On 02/24/2013 09:48 PM, Alec Warner wrote:
> On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol <mikemol@×××××.com> wrote:
>> (I really don't have time to actively participate on this list right
>> now, but I believe that if I bring it up on b.g.o, I'll be directed
>> here, so...)
>>
>> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
>> enable kerberos system-wide on my server.
>>
>> No joy, as net-fs/nfs-utils has an explicit dependency on
>> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
>> app-crypt/heimdal (for reasons noted in bug 195703, comment 25).
>
> I'm not familiar with anyone using Kerberos on Gentoo. I use it on
> Ubuntu; but we do not use it with Samba (or at least, if we do, I am
> not aware of it.)
|
It's one of the core components of Active Directory, so anyone who puts
a Gentoo machine on an AD domain will likely be using it. I'm playing
around with Samba 4, which is supposed to have full support as a
standalone AD controller. An AD controller is effectively a central box
that manages and directs domain members to DNS (the host directory),
LDAP (the user and authorization directory) and Kerberos (the
authentication mechanism).
|
>
>>
>> Questions:
>>
>> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
>> and kerberos demands that things with explicit dependencies on mit-krb5
>> either be fixed or not used at all.
>
> I'm fairly sure samba supports either kerberos implementation; is
> there something that makes you think differently?
|
The explicit dependency on app-crypt/heimdal in the ebuild, and comment
25 attached to b.g.o bug 195703. I've taken those at face value; I
haven't followed up on them myself.
|
>
>>
>> I'm the first activity on bug 231936 in two years...could someone please
>> look into that one?
>>
>> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
>> through a virtual? My suspicion is "no", but I don't know enough about
>> kerberos to say whether or not it would work, even as a hack.
>>
>
> I'm not following you here. 'slot' means a very specific thing. You
> are not actually suggesting we use SLOT, you simply want both versions
> of the library to be installed in one ROOT?
>
> I would not advocate this approach. You should strive to have only one
> kerberos implementation on a given machine.
|
I'm really not certain, to be honest. It was my impression that slots
allow for two different versions of a thing to be present on the same
system, and that their different sonames on the system would lead to
correct symbol resolution. (Although it would require that the soname
being sought be adjusted in a dependent program to target the version
required.)

Even if it works, I acknowledge it's a nauseating hack for the circumstance.
|
>
>> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
>> crop up, so (and forgive the nausea this might cause) it might help to
>> slot mit and heimdal, and have virtual/krb5 depend on the presence of at
>> least one.
>>
>
> It is likely that explicit dependencies are wrong, and are just bugs.
|
This is what I found in the ebuild for net-fs/nfs-utils:

# kth-krb doesn't provide the right include
# files, and nfs-utils doesn't build against heimdal either,
# so don't depend on virtual/krb.
# (04 Feb 2005 agriffis)

Which I noted in a comment I attached to bug 231936 (relating to
net-fs/nfs-utils).

In bug 195703 (relating to the samba-4 version bump), there's this:

"Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on
virtual/krb5 but instead directly on heimdal after the com_err.h problem
is fixed." in comment 25, dated 2009-11-24 23:07:18 UTC.

Directly responded to later by this:

"Agreed." in comment 26, dated 2009-11-25 10:01:48 UTC