[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The state of the heimdal project
>I certainly think it's a bit daft to use AFS with MIT kerberos (then
>again I sometimes wonder if we're the *only* folks using heimdal with
>AFS considering that I keep having to contribute back buigfixes...) :>
I don't want to get into the "MIT versus Heimdal" argument; they each have
their own strengths and weaknesses. But I'm going to address a few things.
(btw: "daft"? Where the hell is _THAT_ coming from?)
- The OpenAFS/Kerberos 5 tools are mostly coming out of the migration kit,
and that was written to work with MIT Kerberos. Of course, those tools
were developed to make up for things that Heimdal did natively. It's
not a surprise that they have bugs when it comes to Heimdal.
- I don't run Heimdal here, and I did the initial work integrating the
Kerberos 5 tools into OpenAFS. I did compile a Heimdal distribution
and made it work ... in the beginning. Aklog has been heavily
pounded on by various people to make it work in a variety of
situations (notably to make it work with ancient RedHat
distributions), and I've given up on maintaining it myself. Aklog
was developed to make up for native KeyFile support in Heimdal; it's
not a surprise that these tools have issues with Heimdal.
- Right or wrong, a few of the large consumers of AFS ship with MIT Kerberos
(e.g., most Linux distributions, MacOS X, Solaris ... okay, it was
only very recently Solaris actually exposed the MIT API). And on
Windows, the only real choice is MIT KfW. More effort goes into
making the out-of-the-box compile work ... which means more effort on
the MIT compatibility. Even the big Heimdal fans I know (well, okay,
I've never actually asked Love or Harald about this) compile with the
default Kerberos that's shipping with the OS, which is generally
MIT. Mind you, plenty of people use MIT on the client, and Heimdal
on the KDC. Why you're going to the extra effort of compiling with
Heimdal on the client, I'm not sure (I suppose there is a reason).
So really, the OpenAFS situation is a combination of historical
functionality plus what ships with more OSes today. It doesn't have
anything to do with the relative merits of Heimdal versus MIT.