I inadvertently sent to the wrong list initially (krbdev)…
Kerberos Release: 1.9.1 (but I can also confirm the bug is present in 1.8.2 and possibly other releases).
Synopsis: Cannot compile sources using static library configuration
./configure --enable-static --disable-shared
Platform: Linux (x86_64)
make: Entering directory `/home/probe/src/krb5/krb5-1.9.1/src/kdc'
gcc -L../lib -Wl,--enable-new-dtags -Wl,-rpath -Wl,/usr/local/lib -g -O2 -o krb5kdc kdc5_err.o dispatch.o do_as_req.o do_tgs_req.o fast_util.o kdc_util.o kdc_preauth.o main.o policy.o extern.o replay.o kdc_authdata.o -lapputils -lkadm5srv_mit -lkdb5 -lkrb5_db2 -lgssrpc -lgssapi_krb5 -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lkeyutils -lresolv -ldl
../lib/libkrb5_db2.a(hash.o): In function `hdestroy':
/home/probe/src/krb5/krb5-1.9.1/src/plugins/kdb/db2/libdb2/hash/hash.c:549: warning: the use of `tmpnam' is dangerous, better use `mkstemp'
../lib/libkdb5.a(kdb_default.o): In function `krb5_def_store_mkey_list':
/home/probe/src/krb5/krb5-1.9.1/src/lib/kdb/kdb_default.c:189: warning: the use of `mktemp' is dangerous, better use `mkstemp'
../lib/libkrb5_db2.a(lockout.o): In function `lookup_lockout_policy':
/home/probe/src/krb5/krb5-1.9.1/src/plugins/kdb/db2/lockout.c:69: undefined reference to `xdr_osa_princ_ent_rec'
/home/probe/src/krb5/krb5-1.9.1/src/plugins/kdb/db2/lockout.c:89: undefined reference to `xdr_osa_princ_ent_rec'
collect2: ld returned 1 exit status
make: *** [krb5kdc] Error 1
make: Leaving directory `/home/probe/src/krb5/krb5-1.9.1/src/kdc'
make: *** [all-recurse] Error 1
When I did a Google search for this, it appears there was a conversation between Ken Raeburn & Greg Hudson on 2011-01-12 regarding this very topic, but it appears it was not fixed in the sources since, but the specifics were not covered. The issue is –lkrb5_db2 references a module which is located in –lkadm5srv_mit. If you use shared libraries, the library order is not important as there is lazy dependency resolution. However, if you use static libraries, each object/library’s undeclared references must be present in one of the subsequent libraries in the link list (and in this case, the function was present in an earlier library but not previously pulled in because it wasn’t previously required to satisfy prior dependencies). In general, it is safe to repeat –l<library> references (shared or static), so the fix is simply to list –lkadm5srv_mit again.
Anyway, here is a patch which addresses the issue:
--- aclocal.m4 2011-08-28 19:05:41.000000000 -0400
+++ aclocal.m4.new 2011-08-28 18:51:23.000000000 -0400
@@ -1190,7 +1190,7 @@
AC_DEFINE([STATIC_PLUGINS], 1, [Define for static plugin linkage])
+ KDB5_PLUGIN_LIBS='-lkrb5_db2 -lkadm5srv_mit'
if test "x$OPENLDAP_PLUGIN" = xyes; then