[PROPOSAL] Require builtin or system krb5 libs

Jeremy Allison jra at samba.org
Thu Jan 5 10:36:57 MST 2012


On Thu, Jan 05, 2012 at 11:08:08PM +1100, Andrew Bartlett wrote:
> On Thu, 2012-01-05 at 11:30 +0100, Stefan (metze) Metzmacher wrote:
> > Hi Andrew,
> > 
> > >>> For MIT Kerberos, what minimum would work for you?  
> > >>
> > >> I would probably choose to set the bar at MIT 1.9.2 but some others may
> > >> find this a bit aggressive I guess.
> > > 
> > > I think the latest MIT version that would be practical in the short-term
> > > would be 1.8.1 as that is what is running on sn-devel. 
> > > 
> > > Even moving this far would allow us to rely on the PAC-from-GSSAPI
> > > support, which will make moving to always using GSSAPI possible at
> > > session setup.  
> > > 
> > > I've prepared a patch series for this (on top of my s3-rpc-gensec work)
> > > at
> > > https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/krb5-unifdef 
> > > 
> > > This was created using unifdef http://dotat.at/prog/unifdef/ to safely
> > > remove the #ifdef macros.
> > > 
> > > To decide what functions to remove from the compatibility layer, a diff
> > > of the config.h from an autoconf and waf build on sn-devel was made.
> > > Any entry that was identical was selected, the configure test removed
> > > and the fallback code removed from the abstraction layer. 
> > > 
> > > This was done one API at a time, to allow a selective revert if that
> > > becomes required in future. 
> > > 
> > > Most of the functions being removed were compatibility layers for
> > > ancient Heimdal releases.  (Heimdal now has a number of these MIT APIs
> > > natively).
> > > 
> > > It has just passed a full test autobuild on sn-devel.
> > > 
> > > Attached is the diffstat showing the code removed, please let me know
> > > what you think,
> > 
> > Does this still build without any kerberos support?
> 
> No, that is the point.  
> 
> The original proposal was to require that we have, by one means or
> other, access to a krb5 library (the top level build of course has
> internal kerberos).  Following up to this I supported Simo's
> recommendation that we move to requiring a modern kerberos library. 

When we build with kerberos yes, but not for when krb5 isn't
required. We still need to be able to do a minimal build with
no krb5 on the box. I'm thinking of Samba running on something
like Android here.

Jeremy.

