[PROPOSAL] Require builtin or system krb5 libs

[Stefan (metze) Metzmacher]

Hi Andrew,

>>> For MIT Kerberos, what minimum would work for you?  
>>
>> I would probably choose to set the bar at MIT 1.9.2 but some others may
>> find this a bit aggressive I guess.
> 
> I think the latest MIT version that would be practical in the short-term
> would be 1.8.1 as that is what is running on sn-devel. 
> 
> Even moving this far would allow us to rely on the PAC-from-GSSAPI
> support, which will make moving to always using GSSAPI possible at
> session setup.  
> 
> I've prepared a patch series for this (on top of my s3-rpc-gensec work)
> at
> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-unifdef 
> 
> This was created using unifdef http://dotat.at/prog/unifdef/ to safely
> remove the #ifdef macros.
> 
> To decide what functions to remove from the compatibility layer, a diff
> of the config.h from an autoconf and waf build on sn-devel was made.
> Any entry that was identical was selected, the configure test removed
> and the fallback code removed from the abstraction layer. 
> 
> This was one one API at at time, to allow a selective revert if that
> becomes required in future. 
> 
> Most of the functions being removed were compatibility layers for
> ancient Heimdal releases.  (Heimdal now has a number of these MIT APIs
> natively).
> 
> It has just passed a full test autobuild on sn-devel.
> 
> Attached is the diffstat showing the code removed, please let me know
> what you think,

Does this still build without any kerberos support?

I think we can avoid older kerberos libraries, but we should not force
the need of a new kerberos library.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120105/26a2ecb2/attachment.pgp>