[PROPOSAL] Require builtin or system krb5 libs

[Andrew Bartlett]

On Thu, 2012-01-05 at 14:01 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >>>> Why not?  We have a large amount of code and complexity created by
> >>>> trying (and failing, see 3.5.11, recent master) to support building
> >>>> without Kerberos.  As nobody noticed until now, clearly our users accept
> >>>> the need for a Kerberos library to build Samba.
> >>>
> >>> Recently I fixed a master build without Kerberos. See
> >>> 48804e4. At least the compile went fine..
> >>
> >> And I do thank you for doing that.  
> >>
> >> My point here is to avoid us needing to keep doing this in future, and
> >> to remove some small part of Samba's complexity that having optional
> >> kerberos brings.
> > 
> > And my point is to object to that. I am perfectly happy with
> > us requiring a certain recent Kerberos library level if we
> > do Kerberos, but we need to run without Kerberos as well.
> 
> I also think we should build without any kerberos support, I'm
> happy to use only HAVE_ADS (--with-ads=no) for that,
> instead of HAVE_ADS, HAVE_KRB5 and HAVE_GSSAPI wildly mixed.

OK.  On the basis of everyone's feedback, I've prepared a new branch: 

https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/raise-krb5-minimum

In this branch krb5 support remains optional, but the minimum version
has been increased to MIT krb5 1.8 or a reasonably modern Heimdal
version.  If this is acceptable, we can also investigate using
pkg-config to detect package versions, to provide a simpler and more
user-friendly overall check.

Please let me know what you think.  It just passed a full autobuild on
sn-devel.

> When we have hidden most of the krb5/gssapi stuff behind the gensec
> abstraction,
> it shouldn't be that complex to maintain.

I'll do my best to hide as much as possible behind gensec, certainly.

> Most of the pain is really to work around incomplete/incompatible
> krb5/gssapi libraries.

I'm happy to take one step at a time here. Moving to a MIT 1.8 minimum
will certainly make things easier.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
 libcli/auth/krb5_wrap.c                 |  113 +++++---------------------------
 source3/Makefile.in                     |    2 
 source3/configure.in                    |   92 +++++++++++++++++++++-----
 source3/include/krb5_protos.h           |    4 -
 source3/libads/kerberos.c               |    4 -
 source3/libsmb/clikrb5.c                |  112 +------------------------------
 source3/wscript                         |   59 ++++++++++++----
 source4/auth/kerberos/kerberos.h        |    4 -
 source4/heimdal_build/wscript_configure |    4 -
 9 files changed, 149 insertions(+), 245 deletions(-)