Using KfM's credentials cache with Krb5 1.3 on OS X 10.2.6

Steven Michaud smichaud at pobox.com
Wed Aug 13 15:58:55 EDT 2003


> In particular, please remove the parts that add shared library
> support for darwin.

I'm not sure what you're getting at here.

> We are not ready to commit to an ABI on darwin and would be very
> annoyed if a bunch of people were distributing/using/expecting a
> particular shared library ABI.

Are you talking about the fact that my patch (as it now stands) hard
codes the name of the Kerberos framework?

> Personally, I'd argue for accepting a patch that added support for
> some well-maintained library that sat between Kerberos and ccapi and
> did the linking against the framework.

At this time, I don't think there's any compelling need for a separate
ccapi library on OS X.  I think it _would_ make sense as part of a
larger effort to support the ccapi on many different platforms, but I
don't have the time for that right now :-)

My patch (or Chas Williams') is currently quite useful, but only
because the KfM that comes with OS X currently doesn't support 1.3.1's
new encryption types.  For the time being, these patches are the only
way to get a single set of libraries that support both the ccapi and
the new encryption types.  But this will change when Panther is
released.

Yes, Apple should have included the entire MIT Kerberos package with
OS X, including the KDC and the application servers (ftpd, telnetd and
so forth).  But the KDC doesn't need the ccapi.  And you could argue
that it isn't a big deal that ftpd, telnetd and so forth have to use
file-based ticket caches for forwarded credentials.  (Telnetd can't
use anything better than single-DES encryption, so its usefulness is
quite limited.  And I actually don't know of anything that uses ftpd's
forwarded credentials.)

To put it briefly, I don't see the point of complicating a patch that,
while it's now very useful, will be obsolete in a few months.

On Mon, 11 Aug 2003, Sam Hartman wrote:

> If you are going to distribute this patch, could you please remove
> everything unrelated to ccapi support.  In particular, please remove
> the parts that add shared library support for darwin.
>
> We are not ready to commit to an ABI on darwin and would be very
> annoyed if a bunch of people were distributing/using/expecting a
> particular shared library ABI.
>
> I'd argue that we should not accept this patch because it modifies
> Kerberos to link against the native Kerberos framework.
>
> Personally, I'd argue for accepting a patch that added support for
> some well-maintained library that sat between Kerberos and ccapi and
> did the linking against the framework.
>
>
> --Sam
>
>

