On 10/17/2013 07:35 AM, Benjamin Franzke wrote:
> Hi list,
>
> I've tried to use sssd with heimdal, there were some fixes to be
> done. Are you interested in reviewing and integrating them?
>
> They are available at: https://git.bnfr.net/sssd/log/?h=heimdal-1
> Note: They are on top of other build fixes I've sent to the list
> (but that's visible in the log).
>
> This compiles without warnings and passes all make tests. Actually
> I've added alternatives for deprecated (in terms of heimdal)
> kerberos functions to avoid warnings there.
>
> I've tested this in a samba 4 environment (with the sssd-ad
> module).
>

Just for the record, Heimdal support has come up before. Historically, our answer has been this:

"SSSD upstream does not officially support using SSSD with Heimdal. This is because the SSSD upstream works closely with the MIT Kerberos upstream to have features that we need incorporated there."

In the past, we've allowed the community to contribute patches to work with Heimdal because there are some platforms out there that seem to prefer it, but the people who have contributed this have a habit of disappearing. We've always held to the idea that it's not the responsibility of the core upstream to maintain the Heimdal patches.

As we move further along and the IPA and AD providers rely on ever-increasing MIT-specific features, I think the value of supporting Heimdal at all upstream continues to decrease. I'd honestly prefer to propose that SSSD drops its Heimdal support entirely and stops giving the impression that it might work.

If we don't do this, a secondary option would be to add a new configure flag for Heimdal usage that makes it clear that Heimdal support is largely incomplete.

I'd honestly be more interested in taking a samba-like approach here and making it possible to statically build-in a copy of MIT Kerberos for those platforms that only have Heimdal (such as the BSDs), since this would allow those platforms to enjoy all of the advanced functionality that SSSD-with-MIT can offer (such as FreeIPA cross-realm trusts).

Benjamin: Please do not take this as an attack on you. This is a long-standing issue upstream and one that just keeps coming up.
