Internal MIT Kerberos functions used by Samba
asn at samba.org
Wed May 31 17:16:25 EDT 2017
On Wednesday, 31 May 2017 20:37:22 CEST Robbie Harwood wrote:
> Simo Sorce <simo at redhat.com> writes:
> > On Wed, 2017-05-31 at 11:53 -0400, Greg Hudson wrote:
> >> You're right. The flip side is that we have vague plans to
> >> renormalize decode_krb5_setpw_req() to match other encoders and use
> >> the structure type; see asn1_k_encode.c:1287. That's not really
> >> important if we don't have a stability guarantee for this function,
> >> though.
> >> The real reason I followed up was to ask a question about the libkrb5
> >> soname.
> >> For libkadm5clnt, libkadm5srv, and libkdb5, we install a header file
> >> with a comment noting that the API isn't stable, but we do change the
> >> library soname (via LIBMAJOR in Makefile.in) each time we make
> >> incompatible changes to the ABI.
> These require nontrivial work from downstream. The clearest example is
> freeipa, which needs to lock to a specific libkdb5 version, and has to
> rebuild every time the krb5 version changes.
We will have more incompatilbe changes with KDB in future. I will try to get
as many changes done in the next version but I'm the Samba one man show at RH
so I can not fully focus on that.
> I think the intent is for the burden to fall on Samba here, not on krb5,
> to ensure that things are working as expected. Samba uses these
> functions for test suite purposes, not at runtime, so we're not actually
> looking at breaking anything on upgrade.
> Andreas, what do you think?
Well mostly they are used for testing, the only thing is the kpasswd function
but I'm fine to add a configure check if that changes. I do not have a problem
here, just a header file with a prototyte is easier to check then defing it on
our own. I do not need API guarantees for these funcitons.
More information about the krbdev