Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-25 Thread Eray Aslan
On Sun, Feb 24, 2013 at 11:43:06PM -0800, Alec Warner wrote:
 This is incorrect, or at least, was incorrect last time I looked
 (circa...uhh..2009?)
 
 They work 'ok' together. Heimdal clients could talk to MIT servers at
 least.

and vice-versa.

 Of course, there were quirks, and incompatible command line
 syntax, hence my fierce recommendation to 'not do that.'

Yes.

  I don't think samba will support MIT, since it's kinda windows focused.

Ugh, no.  MIT is not windows focused (although it does ship a windows
client for better integration with *nix kdcs).  Apple uses heimdal in
recent macos'es and employs some main developers of heimdal and samba
(hence samba - heimdal tight integration).  There was some work from red
hat to make samba4 work with mit-krb5 but it stalled and did not go
anywhere (yet?) afaik.

-- 
Eray Aslan e...@gentoo.org




Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-25 Thread Michael Mol
On Mon, Feb 25, 2013 at 2:21 AM, Matthew Thode
prometheanf...@gentoo.org wrote:
 On 02/24/13 20:25, Michael Mol wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.

 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.

 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.

 so, read the thread so far, and I think you are over-complicating things
 with slotting.  I use kerberos at home (more or less just to learn it,
 worksforme, etc).  I chose MIT.  From what I understand MIT and heimdal
 are mutually exclusive (can not operate with each other) and that heimdal
 is what windows uses.

I think they're effectively the same on the wire, but I'm not sure.
I'm studying the issue.


 What this seems to be is a simple case of blockers.  So, the question
 is, are you going to be using kerberos in nfs? if not, masking the flag
 may be what works for you (in the short term at least).  Longer term it
 sounds like maybe separate use flags are in order (or something, dunno).

It's the longer-term thing that I'm interested in solving...and
smoothness of kerberos in Gentoo in general. SSO for a family network
would be very, very nice.


 I don't think samba will support MIT, since it's kinda windows focused.

 On another note, I can't find bug 231936.

Typo. Or dyslexia. Who knows...

https://bugs.gentoo.org/show_bug.cgi?id=231396

--
:wq



Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-25 Thread Michael Mol
On 02/25/2013 12:48 PM, Michael Mol wrote:
 On Mon, Feb 25, 2013 at 2:21 AM, Matthew Thode
 prometheanf...@gentoo.org wrote:
 On 02/24/13 20:25, Michael Mol wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.

 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.

 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.

 so, read the thread so far, and I think you are over-complicating things
 with slotting.  I use kerberos at home (more or less just to learn it,
 worksforme, etc).  I chose MIT.  From what I understand MIT and heimdal
 are mutually exclusive (can not operate with each other) and that heimdal
 is what windows uses.
 
 I think they're effectively the same on the wire, but I'm not sure.
 I'm studying the issue.

For the record: On my system, the only two changes I had to make to
enable kerberos (largely) system-wide were:

1) mask net-fs/nfs-utils (it was only being brought in by the kerberos
flag, anyway)
2) mask dev-libs/openssl[kerberos]. See
https://bugs.gentoo.org/show_bug.cgi?id=459220

Both of those had explicit dependencies on app-crypt/mit-krb5. After
that, everything built fine for app-crypt/heimdal. (No idea how well it
works; I've still got a ways to go to prove/disprove any of that.)

My purpose in originating this thread isn't (and hasn't been) all about
getting AD operating correctly and pervasively. My purpose is in getting
the package dependencies for kerberos sanified and cleaned up. If that
means there are upstream issues, I can prod them, too, I suppose.

(I do still wonder what all breaks if assumption is allow mit-krb5 to
be installed, rather than heimdal.)





[gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Michael Mol
(I really don't have time to actively participate on this list right
now, but I believe that if I bring it up on b.g.o, I'll be directed
here, so...)

So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
enable kerberos system-wide on my server.

No joy, as net-fs/nfs-utils has an explicit dependency on
app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

Questions:

1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
and kerberos demands that things with explicit dependencies on mit-krb5
either be fixed or not used at all.

I'm the first activity on bug 231936 in two years...could someone please
look into that one?

2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
through a virtual? My suspicion is no, but I don't know enough about
kerberos to say whether or not it would work, even as a hack.

I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
crop up, so (and forgive the nausea this might cause) it might help to
slot mit and heimdal, and have virtual/krb5 depend on the presence of at
least one.





Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Alec Warner
On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol mike...@gmail.com wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

I'm not familiar with anyone using Kerberos on Gentoo. I use it on
Ubuntu; but we do not use it with Samba (or at least, if we do, I am
not aware of it.)


 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.

I'm fairly sure samba supports either kerberos implementation; is
there something that makes you think differently?


 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.


I'm not following you here. 'slot' means a very specific thing. You
are not actually suggesting we use SLOT, you simply want both versions
of the library to be installed in one ROOT?

I would not advocate this approach. You should strive to have only one
kerberos implementation on a given machine.

 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.


It is likely that explicit dependencies are wrong, and are just bugs.

-A



Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Michael Mol
On 02/24/2013 09:48 PM, Alec Warner wrote:
 On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol mike...@gmail.com wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).
 
 I'm not familiar with anyone using Kerberos on Gentoo. I use it on
 Ubuntu; but we do not use it with Samba (or at least, if we do, I am
 not aware of it.)

It's one of the core components of Active Directory, so anyone who puts
a Gentoo machine on an AD domain will likely be using it. I'm playing
around with Samba 4, which is supposed to have full support as a
standalone AD controller. An AD controller is effectively a central box
that manages and directs domain members to DNS (the host directory),
LDAP (the user and authorization directory) and Kerberos (the
authentication mechanism).

 

 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.
 
 I'm fairly sure samba supports either kerberos implementation; is
 there something that makes you think differently?

The explicit dependency on app-crypt/heimdal in the ebuild, and comment
25 attached to b.g.o bug 195703. I've taken those at face value; I
haven't followed up on them myself.

 

 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.

 
 I'm not following you here. 'slot' means a very specific thing. You
 are not actually suggesting we use SLOT, you simply want both versions
 of the library to be installed in one ROOT?
 
 I would not advocate this approach. You should strive to have only one
 kerberos implementation on a given machine.

I'm really not certain, to be honest. It was my impression that slots
allow for two different versions of a thing to be present on the same
system, and that their different sonames on the system would lead to
correct symbol resolution. (Although it would require that the soname
being sought be adjusted in a dependent program to target the version
required.)

Even if it works, I acknowledge it's a nauseating hack for the circumstance.

 
 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.

 
 It is likely that explicit dependencies are wrong, and are just bugs.

This is what I found in the ebuild for net-fs/nfs-utils:

# kth-krb doesn't provide the right include
# files, and nfs-utils doesn't build against heimdal either,
# so don't depend on virtual/krb.
# (04 Feb 2005 agriffis)

Which I noted in a comment I attached to bug 231936 (relating to
net-fs/nfs-utils).

In bug 195703 (relating to the samba-4 version bump), there's this:

"Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on
virtual/krb5 but instead directly on heimdal after the com_err.h problem
is fixed." in comment 25, dated 2009-11-24 23:07:18 UTC.

Directly responded to later by this:

"Agreed." in comment 26, dated 2009-11-25 10:01:48 UTC







Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Alec Warner
On Sun, Feb 24, 2013 at 7:17 PM, Michael Mol mike...@gmail.com wrote:
 On 02/24/2013 09:48 PM, Alec Warner wrote:
 On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol mike...@gmail.com wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

 I'm not familiar with anyone using Kerberos on Gentoo. I use it on
 Ubuntu; but we do not use it with Samba (or at least, if we do, I am
 not aware of it.)

 It's one of the core components of Active Directory, so anyone who puts
 a Gentoo machine on an AD domain will likely be using it. I'm playing
 around with Samba 4, which is supposed to have full support as a
 standalone AD controller. An AD controller is effectively a central box
 that manages and directs domain members to DNS (the host directory),
 LDAP (the user and authorization directory) and Kerberos (the
 authentication mechanism).

Don't misunderstand, I know what all these things are ;)




 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.

 I'm fairly sure samba supports either kerberos implementation; is
 there something that makes you think differently?

 The explicit dependency on app-crypt/heimdal in the ebuild, and comment
 25 attached to b.g.o bug 195703. I've taken those at face value; I
 haven't followed up on them myself.



 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.


 I'm not following you here. 'slot' means a very specific thing. You
 are not actually suggesting we use SLOT, you simply want both versions
 of the library to be installed in one ROOT?

 I would not advocate this approach. You should strive to have only one
 kerberos implementation on a given machine.

 I'm really not certain, to be honest. It was my impression that slots
 allow for two different versions of a thing to be present on the same
 system, and that their different sonames on the system would lead to
 correct symbol resolution. (Although it would require that the soname
 being sought be adjusted in a dependent program to target the version
 required.)

mit-krb5 and heimdal are separate packages. They both provide krb
headers and kerb libraries. You could easily patch them to be on the
same system. The problem with doing so is that packages are expecting
only one set of kerberos headers and kerberos shared libraries.

We have the 'eselect' framework for switching between 'providers'
which we could use in this case (similar to say, the opengl libraries
your system might use.) It is not clear to me if switching providers
is at all safe in the kerberos instance, or if software built against
mit-krb5 would crash if you pointed the loader at some heimdal shared
objects.


 Even if it works, I acknowledge it's a nauseating hack for the circumstance.


 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.


 It is likely that explicit dependencies are wrong, and are just bugs.

 This is what I found in the ebuild for net-fs/nfs-utils:

 # kth-krb doesn't provide the right include
 # files, and nfs-utils doesn't build against heimdal either,
 # so don't depend on virtual/krb.
 # (04 Feb 2005 agriffis)

 Which I noted in a comment I attached to bug 231936 (relating to
 net-fs/nfs-utils).

 In bug 195703 (relating to the samba-4 version bump), there's this:

 Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on
 virtual/krb5 but instead directly on heimdal after the com_err.h problem
 is fixed. in comment 25, dated 2009-11-24 23:07:18 UTC.

 Directly responded to later by this:

 Agreed. in comment 26, dated 2009-11-25 10:01:48 UTC




So nothing recent then ;p

I think just 'eras' is the only person in the kerberos herd at this
point. I only have a passing interest in it myself (and I'm not
looking to maintain it in Gentoo ;))

-A



Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Michael Mol
On 02/24/2013 10:46 PM, Alec Warner wrote:
 On Sun, Feb 24, 2013 at 7:17 PM, Michael Mol mike...@gmail.com wrote:
 On 02/24/2013 09:48 PM, Alec Warner wrote:
 On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol mike...@gmail.com wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

 I'm not familiar with anyone using Kerberos on Gentoo. I use it on
 Ubuntu; but we do not use it with Samba (or at least, if we do, I am
 not aware of it.)

 It's one of the core components of Active Directory, so anyone who puts
 a Gentoo machine on an AD domain will likely be using it. I'm playing
 around with Samba 4, which is supposed to have full support as a
 standalone AD controller. An AD controller is effectively a central box
 that manages and directs domain members to DNS (the host directory),
 LDAP (the user and authorization directory) and Kerberos (the
 authentication mechanism).
 
 Don't misunderstand, I know what all these things are ;)
 



 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.

 I'm fairly sure samba supports either kerberos implementation; is
 there something that makes you think differently?

 The explicit dependency on app-crypt/heimdal in the ebuild, and comment
 25 attached to b.g.o bug 195703. I've taken those at face value; I
 haven't followed up on them myself.



 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.


 I'm not following you here. 'slot' means a very specific thing. You
 are not actually suggesting we use SLOT, you simply want both versions
 of the library to be installed in one ROOT?

 I would not advocate this approach. You should strive to have only one
 kerberos implementation on a given machine.

 I'm really not certain, to be honest. It was my impression that slots
 allow for two different versions of a thing to be present on the same
 system, and that their different sonames on the system would lead to
 correct symbol resolution. (Although it would require that the soname
 being sought be adjusted in a dependent program to target the version
 required.)
 
 mit-krb5 and heimdal are separate packages. They both provide krb
 headers and kerb libraries. You could easily patch them to be on the
 same system. The problem with doing so is that packages are expecting
 only one set of kerberos headers and kerberos shared libraries.
 
 We have the 'eselect' framework for switching between 'providers'
 which we could use in this case (similar to say, the opengl libraries
 your system might use.) It is not clear to me if switching providers
 is at all safe in the kerberos instance, or if software built against
 mit-krb5 would crash if you pointed the loader at some heimdal shared
 objects.

Don't misunderstand, I know about eselect. ;)

And, yeah, I don't know if thunking/shimming/redirecting is safe in the
kerberos context. If it was, there should never have been any question
of compatibility.

 

 Even if it works, I acknowledge it's a nauseating hack for the circumstance.


 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.


 It is likely that explicit dependencies are wrong, and are just bugs.

 This is what I found in the ebuild for net-fs/nfs-utils:

 # kth-krb doesn't provide the right include
 # files, and nfs-utils doesn't build against heimdal either,
 # so don't depend on virtual/krb.
 # (04 Feb 2005 agriffis)

 Which I noted in a comment I attached to bug 231936 (relating to
 net-fs/nfs-utils).

 In bug 195703 (relating to the samba-4 version bump), there's this:

 Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on
 virtual/krb5 but instead directly on heimdal after the com_err.h problem
 is fixed. in comment 25, dated 2009-11-24 23:07:18 UTC.

 Directly responded to later by this:

 Agreed. in comment 26, dated 2009-11-25 10:01:48 UTC



 
 So nothing recent then ;p

Which is exactly why I bring it up; the net-fs/nfs-utils bug is stale,
and the reference in the samba package is ancient. (Things directly
pertaining to samba-4 get bounced into that bug, which really means a
stale 

Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Matthew Thode
On 02/24/13 20:25, Michael Mol wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)
 
 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.
 
 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).
 
 Questions:
 
 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.
 
 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?
 
 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.
 
 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.
 
so, read the thread so far, and I think you are over-complicating things
with slotting.  I use kerberos at home (more or less just to learn it,
worksforme, etc).  I chose MIT.  From what I understand MIT and heimdal
are mutually exclusive (can not operate with each other) and that heimdal
is what windows uses.

What this seems to be is a simple case of blockers.  So, the question
is, are you going to be using kerberos in nfs? if not, masking the flag
may be what works for you (in the short term at least).  Longer term it
sounds like maybe separate use flags are in order (or something, dunno).

I don't think samba will support MIT, since it's kinda windows focused.

On another note, I can't find bug 231936.

-- 
-- Matthew Thode (prometheanfire)





Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Eray Aslan
On Sun, Feb 24, 2013 at 09:25:37PM -0500, Michael Mol wrote:
 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.

You can't eselect the kerberos implementation under an application.
These two packages do provide different symbols.

And you can't just make both packages installable concurrently and hope
everything works out.  There are too many assumptions built into too
many applications about what library from which package provides what
symbol.  That way lies madness.

The bugs you mention are old ones.  I suggest you (and net-fs and samba
herds) check if they still apply and if they do see what prevents the
said package from using the alternative implementation and solve it
there - where it really belongs anyway.

-- 
Eray Aslan e...@gentoo.org
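
The point above about the two packages providing different symbols can be checked by comparing what an application imports against what a provider library exports. This is an added example, not part of the original thread or of any Gentoo tool: the function names are hypothetical, every `nm` listing is constructed, and `krb5_example_mit_only` / `krb5_example_heimdal_only` are placeholder symbol names.

```shell
#!/bin/sh
# Added example (not from the thread): report which krb5_* symbols an
# application imports that a given Kerberos provider library does not export.
# Input is the text printed by GNU nm, e.g.
#   nm -D --defined-only   <provider libkrb5 shared object>
#   nm -D --undefined-only <application binary>
# All listings below are constructed; the *_only names are placeholders.

MIT_NM='0000000000021a40 T krb5_init_context
0000000000021b10 T krb5_free_context@@EXAMPLE_1.0
0000000000030c00 T krb5_example_mit_only'

HEIMDAL_NM='0000000000018200 T krb5_init_context
0000000000018310 T krb5_free_context
0000000000029f00 T krb5_example_heimdal_only'

# Application built against the MIT-style listing above.
APP_NM='                 U krb5_init_context
                 U krb5_free_context@EXAMPLE_1.0
                 U krb5_example_mit_only
                 U malloc
                 w __gmon_start__'

# Names a library exports: three-column nm lines that are not undefined.
# A symbol-version suffix (@VER or @@VER) is stripped before comparing.
defined_syms() {
    awk 'NF == 3 && $2 != "U" { sub(/@.*/, "", $3); print $3 }' | sort -u
}

# Names a binary expects the loader to supply (strong U or weak w).
undefined_syms() {
    awk 'NF == 2 && ($1 == "U" || $1 == "w") { sub(/@.*/, "", $2); print $2 }' |
        sort -u
}

# missing_under PROVIDER_LISTING APP_LISTING
# Prints every krb5_* import of the application that the provider lacks.
# Non-krb5 imports (libc and friends) are ignored on purpose.
missing_under() {
    prov=$(printf '%s\n' "$1" | defined_syms)
    printf '%s\n' "$2" | undefined_syms | grep '^krb5_' |
        while read -r sym; do
            printf '%s\n' "$prov" | grep -qxF -- "$sym" || printf '%s\n' "$sym"
        done
}

missing=$(missing_under "$MIT_NM" "$APP_NM")
echo "against MIT listing:     ${missing:-all krb5_* imports resolved}"
missing=$(missing_under "$HEIMDAL_NM" "$APP_NM")
echo "against Heimdal listing: ${missing:-all krb5_* imports resolved}"
```

A clean result only shows that the names line up; it says nothing about whether structures and calling conventions behind those names match between implementations.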




Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Alec Warner
On Sun, Feb 24, 2013 at 11:21 PM, Matthew Thode
prometheanf...@gentoo.org wrote:
 On 02/24/13 20:25, Michael Mol wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.

 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.

 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.

 so, read the thread so far, and I think you are over-complicating things
 with slotting.  I use kerberos at home (more or less just to learn it,
 worksforme, etc).  I chose MIT.  From what I understand MIT and heimdal
 are mutually exclusive (can not operate with each other) and that heimdal
 is what windows uses.

This is incorrect, or at least, was incorrect last time I looked
(circa...uhh..2009?)

They work 'ok' together. Heimdal clients could talk to MIT servers at
least. Of course, there were quirks, and incompatible command line
syntax, hence my fierce recommendation to 'not do that.'


 What this seems to be is a simple case of blockers.  So, the question
 is, are you going to be using kerberos in nfs? if not, masking the flag
 may be what works for you (in the short term at least).  Longer term it
 sounds like maybe separate use flags are in order (or something, dunno).

Do not use Kerberized NFSv3. I'm unsure if nfsv4 is any better :/

-A


 I don't think samba will support MIT, since it's kinda windows focused.

 On another note, I can't find bug 231936.

 --
 -- Matthew Thode (prometheanfire)




Re: [gentoo-dev] kerberos, virtuals, rattling cages

2013-02-24 Thread Matthew Thode
On 02/25/13 01:43, Alec Warner wrote:
 On Sun, Feb 24, 2013 at 11:21 PM, Matthew Thode
 prometheanf...@gentoo.org wrote:
 On 02/24/13 20:25, Michael Mol wrote:
 (I really don't have time to actively participate on this list right
 now, but I believe that if I bring it up on b.g.o, I'll be directed
 here, so...)

 So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
 enable kerberos system-wide on my server.

 No joy, as net-fs/nfs-utils has an explicit dependency on
 app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
 app-crypt/heimdal (for reasons noted in bug 195703, comment 25).

 Questions:

 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
 and kerberos demands that things with explicit dependencies on mit-krb5
 either be fixed or not used at all.

 I'm the first activity on bug 231936 in two years...could someone please
 look into that one?

 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
 through a virtual? My suspicion is no, but I don't know enough about
 kerberos to say whether or not it would work, even as a hack.

 I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
 crop up, so (and forgive the nausea this might cause) it might help to
 slot mit and heimdal, and have virtual/krb5 depend on the presence of at
 least one.

 so, read the thread so far, and I think you are over-complicating things
 with slotting.  I use kerberos at home (more or less just to learn it,
 worksforme, etc).  I chose MIT.  From what I understand MIT and heimdal
 are mutually exclusive (can not operate with each other) and that heimdal
 is what windows uses.
 
 This is incorrect, or at least, was incorrect last time I looked
 (circa...uhh..2009?)

well, that was right around the time I installed it, so guess that makes
sense.

 
 They work 'ok' together. Heimdal clients could talk to MIT servers at
 least. Of course, there were quirks, and incompatible command line
 syntax, hence my fierce recommendation to 'not do that.'
 

 What this seems to be is a simple case of blockers.  So, the question
 is, are you going to be using kerberos in nfs? if not, masking the flag
 may be what works for you (in the short term at least).  Longer term it
 sounds like maybe separate use flags are in order (or something, dunno).
 
 Do not use Kerberized NFSv3. I'm unsure if nfsv4 is any better :/
 
 -A
 

 I don't think samba will support MIT, since it's kinda windows focused.

 On another note, I can't find bug 231936.

 --
 -- Matthew Thode (prometheanfire)

 


-- 
-- Matthew Thode (prometheanfire)


