Re: Heimdal Bugs re update-alternatives
Hi,
On Mon, Feb 10, 2025 at 08:59:47AM +1100, Brian May wrote:
> Can I please have some thoughts on #1070031?
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070031
Hmm, how is that possible? At a quick glance, heimdal-kdc Depends: on
heimdal-clients, and krb5-user Conflicts: with heimdal-clients. Oh I
see, this latter Conflicts: became versioned. Which is generally good,
except...
> Is it appropriate to use update-alternatives for kadmin that is supplied
> with {Heimdal,MIT} Kerberos?
... in the real world, KDCs tend to be heavily locked down machines with
not much else installed, due to their sensitivity. So while allowing
random tools to be co-installed is generally a good thing, I don't think
that would be a valid goal for a KDC. Making heimdal-kdc Conflicts: with
krb5-user might not be the most elegant solution, but it would be fine
for real-world KDC setups.
> I am thinking they do very different things but maybe not. i.e. one
> updates files for Heimdal KDC, the other updates files for MIT KDC.
>
> But we don't what these packages to conflict either. What is the best
> solution?
I think this is a "I shot myself in the foot and it hurts" situation. If
you don't want to add an explicit conflict, then you could add a note to
README.Debian which says that mixing different Kerberos implementaions
on a host which is meant to be a KDC is not necessarily a good idea.
I have doubts if a MIT KDC would work with Heimdal's "kadmin -l"...
> Also what can I do about #1095296?
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095296
>
> Seems that Heimdal tools are implemented as symlinks that point to
> "/usr/bin/heimtools" and then use the program name to decide what to
> do. Argh.
This one is nothing special - some commands behaving differently based
on argv[0] is a traditional Unix thing. "(exec -a klist klist.heimdal)"
should work.
Regards,
Gabor
Reply to: