[PROPOSAL] Require builtin or system krb5 libs

simo idra at samba.org
Thu Jan 5 07:18:39 MST 2012


On Thu, 2012-01-05 at 14:01 +0100, Stefan (metze) Metzmacher wrote: 
> Hi Andrew,
> 
> >>>> Why not?  We have a large amount of code and complexity created by
> >>>> trying (and failing, see 3.5.11, recent master) to support building
> >>>> without Kerberos.  As nobody noticed until now, clearly our users accept
> >>>> the need for a Kerberos library to build Samba.
> >>>
> >>> Recently I fixed a master build without Kerberos. See
> >>> 48804e4. At least the compile went fine..
> >>
> >> And I do thank you for doing that.  
> >>
> >> My point here is to avoid us needing to keep doing this in future, and
> >> to remove some small part of Samba's complexity that having optional
> >> kerberos brings.
> > 
> > And my point is to object to that. I am perfectly happy with
> > us requiring a certain recent Kerberos library level if we
> > do Kerberos, but we need to run without Kerberos as well.
> 
> I also think we should build without any kerberos support, I'm
> happy to use only HAVE_ADS (--with-ads=no) for that,
> instead of HAVE_ADS, HAVE_KRB5 and HAVE_GSSAPI wildly mixed.

Well theoretically HAVE_ADS would be a wrong characterization as you can
run samba with kerberos without any AD domain around (which I do), but I
do not really care what's the name used. We could perhaps start by
dropping HAVE_KRB5 and keeping only HAVE_GSSAPI, assuming we can move
every krb interaction to use only gssapi.

> When we have hidden most of the krb5/gssapi stuff behind the gensec
> abstraction,
> it shouldn't be that complex to maintain.

And I totally agree here.

> Most of the pain is really to work around incomplete/incompatible
> krb5/gssapi libraries.

Yup.

There is one thing we do here and there that is still not covered by
GSSAPI interfaces (initialization of credentials from a keytab), but on
the MIT side we should get that sometime in 1.10 or 1.11, so when that
will be available also kinit style stuff will be possible through
GSSAPI.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>


