Project Review: kinit -C

Sam Hartman hartmans at MIT.EDU
Wed Sep 15 09:02:14 EDT 2010


>>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:

    Will> On Tue, Sep 14, 2010 at 05:03:02PM -0400, Sam Hartman wrote:
    >> >>>>> "Simo" == Simo Sorce <ssorce at redhat.com> writes:
    >> 
    Simo> On Tue, 14 Sep 2010 14:54:35 -0400
    Simo> Sam Hartman <hartmans at MIT.EDU> wrote:
    >> 
> > >>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:
    >> >> 
    Tom> Sam Hartman <hartmans at MIT.EDU> writes:
    >> >> >> As a result, kinit will link against libkdb5 and
    >> libkadm5srv.
    >> >> 
    Tom> I would prefer that this be a build-time option, so that
    Tom> software packagers have more flexibility about whether the
    Tom> kinit binary needs to have the KDC libraries installed.
    Tom> Alternatively, build two versions, kinit and kinit.local, only
    Tom> the latter of which depends on the KDC libraries.
    >> >> 
    >> >> I'd like to push back on this and ask for someone to step
    >> forward >> and say that's a problem for their packaging first
    >> before we make >> the change.
    >> 
    Simo> Unless you want to force people to install libkdb5 and
    Simo> libkadm5srv on every client it looks like it is going to be an
    Simo> issue. That is, unless you explicitly dlopen() these libraries
    Simo> therefore not making them a strong dependency and breaking
    Simo> only the impersonation functionality if they are not
    Simo> available.
    >> 
    >> Right.  I was going to recommend installing libkdb5 and
    >> libkadm5srv everywhere.  Personally, I don't see a problem with
    >> that with my Debian hat on, but if other packagers do, then we
    >> can look at approaches.

    Will> This would cause packaging changes for Solaris.  Given this
    Will> must run on the KDC, maybe it should be a separate utility, or
    Will> a modification to kadmin.local?

Yes it causes changes.  Are those changes bad?  I'm happy to look at a
solution to this problem if someone steps forward--you and Simo are the
obvious candidates--and says that they've thought about the changes and
think they're undesirable.  I think it's very bad practice to gsolve
problems because they cause differences.  Making this a separate utility
that includes most of the code of kinit also has negative consequences.
If someone takes the time to look at both of these and conclude the
packaging changes are undesirable, that's one thing.  However, so far,
we've had three people note that there will be a change without actually
taking the time to evaluate that change.

--Sam



More information about the krbdev mailing list