On Sun, Feb 24, 2013 at 11:21 PM, Matthew Thode <prometheanf...@gentoo.org> wrote: > On 02/24/13 20:25, Michael Mol wrote: >> (I really don't have time to actively participate on this list right >> now, but I believe that if I bring it up on b.g.o, I'll be directed >> here, so...) >> >> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to >> enable kerberos system-wide on my server. >> >> No joy, as net-fs/nfs-utils has an explicit dependency on >> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on >> app-crypt/heimdal (for reasons noted in bug 195703, comment 25). >> >> Questions: >> >> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3 >> and kerberos demands that things with explicit dependencies on mit-krb5 >> either be fixed or not used at all. >> >> I'm the first activity on bug 231936 in two years...could someone please >> look into that one? >> >> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them >> through a virtual? My suspicion is "no", but I don't know enough about >> kerberos to say whether or not it would work, even as a hack. >> >> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to >> crop up, so (and forgive the nausea this might cause) it might help to >> slot mit and heimdal, and have virtual/krb5 depend on the presence of at >> least one. >> > so, read the thread so far, and I think you are over-complicating things > with slotting. I use kerberos at home (more or less just to learn it, > worksforme, etc). I chose MIT. From what I understand MIT and heimdal > are mutually exclusive (can not operate with eachother) and that heimdal > is what windows uses.
This is incorrect, or at least, was incorrect last time I looked (circa...uhh..2009?) They work 'ok' together. Heimdal clients could talk to MIT servers at least. Of course, there were quirks, and incompatible command line syntax, hence my fierce recommendation to 'not do that.' > > What this seems to be is a simple case of blockers. So, the quesiton > is, are you going to be using kerberos in nfs? if not, masking the flag > may be what works for you (in the short term at least). Longer term it > sounds like maybe seperate use flags are in order (or something, dunno). Do not use Kerberized NFSv3. I'm unsure if nfsv4 is any better :/ -A > > I don't think samba will support MIT, since it's kinda windows focused. > > On another note, I can't find bug 231936. > > -- > -- Matthew Thode (prometheanfire) >
