[PROPOSAL] Require builtin or system krb5 libs
Andrew Bartlett
abartlet at samba.org
Fri Jan 6 04:19:55 MST 2012
On Thu, 2012-01-05 at 14:01 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
>
> >>>> Why not? We have a large amount of code and complexity created by
> >>>> trying (and failing, see 3.5.11, recent master) to support building
> >>>> without Kerberos. As nobody noticed until now, clearly our users accept
> >>>> the need for a Kerberos library to build Samba.
> >>>
> >>> Recently I fixed a master build without Kerberos. See
> >>> 48804e4. At least the compile went fine..
> >>
> >> And I do thank you for doing that.
> >>
> >> My point here is to avoid us needing to keep doing this in future, and
> >> to remove some small part of Samba's complexity that having optional
> >> kerberos brings.
> >
> > And my point is to object to that. I am perfectly happy with
> > us requiring a certain recent Kerberos library level if we
> > do Kerberos, but we need to run without Kerberos as well.
>
> I also think we should build without any kerberos support, I'm
> happy to use only HAVE_ADS (--with-ads=no) for that,
> instead of HAVE_ADS, HAVE_KRB5 and HAVE_GSSAPI wildly mixed.
OK. On the basis of everyone's feedback, I've prepared a new branch:
https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/raise-krb5-minimum
In this branch krb5 support remains optional, but the minimum version
has been increased to MIT krb5 1.8 or a reasonably modern Heimdal
version. If this is acceptable, we can also investigate using
pkg-config to detect package versions, to provide a simpler and more
user-friendly overall check.
Please let me know what you think. It just passed a full autobuild on
sn-devel.
> When we have hidden most of the krb5/gssapi stuff behind the gensec
> abstraction,
> it shouldn't be that complex to maintain.
I'll do my best to hide as much as possible behind gensec, certainly.
> Most of the pain is really to work around incomplete/incompatible
> krb5/gssapi libraries.
I'm happy to take one step at a time here. Moving to a MIT 1.8 minimum
will certainly make things easier.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
libcli/auth/krb5_wrap.c | 113 +++++---------------------------
source3/Makefile.in | 2
source3/configure.in | 92 +++++++++++++++++++++-----
source3/include/krb5_protos.h | 4 -
source3/libads/kerberos.c | 4 -
source3/libsmb/clikrb5.c | 112 +------------------------------
source3/wscript | 59 ++++++++++++----
source4/auth/kerberos/kerberos.h | 4 -
source4/heimdal_build/wscript_configure | 4 -
9 files changed, 149 insertions(+), 245 deletions(-)
More information about the samba-technical
mailing list