working long-term with the MIT KRB5 codebase in the AD DC

Uri Simchoni uri at samba.org
Sun Oct 22 13:07:51 UTC 2017 

I tried building Samba against master MIT, to get a sense of what it
takes, and and failed in a quite puzzling way. The failure doesn't seem
related to AD-DC. My steps were:

1. Build git-cloned MIT with --prefix=/home/uri/krb5inst:
a. autoreconf
b. configure --prefix=/home/uri/krb5inst
c. make
d. make install
2. Run an autobuild-ish samba configure:

./configure.developer --with-selftest-prefix=./bin/ab --picky-developer
--with-profiling-data --prefix=/home/uri/s2/bin/samba/prefix
--with-system-mitkrb5 /home/uri/krb5inst --with-system-mitkdc
/home/uri/krb5inst/sbin/krb5kdc

The resulting build failed at lib/krb5_wrap/krb5_samba.c with:

/home/uri/krb5inst/include/profile.h:343:33: error: unused variable
‘et_prof_error_table’ [-Werror=unused-variable]
 extern const struct error_table et_prof_error_table;
                                 ^~~~~~~~~~~~~~~~~~~
/home/uri/krb5inst/include/profile.h:40:15: error: typedef
‘profile_filespec_t’ locally defined but not used
[-Werror=unused-local-typedefs]
 typedef char* profile_filespec_t; /* path as C string */
               ^~~~~~~~~~~~~~~~~~
/home/uri/krb5inst/include/profile.h:41:15: error: typedef
‘profile_filespec_list_t’ locally defined but not used
[-Werror=unused-local-typedefs]
 typedef char* profile_filespec_list_t; /* list of : separated paths, C
string */
               ^~~~~~~~~~~~~~~~~~~~~~~
/home/uri/krb5inst/include/profile.h:288:3: error: typedef
‘profile_module_init_fn’ locally defined but not used
[-Werror=unused-local-typedefs]
 (*profile_module_init_fn)(const char *residual, struct profile_vtable
*vtable,
   ^~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

I repeated this with Fedora 27 beta - success with system MIT Kerberos,
failure with master MIT.

Usually I'm able to figure out these things but this time I was left
puzzled - same compile switches, "offensive" typedefs and variables in
both versions (as seen in pre-processed code), yet the system krb5
succeeds and my own-built one fails. The only difference in compiler
flags is -I/home/vagrant/krb5inst/include

Thanks,
Uri.

On 10/20/2017 09:56 PM, Jeremy Allison via samba-technical wrote:
> So there's a tension here between the needs of distro's and the needs
> of vendors (I'm considering Catalyst via Andrew as a specific Samba
> vendor here).
> 
> Distros need Samba to work with the libraries shipped with the distro.
> An "upstream first" policy for all dependent libraries is a must.
> 
> Vendors need flexibility to add new features to both libraries and
> Samba to work with them. That sometimes means prototyping features
> and after customer approval getting the changes pushed upstream.
> 
> I don't want a fork of MIT. No one wants to fork important security
> libraries anymore. I don't want to keep a copy of Heimdal anymore. I
> think we can all agree on this :-).
> 
> Moving both Heimdal and MIT to a git reference to an external tree is
> a good idea.
> 
> My guess is the difficulty comes from this statement in Andrew's
> email:
> 
>> What I propose is:
>> - Our build system uses a git reference (via a submodule or otherwise)
>> to check out and build MIT krb5
>> - In Samba master, this tracks either:
>>   - MIT master
>>   - a "
>> - In Samba release branches this tracks:
>>   - the release branch, the released version of MIT krb5 that we will
>> support
>> - This occur in parallel to the Heimdal build
> 
> what we need to determine is what "Samba vendor fork of
> MIT in limited circumstances" actually means.
> 
> So long as this *doesn't* mean "a copy of MIT in our tree on samba.org"
> I hope we can come to some compromise we can agree on.
> 
> I see some hope in Andreas's reply here:
> 
>>> What I propose is:
>>>  - Our build system uses a git reference (via a submodule or otherwise)
>>> to check out and build MIT krb5
>>
>> That's fine just for development!
> 
>>>  - In Samba master, this tracks either:
>>>    - MIT master
>>>    - a Samba vendor fork of MIT in limited circumstances
>>
>> That's extremly bad! An enterprise distribution will not allow a vendor fork
>> of MIT Kerberos. You use what is in the system or not.
> 
> Can we get some consensus on what "is fine for development" means
> to both of you ?
> 
> Andreas, how do you see Andrew being able to add needed features
> to AD+MIT to move our MIT implementation forward ?
> 
> Andrew, how do you see being able to separate this out from
> master so the distros can keep a supported Samba running against
> the default shipped and supported crypto libraries ?
> 
> Jeremy.
>

More information about the samba-technical mailing list