What would it take to remove Heimdal?

Andrew Bartlett abartlet at samba.org
Sun Jul 13 21:46:13 MDT 2014

On Fri, 2014-07-11 at 16:16 +0200, Jelmer Vernooij wrote:
> On Fri, Jul 11, 2014 at 03:57:56PM +0200, Stefan (metze) Metzmacher wrote:
> > Am 11.07.2014 15:43, schrieb Jelmer Vernooij:
> > >>  Heimdal isn't possible today due to the AD DC, but when it IS possible to
> > >> build a working AD DC without Heimdal, it no longer belongs in tree.
> > > It already is possible to build a working AD DC without the bundled 
> > > Heimdal, using the system Heimdal. We do this for the Debian/Ubuntu packages,
> > > and Samba has supported this for a long time.
> > 
> > But there're still some patches only in our copy of heimdal.
> > 
> > https://git.samba.org/?p=lorikeet-heimdal.git;a=commitdiff;h=70a1b4d8eb710e15ff7a1c8068500dd62f3a3426
> > https://git.samba.org/?p=lorikeet-heimdal.git;a=commitdiff;h=f307cd00f4b14cf14f6fcae9c93378967972a15d
> These are the only two relevant ones I see looking at
> git://git.samba.org/lorikeet-heimdal.

Sadly lorikeet-heimdal isn't up to date.  I've changed things again for
the password lockout stuff.  We won't be able to release Samba 4.2 on
debian without a coordinated Heimdal update.  Indeed, we should actually
put a strict version dependency on Heimdal, not only to ensure we have a
version that will respect lockouts, but also because Heimdal has changed
the ABIs we use (inside the KDC in particular) without warning. 

> > And looking at
> > https://git.samba.org/?p=abartlet/lorikeet-heimdal.git/.git;a=shortlog;h=refs/heads/lorikeet-heimdal-201402190928
> > show a few more.
> The others in this branch seem to be generic improvements for Heimdal that
> are unrelated to Samba, like build fixes for AIX. 
> > The external heimdal versions are also not verified to work completely.
> > The last import attempt failed because something broke and didn't pass our
> > tests anymore.
> Can you elaborate on that? I don't remember seeing problems.

When I last tried to update it, I broke my wintest against Win2008R2 SP0
or something like that.  It was weird, and subtle and I never finished
doing the ttt trace with Microsoft to fully understand it.

I was a couple of months ago in the process of updating Heimdal, and
would love to instead just boot it out of the tree, once patched, as
over the years a *lot* of waf updates have been required.  

But to do that would put us in a difficult spot when we do need changes
- we would require users to get a new/patched Heimdal for their
distribution.  It would also cut off users of systems without MIT Krb5
1.9, who currently get full Kerberos support without needing to install
additional libraries.  It was this facility that allowed us to move the
minimum required version and remove a lot of hand-written gssapi-krb5

An alternative might be to have a waf rule that downloads and builds
zlib, Heimdal (patched) and other packages each with their own native
build systems, and installs those into a prefix.  We would then build
against that, much as we do python.  

As always, these things are not as easy to carry out as they are to
propose :-(

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list