Re: Heimdal vs MIT KerberosV
On Fri, Feb 27, 2009 at 7:44 PM, Tom McLaughlin tmcla...@sdf.lonestar.org wrote:

> Mel wrote:
> > On Thursday 26 February 2009 08:48:35 Tim Judd wrote:
> >
> > Building WITHOUT_KERBEROS and installing MIT-port, is best option to use
> > that implementation. You may need to remove libraries by hand, not sure if
> > make delete-old-libs covers it.
>
> Using WITHOUT_KERBEROS to build world IIRC will cause you to lose
> pam_{krb5,ksu} and GSSAPI support in ssh. Depending on your environment,
> those might be useful. Other than the kadmin protocol differences why change
> from Heimdal to MIT?
>
> tom
>
> --
> | tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
> | FreeBSD http://www.FreeBSD.org |

Frankly - it's a matter of exploration, learning and understanding of everything all put together.

Secondly, it's because MIT offers a Windows MIT KerberosV application and I wanted to see them interact with each other.

Thirdly, src.conf(5) clearly states that the knob WITH_GSSAPI will re-introduce that back into world. And as a subnote, I don't know how to use GSSAPI, don't know how to administer the API, or enable a service/daemon to utilize GSSAPI.

Fourthly -- Losing the pam_{krb5,ksu} is no sweat. As the first, initial play thing, I'd keep local accounts, enabling K5 and see how they interact. Speaking of the interaction, it's the time to learn DNS SRV records, and K5 seems a useful go at it.

I may have forgotten a reason, but it's how my mind works, how I enjoy to learn, and I'm not going to break the Internet doing it. :)

LTNS, tmclaugh. Haven't seen you around recently.

--TJ

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Heimdal vs MIT KerberosV
Mel wrote:
> On Thursday 26 February 2009 08:48:35 Tim Judd wrote:
>
> Building WITHOUT_KERBEROS and installing MIT-port, is best option to use
> that implementation. You may need to remove libraries by hand, not sure if
> make delete-old-libs covers it.

Using WITHOUT_KERBEROS to build world IIRC will cause you to lose pam_{krb5,ksu} and GSSAPI support in ssh. Depending on your environment, those might be useful. Other than the kadmin protocol differences why change from Heimdal to MIT?

tom

--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
Heimdal vs MIT KerberosV
Hello, Experts..

MIT and I are both located in the US -- so the export law from the US/to the US isn't applicable. I can understand why the included KerberosV implementation is the one from Sweden, due to these export laws.

I know there's a knob (WITHOUT_KERBEROS) to exclude it from the base system, but how can I replace the Sweden-based Heimdal implementation in favor of the MIT implementation? This isn't expected to be a long drawn out process, one that takes world hacking to work.

It'd be just as easy for me to build MIT krb5 from ports and let it install into /usr/local. That's fine -- but I wanted to stretch my knowledge on FreeBSD and the building process and would like to know what it would take to drop in MIT in exchange for Heimdal.

I'd guess a couple possible ways to do it, but I wanted to ask the experts before I broke FreeBSD. :)

Options as I see them:

1) Take the port directory and replace the contents of /usr/src/kerberos5 with security/krb5 from ports
2) Take the tarball from MIT and drop it into /usr/src/kerberos5

If anything were to work, I'd expect #1 to. So what is the expert's opinion, is it really this easy?

Thanks, everyone. Appreciate your time and input.

--Tim
Re: Heimdal vs MIT KerberosV
On Thursday 26 February 2009 08:48:35 Tim Judd wrote:

> It'd be just as easy for me to build MIT krb5 from ports and let it install
> into /usr/local. That's fine -- but I wanted to stretch my knowledge on
> FreeBSD and the building process and would like to know what it would take
> to drop in MIT in exchange for Heimdal.
>
> I'd guess a couple possible ways to do it, but I wanted to ask the experts
> before I broke FreeBSD. :)
>
> Options as I see them:
>
> 1) Take the port directory and replace the contents of /usr/src/kerberos5
>    with security/krb5 from ports
> 2) Take the tarball from MIT and drop it into /usr/src/kerberos5
>
> If anything were to work, I'd expect #1 to. So what is the expert's
> opinion, is it really this easy?

Neither will work. The ports build system is a vastly different superset of the src system. Ports core makefiles are in /usr/ports/Mk, and src in /usr/share/mk. Ports take very little from /usr/share/mk, only sys.mk for default flags, bsd.own.mk for default ownerships, the bsd.ports*.mk to point to $PORTSDIR and exclude /etc/src.conf and that's about it.

Furthermore, the base system doesn't use 'configure', patches are applied to make it work for FreeBSD without this hurdle.

In short, if you want to learn about the src make system, this isn't a good project. A better project is to read the pmake tutorial, the make(1) manpage, comments in /usr/share/mk/*.mk and start writing your own software with this build system. Start with something like:

# Makefile that pulls in the base system's rules for building a program
cat <<EOF >BSDmakefile
PROG=hello
# No hello.1 manual page exists, so build none
MAN=
.include <bsd.prog.mk>
EOF
# The program itself
cat <<'EOF' >hello.c
#include <stdio.h>

int main(int argc, char **argv)
{
	printf("Hello world!\n");
	return 0;
}
EOF
make

Building WITHOUT_KERBEROS and installing MIT-port, is best option to use that implementation. You may need to remove libraries by hand, not sure if make delete-old-libs covers it.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
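An added example for the "remove libraries by hand" step mentioned in the message above; it is not part of the thread or of the FreeBSD tree. It reports Kerberos libraries left in the base library directory and flags those that also exist under the ports prefix, where an old base copy could be loaded instead of the MIT one. The function name `audit_krb_libs` and the list of library name prefixes are assumptions to adjust for the system at hand.

```shell
#!/bin/sh
# Added example: find base-system Kerberos libraries left behind after a
# WITHOUT_KERBEROS world build and an MIT krb5 install from ports.
# Assumption: the library name prefixes below; extend the list as needed.
KRB_PREFIXES="libkrb5 libgssapi libkadm5 libhdb libasn1 libroken libheimntlm libhx509"

# audit_krb_libs BASE_LIBDIR PORTS_LIBDIR
# Prints one line per leftover base library:
#   SHADOWS <base-path> <ports-path>   same library stem exists in both places
#   STALE <base-path>                  only the old base copy exists
audit_krb_libs() {
    base=$1
    ports=$2
    for prefix in $KRB_PREFIXES; do
        for f in "$base"/"$prefix"*.so*; do
            # Skip the literal pattern when the glob matched nothing
            [ -e "$f" ] || [ -L "$f" ] || continue
            name=${f##*/}
            stem=${name%%.so*}          # libkrb5.so.10 -> libkrb5
            match=""
            for g in "$ports"/"$stem".so*; do
                if [ -e "$g" ]; then
                    match=$g
                    break
                fi
            done
            if [ -n "$match" ]; then
                echo "SHADOWS $f $match"
            else
                echo "STALE $f"
            fi
        done
    done | sort -u
}

# Run against explicit directories when two arguments are given, e.g.:
#   sh audit_krb_libs.sh /usr/lib /usr/local/lib
if [ "$#" -eq 2 ]; then
    audit_krb_libs "$1" "$2"
fi
```

Every path it prints is a candidate for manual review; the script itself deletes nothing.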
Re: Heimdal vs MIT KerberosV
On Thu, Feb 26, 2009 at 3:23 PM, Mel fbsd.questi...@rachie.is-a-geek.net wrote:

> On Thursday 26 February 2009 08:48:35 Tim Judd wrote:
>
> > It'd be just as easy for me to build MIT krb5 from ports and let it
> > install into /usr/local. That's fine -- but I wanted to stretch my
> > knowledge on FreeBSD and the building process and would like to know what
> > it would take to drop in MIT in exchange for Heimdal.
> >
> > I'd guess a couple possible ways to do it, but I wanted to ask the experts
> > before I broke FreeBSD. :)
> >
> > Options as I see them:
> >
> > 1) Take the port directory and replace the contents of /usr/src/kerberos5
> >    with security/krb5 from ports
> > 2) Take the tarball from MIT and drop it into /usr/src/kerberos5
> >
> > If anything were to work, I'd expect #1 to. So what is the expert's
> > opinion, is it really this easy?
>
> Neither will work. The ports build system is a vastly different superset of
> the src system. Ports core makefiles are in /usr/ports/Mk, and src in
> /usr/share/mk. Ports take very little from /usr/share/mk, only sys.mk for
> default flags, bsd.own.mk for default ownerships, the bsd.ports*.mk to point
> to $PORTSDIR and exclude /etc/src.conf and that's about it.
>
> Furthermore, the base system doesn't use 'configure', patches are applied
> to make it work for FreeBSD without this hurdle.
>
> In short, if you want to learn about the src make system, this isn't a good
> project. A better project is to read the pmake tutorial, the make(1)
> manpage, comments in /usr/share/mk/*.mk and start writing your own software
> with this build system. Start with something like:
>
> # Makefile that pulls in the base system's rules for building a program
> cat <<EOF >BSDmakefile
> PROG=hello
> # No hello.1 manual page exists, so build none
> MAN=
> .include <bsd.prog.mk>
> EOF
> # The program itself
> cat <<'EOF' >hello.c
> #include <stdio.h>
>
> int main(int argc, char **argv)
> {
> 	printf("Hello world!\n");
> 	return 0;
> }
> EOF
> make
>
> Building WITHOUT_KERBEROS and installing MIT-port, is best option to use
> that implementation. You may need to remove libraries by hand, not sure if
> make delete-old-libs covers it.
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules and never
> get to the software part.

Mel,

Thank you very much for the informative reply. It not only gives me a starting point, but it also describes why it won't work in good detail. I always look forward to your posts -- for they're very well done.

I will personally archive this off, because its information is like gold to me, especially when I'm so new to altering OS functions...

Thanks again.