[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The state of the heimdal project

>I certainly think it's a bit daft to use AFS with MIT kerberos (then  
>again I sometimes wonder if we're the *only* folks using heimdal with  
>AFS considering that I keep having to contribute back buigfixes...) :>

I don't want to get into the "MIT versus Heimdal" argument; they each have
their own strengths and weaknesses.  But I'm going to address a few things.
(btw: "daft"?  Where the hell is _THAT_ coming from?)

- The OpenAFS/Kerberos 5 tools are mostly coming out of the migration kit,
  and that was written to work with MIT Kerberos.  Of course, those tools
  were developed to make up for things that Heimdal did natively.  It's
  not a surprise that they have bugs when it comes to Heimdal.

- I don't run Heimdal here, and I did the initial work integrating the
  Kerberos 5 tools into OpenAFS.  I did compile a Heimdal distribution
  and made it work ... in the beginning.  Aklog has been heavily
  pounded on by various people to make it work in a variety of
  situations (notably to make it work with ancient RedHat
  distributions), and I've given up on maintaining it myself.  Aklog
  was developed to make up for native KeyFile support in Heimdal; it's
  not a surprise that these tools have issues with Heimdal.

- Right or wrong, a few of the large consumers of AFS ship with MIT Kerberos
  (e.g., most Linux distributions, MacOS X, Solaris ... okay, it was
  only very recently Solaris actually exposed the MIT API).  And on
  Windows, the only real choice is MIT KfW.  More effort goes into
  making the out-of-the-box compile work ... which means more effort on
  the MIT compatibility.  Even the big Heimdal fans I know (well, okay,
  I've never actually asked Love or Harald about this) compile with the
  default Kerberos that's shipping with the OS, which is generally
  MIT.  Mind you, plenty of people use MIT on the client, and Heimdal
  on the KDC.  Why you're going to the extra effort of compiling with
  Heimdal on the client, I'm not sure (I suppose there is a reason).

So really, the OpenAFS situation is a combination of historical
functionality plus what ships with more OSes today.  It doesn't have
anything to do with the relative merits of Heimdal versus MIT.