[PROPOSAL] Require builtin or system krb5 libs

Andrew Bartlett abartlet at samba.org
Thu Jan 5 05:08:08 MST 2012

On Thu, 2012-01-05 at 11:30 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> >>> For MIT Kerberos, what minimum would work for you?  
> >>
> >> I would probably choose to set the bar at MIT 1.9.2 but some others may
> >> find this a bit aggressive I guess.
> > 
> > I think the latest MIT version that would be practical in the short-term
> > would be 1.8.1 as that is what is running on sn-devel. 
> > 
> > Even moving this far would allow us to rely on the PAC-from-GSSAPI
> > support, which will make moving to always using GSSAPI possible at
> > session setup.  
> > 
> > I've prepared a patch series for this (on top of my s3-rpc-gensec work)
> > at
> > https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-unifdef 
> > 
> > This was created using unifdef http://dotat.at/prog/unifdef/ to safely
> > remove the #ifdef macros.
> > 
> > To decide what functions to remove from the compatibility layer, a diff
> > of the config.h from an autoconf and waf build on sn-devel was made.
> > Any entry that was identical was selected, the configure test removed
> > and the fallback code removed from the abstraction layer. 
> > 
> > This was one one API at at time, to allow a selective revert if that
> > becomes required in future. 
> > 
> > Most of the functions being removed were compatibility layers for
> > ancient Heimdal releases.  (Heimdal now has a number of these MIT APIs
> > natively).
> > 
> > It has just passed a full test autobuild on sn-devel.
> > 
> > Attached is the diffstat showing the code removed, please let me know
> > what you think,
> Does this still build without any kerberos support?

No, that is the point.  

The original proposal was to require that we have, by one means or
other, access to a krb5 library (the top level build of course has
internal kerberos).  Following up to this I supported Simo's
recommendation that we move to requiring a modern kerberos library. 

These patches back up both proposals with something concrete to actually

> I think we can avoid older kerberos libraries, but we should not force
> the need of a new kerberos library.

Why not?  We have a large amount of code and complexity created by
trying (and failing, see 3.5.11, recent master) to support building
without Kerberos.  As nobody noticed until now, clearly our users accept
the need for a Kerberos library to build Samba.

As to what new minimum to set, in terms of MIT Simo suggested 1.9 and I
suggest 1.8.  Both are quite new, but MIT krb5 1.8 and above gives us
the great advantage of being able to move to a pure GSSAPI handling of
the session setup, which would in turn reduce much of our most complex
krb5 code even further. 

What minimum version would you recommend?  It seems reasonable to be
aggressive (as Simo put it) in requiring a recent version, given that
users always have the option of building with the top level build to
access our bundled Heimdal.

Even if we cannot agree on a minimum version at this stage, I would like
to at least agree to require a krb5 lib of some kind.  


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list