[16274] in Kerberos_V5_Development

Re: Project Review: kinit -C

daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Sep 15 09:02:38 2010

From: Sam Hartman <hartmans@mit.edu>
To: Simo Sorce <ssorce@redhat.com>
Date: Wed, 15 Sep 2010 09:02:14 -0400
In-Reply-To: <20100915001329.GB3661@sun.com> (Will Fiveash's message of "Tue, 
	14 Sep 2010 19:13:29 -0500")
Message-ID: <tsl8w33ma7d.fsf@live.mit.edu>
MIME-Version: 1.0
Cc: Tom Yu <tlyu@mit.edu>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>>>>> "Will" == Will Fiveash <will.fiveash@oracle.com> writes:

    Will> On Tue, Sep 14, 2010 at 05:03:02PM -0400, Sam Hartman wrote:
    >> >>>>> "Simo" == Simo Sorce <ssorce@redhat.com> writes:
    >> 
    Simo> On Tue, 14 Sep 2010 14:54:35 -0400
    Simo> Sam Hartman <hartmans@MIT.EDU> wrote:
    >> 
    >> >> >>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:
    >> >> 
    Tom> Sam Hartman <hartmans@MIT.EDU> writes:
    >> >> >> As a result, kinit will link against libkdb5 and
    >> >> >> libkadm5srv.
    >> >> 
    Tom> I would prefer that this be a build-time option, so that
    Tom> software packagers have more flexibility about whether the
    Tom> kinit binary needs to have the KDC libraries installed.
    Tom> Alternatively, build two versions, kinit and kinit.local, only
    Tom> the latter of which depends on the KDC libraries.
    >> >> 
    >> >> I'd like to push back on this and ask for someone to step
    >> >> forward and say that's a problem for their packaging first
    >> >> before we make the change.
    >> 
    Simo> Unless you want to force people to install libkdb5 and
    Simo> libkadm5srv on every client it looks like it is going to be an
    Simo> issue. That is, unless you explicitly dlopen() these libraries
    Simo> therefore not making them a strong dependency and breaking
    Simo> only the impersonation functionality if they are not
    Simo> available.
    >> 
    >> Right.  I was going to recommend installing libkdb5 and
    >> libkadm5srv everywhere.  Personally, I don't see a problem with
    >> that with my Debian hat on, but if other packagers do, then we
    >> can look at approaches.

    Will> This would cause packaging changes for Solaris.  Given this
    Will> must run on the KDC, maybe it should be a separate utility, or
    Will> a modification to kadmin.local?

Yes it causes changes.  Are those changes bad?  I'm happy to look at a
solution to this problem if someone steps forward--you and Simo are the
obvious candidates--and says that they've thought about the changes and
think they're undesirable.  I think it's very bad practice to solve
problems because they cause differences.  Making this a separate utility
that includes most of the code of kinit also has negative consequences.
If someone takes the time to look at both of these and concludes the
packaging changes are undesirable, that's one thing.  However, so far,
we've had three people note that there will be a change without actually
taking the time to evaluate that change.

--Sam
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev