
Re: Kerberos support for Cyrus: I need help



On Mon, 23 Sep 2002, Balazs GAL wrote:
> On Mon, 2002-09-23, Henrique de Moraes Holschuh wrote:
> > On Sun, 22 Sep 2002, Balazs GAL wrote:
> > > PLEASE, don't compile it with kerberos support. We have symbols
> > > problem with mit krb5,krb4 vs. heimdal kth-krb4. If you compile it
> > > with any libs it can break the other with sasl2 plugin.
> > 
> > This just means we need versioned symbols in these libs.  Just like in
> > libsasl, libldap, and everything ever linked to a nss plugin.
> 
> This is not as simple as we think. Please read the threads:

You might need versioned symbols in a library and _all_ libraries it links
against, *including* static ones -- otherwise symbol clashes are possible.
If a symbol ends up in the ELF headers, it needs to be versioned.

OR,  you need versioned symbols in a dynamic library and _all_ dynamic
libraries it links against, and -Bsymbolic everywhere else (which might
break LD_PRELOAD tricks, for example).

That's why I once proposed that we simply version EVERY library we have. It
breaks nothing but cross-distribution compatibility -- and that assumes the
other important distros can't be convinced to do it as well, in which case
nothing breaks; or that we don't pull some clever hacks in ld.so and friends
to ease up the transition.

> > No. I can simply have two binaries (services) for everything that needs it,
> > one compiled against auth_unix and the other against auth_krb.  That means
> > two configure-and-compile passes to build, but what the heck...
> 
> Great. :) Then we have symbol problem only with the pop3 daemon.

Maybe.  I think all the other services pull in kerberos code from auth_krb.

> > > I can compile cyrus21/sasl/sasl2 with heimdal and kth-krb4 support, but
> > > as I wrote PLEASE don't do it.
> > 
> > How usable is Cyrus with the auth_unix module in a full kerberos
> > environment?
> 
> Very usable. :))
> Kerberos itself doesn't provide an authorization system, every daemon
> should implement it for itself. So often the krb based daemons use
> the standard unix authz system (e.g. unix groups), like auth_unix in
> cyrus.
> The auth_krb authorization in cyrus is not very useful, because it
> doesn't implement groups only aliases from one user to another, and it
> _breaks some imap clients_ which don't use krb based sasl plugin for authc
> (e.g. like a webmail client with login or plain authc).
> 
> The afs pts naturally implements groups and it can be really useful.

Now, THAT is some welcome feedback.  If auth_krb is almost useless, I
shouldn't bother.  If AFS pts _is_ useful for enough people, I should
probably bother with that instead.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


