On 02/24/2013 09:48 PM, Alec Warner wrote: > On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol <mike...@gmail.com> wrote: >> (I really don't have time to actively participate on this list right >> now, but I believe that if I bring it up on b.g.o, I'll be directed >> here, so...) >> >> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to >> enable kerberos system-wide on my server. >> >> No joy, as net-fs/nfs-utils has an explicit dependency on >> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on >> app-crypt/heimdal (for reasons noted in bug 195703, comment 25). > > I'm not familiar with anyone using Kerberos on Gentoo. I use it on > Ubuntu; but we do not use it with Samba (or at least, if we do, I am > not aware of it.)
It's one of the core components of Active Directory, so anyone who puts a Gentoo machine on an AD domain will likely be using it. I'm playing around with Samba 4, which is supposed to have full support as a standalone AD controller. An AD controller is effectively a central box that manages and directs domain members to DNS (the host directory), LDAP (the user and authorization directory) and Kerberos (the authentication mechanism). > >> >> Questions: >> >> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3 >> and kerberos demands that things with explicit dependencies on mit-krb5 >> either be fixed or not used at all. > > I'm fairly sure samba supports either kerberos implementation; is > there something that makes you think differently? The explicit dependency on app-crypt/heimdal in the ebuild, and comment 25 attached to b.g.o bug 195703. I've taken those at face value; I haven't followed up on them myself. > >> >> I'm the first activity on bug 231936 in two years...could someone please >> look into that one? >> >> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them >> through a virtual? My suspicion is "no", but I don't know enough about >> kerberos to say whether or not it would work, even as a hack. >> > > I'm not following you here. 'slot' means a very specific thing. You > are not actually suggesting we use SLOT, you simply want both versions > of the library to be installed in one ROOT? > > I would not advocate this approach. You should strive to have only one > kerberos implementation on a given machine. I'm really not certain, to be honest. It was my impression that slots allow for two different versions of a thing to be present on the same system, and that their different sonames on the system would lead to correct symbol resolution. (Although it would require that the soname being sought be adjusted in a dependent program to target the version required.) Even if it works, I acknowledge it's a nauseating hack for the circumstance. > >> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to >> crop up, so (and forgive the nausea this might cause) it might help to >> slot mit and heimdal, and have virtual/krb5 depend on the presence of at >> least one. >> > > It is likely that explicit dependencies are wrong, and are just bugs. This is what I found in the ebuild for net-fs/nfs-utils: # kth-krb doesn't provide the right include # files, and nfs-utils doesn't build against heimdal either, # so don't depend on virtual/krb. # (04 Feb 2005 agriffis) Which I noted in a comment I attached to bug 231936 (relating to net-fs/nfs-util). In bug 195703 (relating to the samba-4 version bump), there's this: "Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on virtual/krb5 but instead directly on heimdal after the com_err.h problem is fixed." in comment 25, dated 2009-11-24 23:07:18 UTC. Directly responded to later by this: "Agreed." in comment 26, dated 2009-11-25 10:01:48 UTC
signature.asc
Description: OpenPGP digital signature
