Bug 452212 (heimdal)

Summary: Review Request: heimdal - Heimdal Kerberos libraries and KDC
Product: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Reporter: Andrew Bartlett <abartlet>
Assignee: Rex Dieter <rdieter>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abo, fedora-package-review, gdeschner, itamar, kagesenshi.87, k.georgiou, nalin, notting, tuju, zxvdr.au
Doc Type: Bug Fix
Last Closed: 2009-11-09 21:28:33 UTC
Attachments: rebased patch (flags: none)

Description Andrew Bartlett 2008-06-20 09:00:36 UTC
Spec URL: http://abartlet.net/heimdal-rpm/heimdal.spec
SRPM URL: http://abartlet.net/heimdal-rpm/heimdal-1.2-1.src.rpm
Description: Heimdal is a Kerberos distribution, distinct from MIT's krb5.  

Heimdal is a free implementation of Kerberos 5. The goals are to:
   - have an implementation that can be freely used by anyone
   - be protocol compatible with existing implementations and, if not in
     conflict, with RFC 1510 (and any future updated RFC)
   - be reasonably compatible with the M.I.T Kerberos V5 API
   - have support for Kerberos V5 over GSS-API (RFC1964)
   - include enough backwards compatibility with Kerberos V4
   - IPv6 support

I'm packaging it for Fedora because I would like Samba4 to depend on a system-provided krb5, rather than rely on its internal copy of Heimdal.  (I also happen to think it's a better Kerberos package :-)

Comment 1 Alexander Boström 2008-07-02 16:42:28 UTC
The manual says it's not recommended to start kadmind from xinetd. I guess
replacing the xinetd conf with an init script would be in order.
http://www.h5l.org/manual/HEAD/info/heimdal.html#Remote-administration

The binaries are going to be after the MIT Kerberos binaries in the PATH. I'm
not sure if that matters much one way or the other.

Is there going to be a conflict with krb5-debuginfo regarding libkrb5.so.debug?

Comment 2 Rex Dieter 2008-07-10 12:26:31 UTC
I can help review this (and the rest of the samba4/libmapi stack as time 
permits).  I'm Cc'ing the krb5 maintainer (nalin) for comments too (on 
parallel-installability, potential gotchas, etc).

Comment 3 Rex Dieter 2008-07-10 13:07:52 UTC
A few initial (minor) comments:
1.  BuildRoot doesn't match any of those recommended in packaging guidelines.

2. in -libs, Requires(preun,post): info, /sbin/install-info is extraneous,
Requires(...): /sbin/install-info
is sufficient 

3. -clients: Groups: Networking/Other isn't used in Fedora.  maybe use 
something like (matching krb5-workstation-clients):
Group: System Environment/Base
while you're at it, maybe also consider using a subpkg 
name -workstation-clients to match krb5 as well.

4.  Consider using %{?dist} tag in Release, something like:
Release: 1%{?dist}

Submitted a scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=707572
failed. 

5.  looks like missing deps, per:
xnlock.c:18:28: error: X11/StringDefs.h: No such file or directory
xnlock.c:19:27: error: X11/Intrinsic.h: No such file or directory
xnlock.c:21:23: error: X11/Shell.h: No such file or directory
so, add 
BuildRequires: libXt-devel 

6.  build failed again with
    Installed (but unpackaged) file(s) found:
   /usr/share/info/dir.gz
so, need to remove that in %install (or otherwise omit from packaging)

7.  shlibs.  I noticed -libs includes all shlibs, but libkdc.so.*, libhdb.so.* 
and libkadm5srv.so.* are (also) included in -server.  On purpose or oversight?

8.  -devel installs a pkgconfig file, so this subpkg should include
Requires: pkgconfig

fixed 5,6 submitted new build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=707650


Comment 4 Rex Dieter 2008-07-10 13:25:19 UTC
build finished, rpmlint output (on x86_64 binaries):
$ rpmlint *.rpm
heimdal-devel.x86_64: E: only-non-binary-in-usr-lib
heimdal-server.x86_64: E: non-readable /var/lib/heimdal/kadmind.acl 0600
heimdal-server.x86_64: E: description-line-too-long This package contains the 
KDC, and associated services such as kpasswdd and kadmind

4 packages and 0 specfiles checked; 3 errors, 0 warnings.


Comment 5 Andrew Bartlett 2008-07-11 02:17:13 UTC
For 7, these shared libs are for the KDC, so I figured they belonged there, or
in a -server-libs (but that seemed like overkill).  Samba4 will be linking
against libkdc.

I'll look at the other issues and some other feedback I have got, and provide an
updated spec (based on what you left in koji, I hope). 

Comment 6 Andrew Bartlett 2008-07-11 06:20:05 UTC
I think I've addressed most of these concerns with a new spec file and SRPM at
http://abartlet.net/heimdal-rpm

Comment 7 Alexander Boström 2008-07-11 22:26:03 UTC
(This is not a formal review, Rex is doing that and besides neither me nor
Andrew is sponsored.)

$ rpmlint dl/heimdal-1.2-1.fc9.2.src.rpm 
heimdal.src: W: mixed-use-of-spaces-and-tabs (spaces: line 49, tab: line 11)

$ rpmbuild ...
...
+ autoreconf
configure.in:3: error: Autoconf version 2.62 or higher is required

That was on F9. Hmm, let's see if I have a rawhide machine at hand...


Comment 8 Alexander Boström 2008-07-11 22:37:14 UTC
kpasswdd.init line 24 looks wrong:

kpasswdd=/usr/heimdal/sbin/kdc


Comment 9 Andrew Bartlett 2008-07-12 02:09:22 UTC
With regard to Comment #4, I'm very much at a loss to understand what is wrong
with the /usr/lib stuff.  What I'm putting there in the devel package looks sane...

I'll fix the kpasswdd issue and upload to my website again. 

Comment 10 Andrew Bartlett 2008-07-29 01:50:37 UTC
I'll need to be sponsored for this package. 

Comment 11 Alexander Boström 2008-08-15 12:10:04 UTC
Some stuff from rpmlint:


heimdal-devel.i386: W: dangling-relative-symlink /usr/lib/windc.so windc.so.0.0.0

Maybe it would be best to remove the windc.so symlink from -devel if the library is not supposed to be used outside of the -server package? (I guess that's why the library is in -server instead of in -libs.)


heimdal-libs.i386: E: info-files-without-install-info-post{in,un} /usr/share/info/{heimdal,hx509}.info.gz

Does this matter?


Lots of unstripped-binary-or-object for /usr/{lib,bin,sbin}.
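
The info-file handling raised in Comment 3 (items 2 and 6) and in the info-files-without-install-info rpmlint error above, as an added spec fragment that is not taken from the heimdal.spec under review. The subpackage name and the two info file names come from the rpmlint output; the Summary text, the `make install` line and the rest of the layout are assumptions following the usual Fedora info-page scriptlet pattern.

```spec
# Added illustration, not the heimdal.spec under review.
# Fragment only: Name, Version, %description etc. are omitted.

%package libs
# Placeholder summary (assumption)
Summary:          Heimdal shared libraries
Group:            System Environment/Libraries
# Item 2: depend on the binary the scriptlets call, once per phase.
Requires(post):   /sbin/install-info
Requires(preun):  /sbin/install-info

%install
rm -rf %{buildroot}
# Assumed install step; the real spec may pass different arguments.
make install DESTDIR=%{buildroot}
# Item 6: the build leaves a generated info index (dir.gz) in the buildroot.
# The system index is maintained by install-info, so drop the generated copy.
rm -f %{buildroot}%{_infodir}/dir*

%post libs
/sbin/ldconfig
# Register both info pages in the system index; never fail the transaction.
for f in heimdal hx509; do
    /sbin/install-info %{_infodir}/$f.info.gz %{_infodir}/dir || :
done

%preun libs
# $1 is 0 on final removal and 1 on upgrade; deregister only on removal.
if [ $1 -eq 0 ]; then
    for f in heimdal hx509; do
        /sbin/install-info --delete %{_infodir}/$f.info.gz %{_infodir}/dir || :
    done
fi

%postun libs -p /sbin/ldconfig

%files libs
%defattr(-,root,root,-)
# Info pages only; the library entries of the real spec are omitted here.
%{_infodir}/heimdal.info*
%{_infodir}/hx509.info*
```

Without the %post/%preun pair the info pages are installed but never added to, or removed from, the info directory index, which is what the rpmlint error reports.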

Comment 12 Andrew Bartlett 2008-08-16 00:43:04 UTC
I suppose we could move windc back to the library package, as Samba4 will use that.  (but otherwise, like libkdc, it is useless on a client, so hence why I put it in the server package).  

Adding a server-libs seemed overkill.

Comment 13 Alexander Boström 2008-08-22 07:46:42 UTC
I guess that'd be better.

The system-sqlite patch needs rebasing to make it build with --fuzz=0. I'll attach an updated version.

Comment 14 Alexander Boström 2008-08-22 07:48:10 UTC
Created attachment 314783 [details]
rebased patch

Comment 15 Rex Dieter 2009-11-09 20:11:57 UTC
Sorry for going AWOL here for a while. I can still do sponsoring if still needed. Andrew, can you chime in on the current state of affairs here, and offer something newish to continue the review (if available)?

Comment 16 Andrew Bartlett 2009-11-09 21:24:58 UTC
We have not yet made Samba4 use the external Heimdal libs, so this isn't required for now.  

I'm also no longer in the packaging game, so this will be for someone else to pick up.

Comment 17 Rex Dieter 2009-11-09 21:28:33 UTC
Fair enough then, thanks for the update.  I'll close this then.

Comment 18 Izhar Firdaus 2010-11-26 01:16:52 UTC
Anybody continuing this? Else I'll create a new review ticket. Needing it here in my deployment.

Comment 19 Jason Tibbitts 2010-11-29 21:57:33 UTC
Asking a question in a long-dead ticket is not the best way to get an answer, but see bug 613001.

*** This bug has been marked as a duplicate of bug 613001 ***