2013/10/17 Lukas Slebodnik <lsleb...@redhat.com>

> On (17/10/13 13:59), Benjamin Franzke wrote:
> >2013/10/17 Stephen Gallagher <sgall...@redhat.com>
> >
> >> On 10/17/2013 07:35 AM, Benjamin Franzke wrote:
> >> > Hi list,
> >> >
> >> > I've tried to use sssd with heimdal, there were some fixes to be
> >> > done. Are you interested in reviewing and integrating them?
> >> >
> >> > They are available at: https://git.bnfr.net/sssd/log/?h=heimdal-1
> >> > Note: They are on top of other build fixes I've sent to the list
> >> > (but that's visible in the log).
> >> >
> >> > This compiles without warnings and passes all make tests. Actually
> >> > I've added alternatives for deprecated (in terms of heimdal)
> >> > kerberos functions to avoid warnings there.
> >> >
> >> > I've tested this in a samba 4 environment (with the sssd-ad
> >> > module).
> >> >
> >>
> >> Just for the record, Heimdal support has come up before. Historically,
> >> our answer has been this: "SSSD upstream does not officially support
> >> using SSSD with Heimdal. This is because the SSSD upstream works
> >> closely with the MIT Kerberos upstream to have features that we need
> >> incorporated there."
> >>
> >> In the past, we've allowed the community to contribute patches to work
> >> with Heimdal because there are some platforms out there that seem to
> >> prefer it, but the people who have contributed this have a habit of
> >> disappearing. We've always held to the idea that it's not the
> >> responsibility of the core upstream to maintain the Heimdal patches.
> >>
> >> As we move further along and the IPA and AD providers rely on
> >> ever-increasing MIT-specific features, I think the value of supporting
> >> Heimdal at all upstream continues to decrease.
> >>
> >> I'd honestly prefer to propose that SSSD drops its Heimdal support
> >> entirely and stop giving the impression that it might work. If we
> >> don't do this, a secondary option would be to add a new configure flag
> >> for Heimdal usage that makes it clear that Heimdal support is largely
> >> incomplete.
> >>
> >>
> >> I'd honestly be more interested in taking a samba-like approach here
> >> and making it possible to statically build-in a copy of MIT Kerberos
> >> for those platforms that only have Heimdal (such as the BSDs), since
> >> this would allow those platforms to enjoy all of the advanced
> >> functionality that SSSD-with-MIT can offer (such as FreeIPA
> >> cross-realm trusts).
> >>
> >>
> >> Benjamin: Please do not take this as an attack on you. This is a
> >> long-standing issue upstream and one that just keeps coming up.
> >>
> >
> >No problem ;) I understand that position.
> >My main motivation was to be able to build it on my
> >main machine (gentoo) where I have samba4 installed as well.
> >So that I can read the sssd man pages here.
> >
> >Also I think that if you don't want to support heimdal, maybe there should
> >be a configure check
> >that errors out if people try to compile against heimdal.
> >
> >
> Or you can try to update samba4 portage with possibility to compile
> with MIT krb5 :-)
>

Yes, with samba4 client side, but I wanted DC support, and updating heimdal support in sssd was easier than trying to do this:
http://gitweb.samba.org/?p=samba.git;a=blob;f=source4/auth/kerberos/kerberos-porting-to-mit-notes.txt

>
> LS
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>