Dependencies on kerberos5

Quentin Smith quentin at MIT.EDU
Thu Dec 6 09:15:33 PST 2012

On Thu, 6 Dec 2012, Rainer Müller wrote:

> Hello,
> Cc: maintainers of depends:kerberos5
> At the moment, several ports depend directly on kerberos5 in their
> default variant set. Most important for me are cyrus-sasl2 and openssh.
> As I want to use kerberos authentication against servers, I currently
> have to maintain two independent sets of kerberos tickets using both
> /usr/bin/kinit and ${prefix}/bin/kinit. This is the case as Mac OS X >=
> 10.7 no longer uses MIT Kerberos, but switched to Heimdal and the ticket
> stores are not compatible.

Actually, the FILE-type credential caches are compatible between Heimdal 
and MIT. I regularly use MIT kinit to get tickets requiring preauth that 
Heimdal doesn't support, and then use them with system utilities.

> In [1] Leo Singer (aronnax@) proposed to default to heimdal instead of
> kerberos5 on Mac OS X >= 10.7. This would resolve my problem as the
> ticket stores appear to be compatible.

Does this mean that the heimdal port is capable of using API-style 
credential caches created by the system?

> Therefore, I would like to ask to add +kerberos5 and +heimdal variants
> to these ports and make the default variant selection based on the
> version of Mac OS X this is installed to.
> Should we add a kerberos_select port for the kinit, klist, etc. tools?
> heimdal already installs them to ${prefix}/libexec/heimdal/bin/, while
> kerberos5 puts them into ${prefix}/bin directly.

The route I've gone down myself is to allow MIT and Heimdal to be 
installed side-by-side, with the MIT utilities prefixed by "mit-"; so 
"mit-kinit", etc.

I have an open bug with a patch to do this:


> As this affects multiple ports I did not want to open yet another ticket
> against these ports, but bring attention from a wider audience to this
> issue.
> Rainer
> [1]

More information about the macports-dev mailing list