1 |
On 02/24/2013 10:46 PM, Alec Warner wrote: |
2 |
> On Sun, Feb 24, 2013 at 7:17 PM, Michael Mol <mikemol@×××××.com> wrote: |
3 |
>> On 02/24/2013 09:48 PM, Alec Warner wrote: |
4 |
>>> On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol <mikemol@×××××.com> wrote: |
5 |
>>>> (I really don't have time to actively participate on this list right |
6 |
>>>> now, but I believe that if I bring it up on b.g.o, I'll be directed |
7 |
>>>> here, so...) |
8 |
>>>> |
9 |
>>>> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to |
10 |
>>>> enable kerberos system-wide on my server. |
11 |
>>>> |
12 |
>>>> No joy, as net-fs/nfs-utils has an explicit dependency on |
13 |
>>>> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on |
14 |
>>>> app-crypt/heimdal (for reasons noted in bug 195703, comment 25). |
15 |
>>> |
16 |
>>> I'm not familiar with anyone using Kerberos on Gentoo. I use it on |
17 |
>>> Ubuntu; but we do not use it with Samba (or at least, if we do, I am |
18 |
>>> not aware of it.) |
19 |
>> |
20 |
>> It's one of the core components of Active Directory, so anyone who puts |
21 |
>> a Gentoo machine on an AD domain will likely be using it. I'm playing |
22 |
>> around with Samba 4, which is supposed to have full support as a |
23 |
>> standalone AD controller. An AD controller is effectively a central box |
24 |
>> that manages and directs domain members to DNS (the host directory), |
25 |
>> LDAP (the user and authorization directory) and Kerberos (the |
26 |
>> authentication mechanism). |
27 |
> |
28 |
> Don't misunderstand, I know what all these things are ;) |
29 |
> |
30 |
>> |
31 |
>>> |
32 |
>>>> |
33 |
>>>> Questions: |
34 |
>>>> |
35 |
>>>> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3 |
36 |
>>>> and kerberos demands that things with explicit dependencies on mit-krb5 |
37 |
>>>> either be fixed or not used at all. |
38 |
>>> |
39 |
>>> I'm fairly sure samba supports either kerberos implementation; is |
40 |
>>> there something that makes you think differently? |
41 |
>> |
42 |
>> The explicit dependency on app-crypt/heimdal in the ebuild, and comment |
43 |
>> 25 attached to b.g.o bug 195703. I've taken those at face value; I |
44 |
>> haven't followed up on them myself. |
45 |
>> |
46 |
>>> |
47 |
>>>> |
48 |
>>>> I'm the first activity on bug 231936 in two years...could someone please |
49 |
>>>> look into that one? |
50 |
>>>> |
51 |
>>>> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them |
52 |
>>>> through a virtual? My suspicion is "no", but I don't know enough about |
53 |
>>>> kerberos to say whether or not it would work, even as a hack. |
54 |
>>>> |
55 |
>>> |
56 |
>>> I'm not following you here. 'slot' means a very specific thing. You |
57 |
>>> are not actually suggesting we use SLOT, you simply want both versions |
58 |
>>> of the library to be installed in one ROOT? |
59 |
>>> |
60 |
>>> I would not advocate this approach. You should strive to have only one |
61 |
>>> kerberos implementation on a given machine. |
62 |
>> |
63 |
>> I'm really not certain, to be honest. It was my impression that slots |
64 |
>> allow for two different versions of a thing to be present on the same |
65 |
>> system, and that their different sonames on the system would lead to |
66 |
>> correct symbol resolution. (Although it would require that the soname |
67 |
>> being sought be adjusted in a dependent program to target the version |
68 |
>> required.) |
69 |
> |
70 |
> mit-krb5 and heimdal are separate packages. They both provide krb |
71 |
> headers and kerb libraries. You could easily patch them to be on the |
72 |
> same system. The problem with doing so is that packages are expecting |
73 |
> only one set of kerberos headers and kerberos shared libraries. |
74 |
> |
75 |
> We have the 'eselect' framework for switching between 'providers' |
76 |
> which we could use in this case (similar to say, the opengl libraries |
77 |
> your system might use.) It is not clear to me if switching providers |
78 |
> is at all safe in the kerberos instance, or if software built against |
79 |
> mit-krb5 would crash if you pointed the loader at some heimdal shared |
80 |
> objects. |
81 |
|
82 |
Don't misunderstand, I know about eselect. ;) |
83 |
|
84 |
And, yeah, I don't know if thunking/shimming/redirecting is safe in the |
85 |
kerberos context. If it was, there should never have been any question |
86 |
of compatibility. |
87 |
|
88 |
> |
89 |
>> |
90 |
>> Even if it works, I acknowledge it's a nauseating hack for the circumstance. |
91 |
>> |
92 |
>>> |
93 |
>>>> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to |
94 |
>>>> crop up, so (and forgive the nausea this might cause) it might help to |
95 |
>>>> slot mit and heimdal, and have virtual/krb5 depend on the presence of at |
96 |
>>>> least one. |
97 |
>>>> |
98 |
>>> |
99 |
>>> It is likely that explicit dependencies are wrong, and are just bugs. |
100 |
>> |
101 |
>> This is what I found in the ebuild for net-fs/nfs-utils: |
102 |
>> |
103 |
>> # kth-krb doesn't provide the right include |
104 |
>> # files, and nfs-utils doesn't build against heimdal either, |
105 |
>> # so don't depend on virtual/krb. |
106 |
>> # (04 Feb 2005 agriffis) |
107 |
>> |
108 |
>> Which I noted in a comment I attached to bug 231936 (relating to |
109 |
>> net-fs/nfs-util). |
110 |
>> |
111 |
>> In bug 195703 (relating to the samba-4 version bump), there's this: |
112 |
>> |
113 |
>> "Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on |
114 |
>> virtual/krb5 but instead directly on heimdal after the com_err.h problem |
115 |
>> is fixed." in comment 25, dated 2009-11-24 23:07:18 UTC. |
116 |
>> |
117 |
>> Directly responded to later by this: |
118 |
>> |
119 |
>> "Agreed." in comment 26, dated 2009-11-25 10:01:48 UTC |
120 |
>> |
121 |
>> |
122 |
>> |
123 |
> |
124 |
> So nothing recent then ;p |
125 |
|
126 |
Which is exactly why I bring it up; the net-fs/nfs-utils bug is stale, |
127 |
and the reference in the samba package is ancient. (Things directly |
128 |
partaining to samba-4 get bounced into that bug, which really means a |
129 |
stale comment is roughly the same as a stale bug...) |
130 |
|
131 |
> |
132 |
> I think just 'eras' is the only person in the kerberos herd at this |
133 |
> point. I only have a passing interest in it myself (and I'm not |
134 |
> looking to maintain it in Gentoo ;)) |
135 |
|
136 |
Yeah, I know, "if you want it fixed in Gentoo, fix it yourself." I would |
137 |
if I had time. I may have time some day, but I wouldn't bet in that |
138 |
direction. But it'd have been foolish not to at least try to shake the |
139 |
dust off the issue. Apologies if I triggered any allergies... :) |