On (17/10/13 13:59), Benjamin Franzke wrote: >2013/10/17 Stephen Gallagher <[email protected]> > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 10/17/2013 07:35 AM, Benjamin Franzke wrote: >> > Hi list, >> > >> > I've tried to use sssd with heimdal, there were some fixes to be >> > done. Are you intrested in reviewing and integrating them? >> > >> > They are available at: https://git.bnfr.net/sssd/log/?h=heimdal-1 >> > Note: They are on top of other build fixes i've send to the list >> > (but thats visible in the log). >> > >> > This compiles without warnings and passes all make tests. Actually >> > i've added alternatives for deprecated (in terms of heimdal) >> > kerberos functions to avoid warnings there. >> > >> > I've tested this in a samba 4 environment (with the sssd-ad >> > module). >> > >> >> Just for the record, Heimdal support has come up before. Historically, >> our answer has been this: "SSSD upstream does not officially support >> using SSSD with Heimdal. This is because the SSSD upstream works >> closely with the MIT Kerberos upstream to have features that we need >> incorporated there." >> >> In the past, we've allowed the community to contribute patches to work >> with Heimdal because there are some platforms out there that seem to >> prefer it, but the people who have contributed this have a habit of >> disappearing. We've always held to the idea that it's not the >> responsibility of the core upstream to maintain the Heimdal patches. >> >> As move further along and the IPA and AD providers rely on >> ever-increasing MIT-specific features, I think the value of supporting >> Heimdal at all upstream continues to decrease. >> >> I'd honestly prefer to propose that SSSD drops its Heimdal support >> entirely and stop giving the impression that it might work. If we >> don't do this, a secondary option would be to add a new configure flag >> for Heimdal usage that makes it clear that Heimdal support is largely >> incomplete. >> >> >> I'd honestly be more interested in taking a samba-like approach here >> and making it possible to statically build-in a copy of MIT Kerberos >> for those platforms that only have Heimdal (such as the BSDs), since >> this would allow those platforms to enjoy all of the advance >> functionality that SSSD-with-MIT can offer (such as FreeIPA >> cross-realm trusts). >> >> >> Benjamin: Please do not take this as an attack on you. This is a >> long-standing issue upstream and one that just keeps coming up. >> > >No problem ;) I understand that position. >My main motivation was to be able to build it on my >main machine (gentoo) where i have samba4 installed as well. >So that i can read the sssd man pages here. > >Also I think that if you dont want to support heimdal, maybe there should >be a configure check >that errors out if people try to compile against heimdal. > > Or you can try to update samba4 portage with possibility to compile with MIT krb5 :-)
LS _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
