Dependencies on kerberos5

[Quentin Smith]

On Thu, 6 Dec 2012, Rainer Müller wrote:

> Hello,
>
> Cc: maintainers of depends:kerberos5
>
> At the moment, several ports depend directly on kerberos5 in their
> default variant set. Most important for me are cyrus-sasl2 and openssh.
>
> As I want to use kerberos authentication against servers, I currently
> have to maintain two independent sets of kerberos tickets using both
> /usr/bin/kinit and ${prefix}/bin/kinit. This is the case as Mac OS X >=
> 10.7 no longer uses MIT Kerberos, but switched to Heimdal and the ticket
> stores are not compatible.

Actually, the FILE-type credential caches are compatible between Heimdal 
and MIT. I regularly use MIT kinit to get tickets requiring preauth that 
Heimdal doesn't support, and then use them with system utilities.

> In [1] Leo Singer (aronnax@) proposed to default to heimdal instead of
> kerberos5 on Mac OS X >= 10.7. This would resolve my problem as the
> ticket stores appear to be compatible.

Does this mean that the heimdal port is capable of using API-style 
credential caches created by the system?

> Therefore, I would like to ask to add +kerberos5 and +heimdal variants
> to these ports and make the default variant selection based on the
> version of Mac OS X this is installed to.
>
> Should we add a kerberos_select port for the kinit, klist, etc. tools?
> heimdal already installs them to ${prefix}/libexec/heimdal/bin/, while
> kerberos5 puts them into ${prefix}/bin directly.

The route I've gone down myself is to allow MIT and Heimdal to be 
installed side-by-side, with the MIT utilities prefixed by "mit-"; so 
"mit-kinit", etc.

I have an open bug with a patch to do this:

http://trac.macports.org/ticket/34230

--Quentin

> As this affects multiple ports I did not want to open yet another ticket
> against these ports, but bring attention from a wider audience to this
> issue.
>
> Rainer
>
> [1] https://trac.macports.org/ticket/36781
>