Big Sur & MIT Kerberos no longer interoperate
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sat Mar 20 09:39:53 EDT 2021

>It looks like it would require a fair amount of code for us to
>interoperate with the XCC cache, and unlike the KCM code, it wouldn't
>give us ancillary benefits on other platforms. So I'm not certain what
>we'll do. One option is to create a public ccache pluggable interface
>to allow maintenance of an XCC plugin module outside of our tree, but
>that (1) assumes someone would put in that work, and (2) would be harder
>to deploy than just building MIT krb5 and having it use the native
>ccache automatically.

One relatively simple possibility is to create a shim layer that
dlopen()'s the Heimdal framework and calls the appropriate credential
cache functions.

I kind of have to solve this problem sooner rather than later, and I
don't mind doing the work and contributing it to MIT. Like everyone
else we have been telling everyone not to upgrade to Big Sur, but I
know eventually systems are going to start shipping with Big Sur (and
of course Apple Silicon systems already are). If we could work out an
acceptable approach I can get to work on that and see where it leads me.

Maintaining an out-of-tree plugin ... well, we do that for some things,
but I can tell you from experience that it sucks. It's not so bad on
server systems that you manage, but it is a huge pain on client systems
that are administrated by users.

--Ken