Message-ID: <512BFAC7.6070202@gmail.com>
Date: Mon, 25 Feb 2013 18:59:03 -0500
From: Michael Mol <mikemol@gmail.com>
MIME-Version: 1.0
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] kerberos, virtuals, rattling cages
References: <512ACBA1.7090209@gmail.com> <512B10E5.5080408@gentoo.org> <CA+czFiDGrM78wT38D_YKvpr7JrVWxW4BJ6JOBTE-WSsEDtSpFg@mail.gmail.com>
In-Reply-To: <CA+czFiDGrM78wT38D_YKvpr7JrVWxW4BJ6JOBTE-WSsEDtSpFg@mail.gmail.com>
X-Enigmail-Version: 1.5
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="----enig2WXMIWFINNCDVJLJUUNMH"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2WXMIWFINNCDVJLJUUNMH
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 02/25/2013 12:48 PM, Michael Mol wrote:
> On Mon, Feb 25, 2013 at 2:21 AM, Matthew Thode
> <prometheanfire@gentoo.org> wrote:
>> On 02/24/13 20:25, Michael Mol wrote:
>>> (I really don't have time to actively participate on this list right
>>> now, but I believe that if I bring it up on b.g.o, I'll be directed
>>> here, so...)
>>>
>>> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to
>>> enable kerberos system-wide on my server.
>>>
>>> No joy, as net-fs/nfs-utils has an explicit dependency on
>>> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on
>>> app-crypt/heimdal (for reasons noted in bug 195703, comment 25).
>>>
>>> Questions:
>>>
>>> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3
>>> and kerberos demands that things with explicit dependencies on mit-krb5
>>> either be fixed or not used at all.
>>>
>>> I'm the first activity on bug 231936 in two years...could someone please
>>> look into that one?
>>>
>>> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them
>>> through a virtual? My suspicion is "no", but I don't know enough about
>>> kerberos to say whether or not it would work, even as a hack.
>>>
>>> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to
>>> crop up, so (and forgive the nausea this might cause) it might help to
>>> slot mit and heimdal, and have virtual/krb5 depend on the presence of at
>>> least one.
>>>
>> so, read the thread so far, and I think you are over-complicating things
>> with slotting.  I use kerberos at home (more or less just to learn it,
>> worksforme, etc).  I chose MIT.  From what I understand MIT and heimdal
>> are mutually exclusive (can not operate with each other) and that heimdal
>> is what windows uses.
>
> I think they're effectively the same on the wire, but I'm not sure.
> I'm studying the issue.

For the record: On my system, the only two changes I had to make to
enable kerberos (largely) system-wide were:

1) mask net-fs/nfs-utils (it was only being brought in by the kerberos
flag, anyway)
2) mask dev-libs/openssl[kerberos]. See
https://bugs.gentoo.org/show_bug.cgi?id=459220

Both of those had explicit dependencies on app-crypt/mit-krb5. After
that, everything built fine for app-crypt/heimdal. (No idea how well it
works; I've still got a ways to go to prove/disprove any of that.)

My purpose in originating this thread isn't (and hasn't been) all about
getting AD operating correctly and pervasively. My purpose is in getting
the package dependencies for kerberos sanified and cleaned up. If that
means there are upstream issues, I can prod them, too, I suppose.

(I do still wonder what all breaks if the assumption is "allow mit-krb5 to
be installed, rather than heimdal".)


------enig2WXMIWFINNCDVJLJUUNMH
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


------enig2WXMIWFINNCDVJLJUUNMH--
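
An added example, not part of the original message or of any Gentoo tool: a shell script that classifies ebuilds by the Kerberos implementation they name directly instead of virtual/krb5, and reports when one tree pins both, which is the situation this thread describes. The ebuild contents, the nfs-utils-0 version and the app-misc/example package are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; the sample ebuilds below are constructed, not real tree content.

# krb5_pin FILE -> prints "mit-krb5", "heimdal", "either" or "none"
krb5_pin() {
    # Drop comment lines so a commented-out atom is not counted.
    atoms=$(grep -v '^[[:space:]]*#' "$1" |
        grep -oE 'app-crypt/(mit-krb5|heimdal)' | sort -u)
    case "$atoms" in
        '') echo none ;;
        app-crypt/mit-krb5) echo mit-krb5 ;;
        app-crypt/heimdal) echo heimdal ;;
        *) echo either ;;   # names both, e.g. inside an || ( ... ) group
    esac
}

# scan_tree DIR -> one "pin<TAB>path" line per ebuild pinned to a single implementation
scan_tree() {
    find "$1" -name '*.ebuild' | sort | while read -r f; do
        pin=$(krb5_pin "$f")
        [ "$pin" = none ] || [ "$pin" = either ] ||
            printf '%s\t%s\n' "$pin" "${f#"$1"/}"
    done
}

# tree_conflicts DIR -> exit status 0 when the tree pins both implementations
tree_conflicts() {
    pins=$(scan_tree "$1" | cut -f1 | sort -u | tr '\n' ' ')
    [ "$pins" = "heimdal mit-krb5 " ]
}

# make_sample_tree -> prints the path of a temporary tree of constructed ebuilds
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/net-fs/nfs-utils" "$d/net-fs/samba" "$d/app-misc/example"
    printf 'RDEPEND="kerberos? ( app-crypt/mit-krb5 )"\n' \
        > "$d/net-fs/nfs-utils/nfs-utils-0.ebuild"
    printf '# constructed comment naming app-crypt/mit-krb5, must be ignored\nRDEPEND="app-crypt/heimdal"\n' \
        > "$d/net-fs/samba/samba-4.0.3.ebuild"
    printf 'RDEPEND="kerberos? ( virtual/krb5 )"\n' \
        > "$d/app-misc/example/example-1.ebuild"
    echo "$d"
}

tree=$(make_sample_tree)
scan_tree "$tree"
tree_conflicts "$tree" && echo "conflict: both implementations are pinned"
rm -rf "$tree"
```

On a real system, point scan_tree at the ebuild repository instead of the sample tree; every line it prints is a candidate for a virtual/krb5 dependency or a mask.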