On Thu, 6 Dec 2012, Rainer Müller wrote:
> Hello,
>
> Cc: maintainers of depends:kerberos5
>
> At the moment, several ports depend directly on kerberos5 in their
> default variant set. Most important for me are cyrus-sasl2 and openssh.
> As I want to use kerberos authentication against servers, I currently
> have to maintain two independent sets of kerberos tickets using both
> /usr/bin/kinit and ${prefix}/bin/kinit. This is the case as Mac OS X >=
> 10.7 no longer uses MIT Kerberos, but switched to Heimdal and the ticket
> stores are not compatible.

Actually, the FILE-type credential caches are compatible between Heimdal
and MIT. I regularly use MIT kinit to get tickets requiring preauth that
Heimdal doesn't support, and then use them with system utilities.

> In [1] Leo Singer (aronnax@) proposed to default to heimdal instead of
> kerberos5 on Mac OS X >= 10.7. This would resolve my problem as the
> ticket stores appear to be compatible.

Does this mean that the heimdal port is capable of using API-style
credential caches created by the system?

> Therefore, I would like to ask to add +kerberos5 and +heimdal variants
> to these ports and make the default variant selection based on the
> version of Mac OS X this is installed to.
>
> Should we add a kerberos_select port for the kinit, klist, etc. tools?
> heimdal already installs them to ${prefix}/libexec/heimdal/bin/, while
> kerberos5 puts them into ${prefix}/bin directly.

The route I've gone down myself is to allow MIT and Heimdal to be
installed side-by-side, with the MIT utilities prefixed by "mit-"; so
"mit-kinit", etc.

I have an open bug with a patch to do this:
http://trac.macports.org/ticket/34230

--Quentin

> As this affects multiple ports I did not want to open yet another ticket
> against these ports, but bring attention from a wider audience to this
> issue.
>
> Rainer
>
> [1] https://trac.macports.org/ticket/36781
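
Added example, not part of the original thread: a minimal reader for the start of a FILE-type credential cache, the on-disk format the reply above describes as usable by both MIT and Heimdal tools. It handles only the big-endian format versions 3 and 4, and the sample bytes, principal and realm are constructed for illustration.

```python
import struct

def read_ccache_principal(blob: bytes):
    """Return (format_version, 'name@REALM') for a FILE ccache image."""
    if len(blob) < 2 or blob[0] != 0x05:
        raise ValueError("not a Kerberos FILE credential cache")
    version = blob[1]
    if version not in (3, 4):
        # Versions 1 and 2 use native byte order; not handled here.
        raise ValueError(f"unsupported ccache format version {version}")
    pos = 2

    def counted(pos):
        # Counted octet string: 32-bit big-endian length, then the bytes.
        (n,) = struct.unpack_from(">I", blob, pos)
        data = blob[pos + 4:pos + 4 + n]
        if len(data) != n:
            raise ValueError("truncated ccache")
        return data.decode("utf-8"), pos + 4 + n

    try:
        if version == 4:
            # Version 4 adds a tagged header block (e.g. KDC time offset).
            (hdrlen,) = struct.unpack_from(">H", blob, pos)
            pos += 2 + hdrlen
        _name_type, ncomp = struct.unpack_from(">II", blob, pos)
        realm, pos = counted(pos + 8)
        comps = []
        for _ in range(ncomp):
            comp, pos = counted(pos)
            comps.append(comp)
    except struct.error as exc:
        raise ValueError("truncated ccache") from exc
    return version, "/".join(comps) + "@" + realm

def sample_ccache(version=4):
    """Constructed sample: default principal alice@EXAMPLE.ORG, no tickets."""
    def counted(s):
        return struct.pack(">I", len(s)) + s
    out = bytes([0x05, version])
    if version == 4:
        header = struct.pack(">HH", 1, 8) + bytes(8)  # tag 1: zero time offset
        out += struct.pack(">H", len(header)) + header
    out += struct.pack(">II", 1, 1)  # name type 1 (NT-PRINCIPAL), 1 component
    return out + counted(b"EXAMPLE.ORG") + counted(b"alice")

if __name__ == "__main__":
    print(read_ccache_principal(sample_ccache()))
```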