[PROPOSAL] Require builtin or system krb5 libs

Andrew Bartlett abartlet at samba.org
Thu Jan 5 00:11:40 MST 2012


On Tue, 2012-01-03 at 01:37 -0500, simo wrote:
> On Tue, 2012-01-03 at 14:06 +1100, Andrew Bartlett wrote: 

> > For MIT Kerberos, what minimum would work for you?  
> 
> I would probably choose to set the bar at MIT 1.9.2 but some others may
> find this a bit aggressive I guess.

I think the latest MIT version that would be practical in the short-term
would be 1.8.1 as that is what is running on sn-devel. 

Even moving this far would allow us to rely on the PAC-from-GSSAPI
support, which will make moving to always using GSSAPI possible at
session setup.  

I've prepared a patch series for this (on top of my s3-rpc-gensec work)
at
https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-unifdef 

This was created using unifdef http://dotat.at/prog/unifdef/ to safely
remove the #ifdef macros.

To decide what functions to remove from the compatibility layer, a diff
of the config.h from an autoconf and waf build on sn-devel was made.
Any entry that was identical was selected, the configure test removed
and the fallback code removed from the abstraction layer. 

This was done one API at a time, to allow a selective revert if that
becomes required in future. 

Most of the functions being removed were compatibility layers for
ancient Heimdal releases.  (Heimdal now has a number of these MIT APIs
natively).

It has just passed a full test autobuild on sn-devel.

Attached is the diffstat showing the code removed, please let me know
what you think,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
 auth/kerberos/gssapi_pac.c                          |    2 
 auth/kerberos/kerberos_pac.c                        |    2 
 docs-xml/Samba3-ByExample/SBE-AddingUNIXClients.xml |    2 
 lib/addns/dns.h                                     |   10 -
 lib/addns/dnsgss.c                                  |    2 
 lib/replace/system/kerberos.h                       |    6 
 libcli/auth/krb5_wrap.c                             |  119 +++--------------
 libcli/smb/smb_seal.c                               |   10 -
 libcli/smb/smb_seal.h                               |   10 -
 libcli/smb/wscript_build                            |    2 
 nsswitch/wbinfo.c                                   |    2 
 nsswitch/winbind_krb5_locator.c                     |    4 
 packaging/RHEL-CTDB/samba.spec.tmpl                 |    2 
 source3/auth/auth_generic.c                         |    8 -
 source3/auth/user_krb5.c                            |   30 ----
 source3/configure.in                                |   86 +-----------
 source3/include/includes.h                          |    7 -
 source3/include/krb5_protos.h                       |    6 
 source3/include/smb_krb5.h                          |    2 
 source3/lib/popt_common.c                           |    5 
 source3/libads/ads_status.c                         |    8 -
 source3/libads/authdata.c                           |    2 
 source3/libads/kerberos.c                           |    6 
 source3/libads/kerberos_keytab.c                    |    2 
 source3/libads/kerberos_util.c                      |    2 
 source3/libads/kerberos_verify.c                    |    2 
 source3/libads/krb5_errs.c                          |    2 
 source3/libads/krb5_setpw.c                         |    2 
 source3/libads/sasl.c                               |   24 ---
 source3/libads/util.c                               |    2 
 source3/libnet/libnet_keytab.c                      |    2 
 source3/libnet/libnet_keytab.h                      |    2 
 source3/librpc/crypto/gse.c                         |    2 
 source3/librpc/crypto/gse_krb5.c                    |    2 
 source3/librpc/crypto/gse_krb5.h                    |    2 
 source3/libsmb/auth_generic.c                       |    2 
 source3/libsmb/cliconnect.c                         |    4 
 source3/libsmb/clifsinfo.c                          |    9 -
 source3/libsmb/clikrb5.c                            |  133 +-------------------
 source3/libsmb/errormap.c                           |    2 
 source3/libsmb/namequery_dc.c                       |    2 
 source3/smbd/seal.c                                 |   12 -
 source3/smbd/sesssetup.c                            |    8 -
 source3/smbd/smb2_sesssetup.c                       |    6 
 source3/torture/locktest.c                          |    5 
 source3/torture/torture.c                           |    5 
 source3/utils/net_lookup.c                          |    5 
 source3/utils/ntlm_auth.c                           |   21 ---
 source3/winbindd/winbindd_cred_cache.c              |   16 --
 source3/winbindd/winbindd_pam.c                     |   14 --
 source3/wscript                                     |   54 +-------
 source4/auth/kerberos/kerberos.c                    |    2 
 source4/auth/kerberos/kerberos.h                    |    6 
 source4/heimdal_build/wscript_configure             |   20 ---
 54 files changed, 53 insertions(+), 652 deletions(-)
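
The selection step described in the message (compare the config.h produced by the autoconf and waf builds, keep the entries that are identical) can be sketched as follows. This is an added example, not code from the patch series or from Samba; the config.h fragments and the HAVE_EXAMPLE_* names are constructed, and it assumes both builds write `#define NAME VALUE` and `/* #undef NAME */` lines. It goes slightly beyond the message by also emitting `-U` for symbols that both builds leave undefined.

```python
import re

# Constructed config.h fragments; the HAVE_EXAMPLE_* names are hypothetical.
AUTOCONF_CONFIG_H = """\
#define HAVE_EXAMPLE_KRB5_FOO 1
#define HAVE_EXAMPLE_KRB5_BAR 1
/* #undef HAVE_EXAMPLE_KRB5_OLD */
/* #undef HAVE_EXAMPLE_KRB5_BAZ */
#define PACKAGE_NAME "example"
"""
WAF_CONFIG_H = """\
#define HAVE_EXAMPLE_KRB5_FOO 1
/* #undef HAVE_EXAMPLE_KRB5_BAR */
/* #undef HAVE_EXAMPLE_KRB5_OLD */
#define HAVE_EXAMPLE_KRB5_WAF_ONLY 1
"""

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(\w+)\s+(\S.*?)\s*$")
UNDEF_RE = re.compile(r"^\s*/\*\s*#\s*undef\s+(\w+)\s*\*/\s*$")
_ABSENT = object()  # marks a macro that one build never tested

def parse_config_h(text):
    """Return {macro: value}; value is None for a commented-out #undef."""
    macros = {}
    for line in text.splitlines():
        if m := DEFINE_RE.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := UNDEF_RE.match(line):
            macros[m.group(1)] = None
    return macros

def agreed_macros(a, b, prefix="HAVE_"):
    """Feature macros that both builds tested with the identical outcome."""
    return {n: v for n, v in a.items()
            if n.startswith(prefix) and n in b and b[n] == v}

def disputed_macros(a, b, prefix="HAVE_"):
    """Macros that differ or exist in one build only: keep their tests."""
    names = {n for n in set(a) | set(b) if n.startswith(prefix)}
    return sorted(n for n in names if a.get(n, _ABSENT) != b.get(n, _ABSENT))

def unifdef_args(agreed):
    """unifdef flags: -DNAME=VALUE where defined, -UNAME where undefined."""
    return [f"-U{n}" if v is None else f"-D{n}={v}"
            for n, v in sorted(agreed.items())]

if __name__ == "__main__":
    a, b = parse_config_h(AUTOCONF_CONFIG_H), parse_config_h(WAF_CONFIG_H)
    print("unifdef", " ".join(unifdef_args(agreed_macros(a, b))), "<file.c>")
    print("keep configure tests for:", ", ".join(disputed_macros(a, b)))
```

Passing one flag per unifdef run mirrors the one-API-at-a-time commits, so each removal stays individually revertible.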

