GNOME Bugzilla – Bug 692250
goa kerberos provider is incompatible with heimdal kerberos 5 implementation
Last modified: 2013-09-04 12:09:03 UTC
On a machine that uses the heimdal-1.5.3 kerberos 5 implementation, when trying to build gnome-online-accounts-3.6.2 with --enable-kerberos: goakerberosidentity.c: In function 'get_identifier': goakerberosidentity.c:303:3: warning: 'krb5_free_unparsed_name' is deprecated (declared at /usr/include/krb5-protos.h:1962) [-Wdeprecated-declarations] goakerberosidentity.c: In function 'goa_kerberos_identity_get_principal_name': goakerberosidentity.c:392:3: warning: 'krb5_free_unparsed_name' is deprecated (declared at /usr/include/krb5-protos.h:1962) [-Wdeprecated-declarations] goakerberosidentity.c: In function 'goa_kerberos_identity_get_realm_name': goakerberosidentity.c:423:3: warning: 'krb5_princ_realm' is deprecated (declared at /usr/include/krb5-protos.h:3251) [-Wdeprecated-declarations] goakerberosidentity.c:423:9: warning: assignment from incompatible pointer type [enabled by default] goakerberosidentity.c: In function 'credentials_validate_existence': goakerberosidentity.c:450:3: warning: implicit declaration of function 'krb5_princ_size' [-Wimplicit-function-declaration] goakerberosidentity.c:450:3: warning: nested extern declaration of 'krb5_princ_size' [-Wnested-externs] goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: warning: left-hand operand of comma expression has no effect [-Wunused-value] goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: warning: value computed is not used [-Wunused-value] goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: warning: left-hand operand of comma expression has no effect [-Wunused-value] goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:460:7: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:467:26: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:467:62: error: request for member 'length' in something not a structure or union goakerberosidentity.c:468:34: error: 'struct Principal' has no member named 'data' goakerberosidentity.c:469:31: error: request for member 'data' in something not a structure or union goakerberosidentity.c:469:54: error: request for member 'length' in something not a structure or union goakerberosidentity.c: In function 'goa_kerberos_identity_update': goakerberosidentity.c:1363:3: warning: implicit declaration of function 'krb5_cc_dup' [-Wimplicit-function-declaration] goakerberosidentity.c:1363:3: warning: nested extern declaration of 'krb5_cc_dup' [-Wnested-externs] make[4]: *** [libgoaidentity_la-goakerberosidentity.lo] Error 1
Out of curiosity, why do you want it to work with heimdal? I'd rather pick one library and require it than have a bunch of ifdefs to support changing out the kerberos backend.
(In reply to comment #1) > Out of curiosity, why do you want it to work with heimdal? Because: 1. heimdal and mit-krb5 cannot live in the same prefix since they install the same filenames. 2. Gentoo, since it's a source distro, provides users the choice of using either heimdal or mit-krb5 as the system kerberos library. Both get installed in the same default prefix (/usr). This means that heimdal and mit-krb5 cannot be installed on Gentoo at the same time. 3. samba-4 requires heimdal. The net result is that any Gentoo user who uses samba-4 cannot use goa with kerberos support. If such a user enabled kerberos via a systemwide USE flag (which most Gentoo kerberos users would want to do), he would get an error message saying that he cannot install gnome. This is therefore a rather suboptimal situation for our users.
weird, in fedora we have samba4 and don't have heimdal
(In reply to comment #3) > weird, in fedora we have samba4 and don't have heimdal As far as I can tell, Fedora's samba-4 package simply bundles a private copy of heimdal libraries (the current samba.spec calls configure with --bundled-libraries=heimdal), but Gentoo can't go that route because of a policy against bundling dependencies.
ah, interesting. It's a shame the two competing implementations aren't parallel installable.
FWIW, it's not just fixing the build incompatibilities. If we're actually going to commit to supporting heimdal, we need contributions in GNOME and its dependencies to make sure use of implementations in GOA (and elsewhere like realmd) actually work in the same way. For example, MIT krb5 now has no requirement for a kerberos client to sync their system clock. Work is being done upstream to support better prompting (smart cards, otp and all that) through MIT kerberos, and doing that all twice is going to be hard.
i guess one "right now" solution would be to check for heimdal in configure and --disable-kerberos implicitly
As nobody has stepped up to write a patch to address this in one way or the other, I am closing this as WONTFIX. As Stef pointed out, we are depending on some MIT krb5 features that are absent in Heimdal. In future the list of features will only continue to grow (see bug 707402). Suffice to say that as far as we (Stef, Ray & myself) are concerned we don't care about Heimdal. Please feel free to reopen if you have patches.
(In reply to comment #8) > As Stef pointed out, we are depending on some MIT krb5 features that are absent > in Heimdal. In future the list of features will only continue to grow (see bug > 707402). Suffice to say that as far as we (Stef, Ray & myself) are concerned we > don't care about Heimdal. A better way of putting it is that I personally don't want to do extra work to support Heimdal. As Ray points out, supporting two libraries (esp. those that are not parallel installable or testable) is lots of work. If someone wants to make Heimdal work well here and are willing to commit to their active, continued involvement, then I'm not against that. Alternatively heimdal could be fixed so that it is parallel installable.