Re: Kerberos support for Cyrus: I need help

[Henrique de Moraes Holschuh <hmh@debian.org>]

On Sun, 22 Sep 2002, Balazs GAL wrote:
> PLEASE, dont compile it with kerberos support. We have symbols
> problem with mit krb5,krb4 vs. heimdal kth-krb4. If you compile it
> with any libs it can break the other with sasl2 plugin.

This just means we need versioned symbols in these libs.  Just like in
libsasl, libldap, and everything ever linked to a nss plugin.  And while the
versioning is not in place, it also means I have to pick one of MIT/heimdal,
and actively conflict with SASL plugins compiled against the other.

I am getting rather pissed off at the library breakage the lack of
versioning in our libraries causes.

> cyrus imapd use sasl/sasl2 for authc/authz.
> cyrus imapd dont use krb5 directly, only Kerberos 4 for authorization,
> but I think it is not very useful and you should choose between unix
> and krb4 for authz at compile time. So if you choose krb4 authz then
> you break the unix group based authz.

No. I can simply have two binaries (services) for everything that needs it,
one compiled against auth_unix and the other against auth_krb.  That means
two configure-and-compile passes to build, but what the heck...

> I can compile cyrus21/sasl/sasl2 with heimdal and kth-krb4 support, but
> as I wrote PLEASE dont do it.

How usable is Cyrus with the auth_unix module in a full kerberos
environment?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh