From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 8BAF0198005 for ; Mon, 25 Feb 2013 03:46:55 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 25406E0655; Mon, 25 Feb 2013 03:46:52 +0000 (UTC) Received: from mail-ve0-f177.google.com (mail-ve0-f177.google.com [209.85.128.177]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3E789E064A for ; Mon, 25 Feb 2013 03:46:51 +0000 (UTC) Received: by mail-ve0-f177.google.com with SMTP id m1so1853585ves.22 for ; Sun, 24 Feb 2013 19:46:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:sender:x-originating-ip:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to :content-type:x-gm-message-state; bh=tNRaOl6pm2Whs5wFQItIG0HyJW4f03/ZgumPlPv8r4Q=; b=a1s1//ixs+BxJxsZzWw/Fr+sCCED0RRRAH2T55w9vJuzfQIKuIkvcwDFOYRQAi7gCv Rh9jxmgr8wsO02X9careuHFSkADzFoJ8QsJiPEIa5bCpPNJLk+mQuY6jF8Rfp36asw4i ScF9OiJGLaAgiEDzaimB8LUbuzd7Z5gbbrs3/uheyXMK32eQ8CURCwbXRCDQSoRXTJZ3 dJc++v/plAbRIfi+AsDc72+KDSQGYSxyyBOwMmjtFOvx+IPZm7SCruiZBJcxv3ZjQ9wM ecJ45JMFde14xYBilq6d39fDAPcV5BuUdG1Mc3C7IB6he1S8FUT9PdpHYzTufGlTPN4j qV5w== Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 X-Received: by 10.58.45.168 with SMTP id o8mr6164112vem.3.1361764010376; Sun, 24 Feb 2013 19:46:50 -0800 (PST) Sender: antarus@scriptkitty.com Received: by 10.220.124.2 with HTTP; Sun, 24 Feb 2013 19:46:50 -0800 (PST) X-Originating-IP: [208.54.39.241] In-Reply-To: <512AD7E4.5000107@gmail.com> References: <512ACBA1.7090209@gmail.com> <512AD7E4.5000107@gmail.com> Date: Sun, 24 Feb 2013 19:46:50 -0800 X-Google-Sender-Auth: wh1urTYdaZT9gEhDjeTSoK-Hh38 Message-ID: Subject: Re: [gentoo-dev] kerberos, virtuals, rattling cages From: Alec Warner To: gentoo-dev@lists.gentoo.org Content-Type: text/plain; charset=UTF-8 X-Gm-Message-State: ALoCoQmUkXfZmbCVvQCB4ElG0tFcpC5PirhkMh/UqODOwG0B0vaShH0qyBJRxhW7fMdTJE9mshk4 X-Archives-Salt: 22b4c6ac-684c-44f4-a79f-1617eee46ada X-Archives-Hash: 92196a63bc00f759ad85e1623adaa7f0 On Sun, Feb 24, 2013 at 7:17 PM, Michael Mol wrote: > On 02/24/2013 09:48 PM, Alec Warner wrote: >> On Sun, Feb 24, 2013 at 6:25 PM, Michael Mol wrote: >>> (I really don't have time to actively participate on this list right >>> now, but I believe that if I bring it up on b.g.o, I'll be directed >>> here, so...) >>> >>> So I'm playing with net-fs/samba-4.0.3, AD and kerberos, and tried to >>> enable kerberos system-wide on my server. >>> >>> No joy, as net-fs/nfs-utils has an explicit dependency on >>> app-crypt/mit-krb5 (bug 231936) and net-fs/samba-4.0.3 depends on >>> app-crypt/heimdal (for reasons noted in bug 195703, comment 25). >> >> I'm not familiar with anyone using Kerberos on Gentoo. I use it on >> Ubuntu; but we do not use it with Samba (or at least, if we do, I am >> not aware of it.) > > It's one of the core components of Active Directory, so anyone who puts > a Gentoo machine on an AD domain will likely be using it. I'm playing > around with Samba 4, which is supposed to have full support as a > standalone AD controller. An AD controller is effectively a central box > that manages and directs domain members to DNS (the host directory), > LDAP (the user and authorization directory) and Kerberos (the > authentication mechanism). Don't misunderstand, I know what all these things are ;) > >> >>> >>> Questions: >>> >>> 1) If upstream isn't going to support mit-krb5, then use of samba-4.0.3 >>> and kerberos demands that things with explicit dependencies on mit-krb5 >>> either be fixed or not used at all. >> >> I'm fairly sure samba supports either kerberos implementation; is >> there something that makes you think differently? > > The explicit dependency on app-crypt/heimdal in the ebuild, and comment > 25 attached to b.g.o bug 195703. I've taken those at face value; I > haven't followed up on them myself. > >> >>> >>> I'm the first activity on bug 231936 in two years...could someone please >>> look into that one? >>> >>> 2) Is it possible to slot mit-krb5 and heimdal instead of pulling them >>> through a virtual? My suspicion is "no", but I don't know enough about >>> kerberos to say whether or not it would work, even as a hack. >>> >> >> I'm not following you here. 'slot' means a very specific thing. You >> are not actually suggesting we use SLOT, you simply want both versions >> of the library to be installed in one ROOT? >> >> I would not advocate this approach. You should strive to have only one >> kerberos implementation on a given machine. > > I'm really not certain, to be honest. It was my impression that slots > allow for two different versions of a thing to be present on the same > system, and that their different sonames on the system would lead to > correct symbol resolution. (Although it would require that the soname > being sought be adjusted in a dependent program to target the version > required.) mit-krb5 and heimdal are separate packages. They both provide krb headers and kerb libraries. You could easily patch them to be on the same system. The problem with doing so is that packages are expecting only one set of kerberos headers and kerberos shared libraries. We have the 'eselect' framework for switching between 'providers' which we could use in this case (similar to say, the opengl libraries your system might use.) It is not clear to me if switching providers is at all safe in the kerberos instance, or if software built against mit-krb5 would crash if you pointed the loader at some heimdal shared objects. > > Even if it works, I acknowledge it's a nauseating hack for the circumstance. > >> >>> I'm sure explicit dependencies on mit-krb5 and heimdal will continue to >>> crop up, so (and forgive the nausea this might cause) it might help to >>> slot mit and heimdal, and have virtual/krb5 depend on the presence of at >>> least one. >>> >> >> It is likely that explicit dependencies are wrong, and are just bugs. > > This is what I found in the ebuild for net-fs/nfs-utils: > > # kth-krb doesn't provide the right include > # files, and nfs-utils doesn't build against heimdal either, > # so don't depend on virtual/krb. > # (04 Feb 2005 agriffis) > > Which I noted in a comment I attached to bug 231936 (relating to > net-fs/nfs-util). > > In bug 195703 (relating to the samba-4 version bump), there's this: > > "Since samba 4 doesn't support mit-krb5, I think we shouldn't depend on > virtual/krb5 but instead directly on heimdal after the com_err.h problem > is fixed." in comment 25, dated 2009-11-24 23:07:18 UTC. > > Directly responded to later by this: > > "Agreed." in comment 26, dated 2009-11-25 10:01:48 UTC > > > So nothing recent then ;p I think just 'eras' is the only person in the kerberos herd at this point. I only have a passing interest in it myself (and I'm not looking to maintain it in Gentoo ;)) -A