Message-ID: <512AD7E4.5000107@gmail.com>
Date: Sun, 24 Feb 2013 22:17:56 -0500
From: Michael Mol
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] kerberos, virtuals, rattling cages
References: <512ACBA1.7090209@gmail.com>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 02/24/2013 09:48 PM, Alec Warner wrote:
> On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol wrote:
>> (I really don't have time to actively participate on this list right
>> now, but I believe that if I bring it up on b.g.o, I'll be directed
>> here, so...)
>>
>> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
>> enable kerberos system-wide on my server.
>>
>> No joy, as net-fs/nfs-utils has an explicit dependency on
>> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
>> app-crypt/heimdal (for reasons noted in bug 195703, comment 25).
>
> I'm not familiar with anyone using Kerberos on Gentoo. I use it on
> Ubuntu; but we do not use it with Samba (or at least, if we do, I am
> not aware of it.)

It's one of the core components of Active Directory, so anyone who puts
a Gentoo machine on an AD domain will likely be using it. I'm playing
around with Samba 4, which is supposed to have full support as a
standalone AD controller. An AD controller is effectively a central box
that manages and directs domain members to DNS (the host directory),
LDAP (the user and authorization directory) and Kerberos (the
authentication mechanism).

>
>>
>> Questions:
>>
>> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
>> and kerberos demands that things with explicit dependencies on mit-krb5
>> either be fixed or not used at all.
>
> I'm fairly sure samba supports either kerberos implementation; is
> there something that makes you think differently?

The explicit dependency on app-crypt/heimdal in the ebuild, and comment
25 attached to b.g.o bug 195703. I've taken those at face value; I
haven't followed up on them myself.

>
>>
>> I'm the first activity on bug 231936 in two years...could someone please
>> look into that one?
>>
>> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
>> through a virtual? My suspicion is "no", but I don't know enough about
>> kerberos to say whether or not it would work, even as a hack.
>>
>
> I'm not following you here. 'slot' means a very specific thing. You
> are not actually suggesting we use SLOT, you simply want both versions
> of the library to be installed in one ROOT?
>
> I would not advocate this approach. You should strive to have only one
> kerberos implementation on a given machine.

I'm really not certain, to be honest. It was my impression that slots
allow for two different versions of a thing to be present on the same
system, and that their different sonames on the system would lead to
correct symbol resolution. (Although it would require that the soname
being sought be adjusted in a dependent program to target the version
required.)

Even if it works, I acknowledge it's a nauseating hack for the
circumstance.

>
>> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
>> crop up, so (and forgive the nausea this might cause) it might help to
>> slot mit and heimdal, and have virtual/krb5 depend on the presence of at
>> least one.
>>
>
> It is likely that explicit dependencies are wrong, and are just bugs.

This is what I found in the ebuild for net-fs/nfs-utils:

# kth-krb doesn't provide the right include
# files, and nfs-utils doesn't build against heimdal either,
# so don't depend on virtual/krb.
# (04 Feb 2005 agriffis)

Which I noted in a comment I attached to bug 231936 (relating to
net-fs/nfs-utils).

In bug 195703 (relating to the samba-4 version bump), there's this:

"Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on
virtual/krb5 but instead directly on heimdal after the com_err.h problem
is fixed." in comment 25, dated 2009-11-24 23:07:18 UTC.

Directly responded to later by this:

"Agreed." in comment 26, dated 2009-11-25 10:01:48 UTC
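
An added example, not part of the original message and not code from Gentoo or Portage: a small Python audit that scans dependency strings for packages that pin app-crypt/mit-krb5 or app-crypt/heimdal directly instead of going through virtual/krb5, and flags the conflict the thread describes. The dependency strings are constructed for illustration, and the premise that the two implementations cannot share one system is taken from the thread.

```python
import re

# Implementations named in the thread; it treats them as mutually exclusive
# on one system (assumption taken from the message, not verified here).
IMPLS = {"app-crypt/mit-krb5": "mit", "app-crypt/heimdal": "heimdal"}

# Constructed dependency strings for illustration, NOT copied from real ebuilds.
SAMPLE_DEPENDS = {
    "net-fs/nfs-utils": "net-libs/libtirpc kerberos? ( app-crypt/mit-krb5 )",
    "net-fs/samba": "dev-libs/popt >=app-crypt/heimdal-1.5[-ssl] !!app-crypt/mit-krb5",
    "net-misc/openssh": "kerberos? ( virtual/krb5 )",
}

ATOM = re.compile(r"[<>=~]*([a-z0-9-]+/[A-Za-z0-9+_.-]+)")
VERSION = re.compile(r"-\d[\w.]*(-r\d+)?$")


def pinned_impls(depend):
    """Return the Kerberos implementations a dependency string requires directly."""
    pinned = set()
    for token in depend.split():
        if token.startswith("!"):
            continue  # blocker (!atom, !!atom) or negated USE flag, not a requirement
        token = token.split("[")[0].split(":")[0]  # drop USE deps and slot
        match = ATOM.fullmatch(token)
        if match:
            name = VERSION.sub("", match.group(1))  # strip -1.5, -1.5-r2, ...
            if name in IMPLS:
                pinned.add(IMPLS[name])
    return pinned


def audit(depends):
    """Map each package to the implementation(s) it pins and flag a conflict."""
    hard = {}
    for pkg, dep in depends.items():
        pinned = pinned_impls(dep)
        if pinned:
            hard[pkg] = sorted(pinned)
    distinct = {impl for impls in hard.values() for impl in impls}
    return hard, len(distinct) > 1


if __name__ == "__main__":
    hard, conflict = audit(SAMPLE_DEPENDS)
    for pkg, impls in hard.items():
        print(f"{pkg}: hard dependency on {', '.join(impls)}")
    print("conflict: packages pin different implementations" if conflict else "ok")
```

Packages that depend only on virtual/krb5 are not reported, since either implementation satisfies them.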