1 |
On 02/25/2013 12:48 PM, Michael Mol wrote: |
2 |
> On Mon, Feb 25, 2013 at 2:21 AM, Matthew Thode |
3 |
> <prometheanfire@g.o> wrote: |
4 |
>> On 02/24/13 20:25, Michael Mol wrote: |
5 |
>>> (I really don't have time to actively participate on this list right |
6 |
>>> now, but I believe that if I bring it up on b.g.o, I'll be directed |
7 |
>>> here, so...) |
8 |
>>> |
9 |
>>> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to |
10 |
>>> enable kerberos system-wide on my server. |
11 |
>>> |
12 |
>>> No joy, as net-fs/nfs-utils has an explicit dependency on |
13 |
>>> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on |
14 |
>>> app-crypt/heimdal (for reasons noted in bug 195703, comment 25). |
15 |
>>> |
16 |
>>> Questions: |
17 |
>>> |
18 |
>>> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3 |
19 |
>>> and kerberos demands that things with explicit dependencies on mit-krb5 |
20 |
>>> either be fixed or not used at all. |
21 |
>>> |
22 |
>>> I'm the first activity on bug 231936 in two years...could someone please |
23 |
>>> look into that one? |
24 |
>>> |
25 |
>>> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them |
26 |
>>> through a virtual? My suspicion is "no", but I don't know enough about |
27 |
>>> kerberos to say whether or not it would work, even as a hack. |
28 |
>>> |
29 |
>>> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to |
30 |
>>> crop up, so (and forgive the nausea this might cause) it might help to |
31 |
>>> slot mit and heimdal, and have virtual/krb5 depend on the presence of at |
32 |
>>> least one. |
33 |
>>> |
34 |
>> so, read the thread so far, and I think you are over-complicating things |
35 |
>> with slotting. I use kerberos at home (more or less just to learn it, |
36 |
>> worksforme, etc). I chose MIT. From what I understand MIT and heimdal |
37 |
>> are mutually exclusive (can not operate with eachother) and that heimdal |
38 |
>> is what windows uses. |
39 |
> |
40 |
> I think they're effectively the same on the wire, but I'm not sure. |
41 |
> I'm studying the issue. |
42 |
|
43 |
For the record: On my system, the only two changes I had to make to |
44 |
enable kerberos (largely) system-wide were: |
45 |
|
46 |
1) mask net-fs/nfs-utils (it was only being brought in by the kerberos |
47 |
flag, anyway) |
48 |
2) mask dev-libs/openssl[kerberos]. See |
49 |
https://bugs.gentoo.org/show_bug.cgi?id=459220 |
50 |
|
51 |
Both of those had explicit dependencies on app-crypt/mit-krb5. After |
52 |
that, everything built fine for app-crypt/heimdal. (No idea how well it |
53 |
works; I've still got a ways to go to prove/disprove any of that.) |
54 |
|
55 |
My purpose in originating this thread isn't (and hasn't been) all about |
56 |
getting AD operating correctly and pervasively. My purpose is in getting |
57 |
the package dependencies for kerberos sanified and cleaned up. If that |
58 |
means there are upstream issues, I can prod them, too, I suppose. |
59 |
|
60 |
(I do still wonder what all breaks if assumption is "allow mit-krb5 to |
61 |
be installed, rather than heimdal".) |