Description of problem:

I spent a lot of time learning about LDAP and Kerberos so I could use the former to manage user information in a cluster of machines, and the latter for authentication. I got everything set up, threw the switch ... and only then discovered that this setup is not feasible because libuser_krb5.so is not available (see bug 144057) and won't be made available (see bug 83365).

If you are going to disable functionality like this, document it! There is no mention ANYWHERE in the release notes that people like me shouldn't sink a bunch of time into this setup because system-config-users isn't going to work when you're done. The two bugs I referenced above are both closed, so doing a search on open bugs to see if any problems lurk in that setup also turns up nothing. There are no warning signs anywhere, when there ought to be big blazing signs demanding attention.

For the benefit of others with the same problem, apply the patch attached to this bug report and rebuild libuser, and you'll be much happier.

For what it's worth, I understand the need to avoid exposing internal/unsupported APIs. However, I do not understand why that need is considered of higher priority than not crippling the systems of users with LDAP + Kerberos setups. That seems backwards to me.

Version-Release number of selected component (if applicable):
libuser-0.54.7-2

How reproducible:
Always

Steps to Reproduce:
1. Set up user authentication with Kerberos
2. Set up LDAP to manage user information
3. Try to use system-config-users

Actual results:
system-config-users fails with a message about a missing libuser_krb5.so

Expected results:
system-config-users ought to let me do what I want since the Fedora Core documentation definitely leads one to believe that this is a reasonable setup. Fedora ought to be making it very clear to its users that it is not the right distribution to use if one wants an LDAP + Kerberos setup.

Additional info:

Created attachment 149200
Patch to allow building a libuser with a libuser_krb5.so that (mostly) works

Thanks for your report.

> If you
> are going to disable functionality like this, document it!

As far as I know the krb5 module was not disabled, it was simply never available in RHL/Fedora.

> There is no mention
> ANYWHERE in the release notes that people like me shouldn't sink a bunch of time
> into this setup because system-config-users isn't going to work when you're
> done.

Because this isn't a change, it doesn't belong in the release notes.

> There are no warning signs anywhere, when there ought to be big blazing signs
> demanding attention.

Please file a bug against the relevant documentation. The only mention of krb5 in libuser I could find is the default config file, and I have removed the section in CVS.

> For the benefit of others with the same problem, apply the patch attached to
> this bug report and rebuild libuser, and you'll be much happier.

I'm afraid this is not an acceptable solution of the problem. It has all the disadvantages of using /usr/include/kadm5, which the Kerberos maintainer considers unsupportable, and has the additional disadvantage that libuser will continue to compile even if the libkrb5clnt ABI changes incompatibly, without even a warning.

> For what it's worth, I understand the need to avoid exposing
> internal/unsupported APIs. However, I do not understand why that need is
> considered of higher priority than not crippling the systems of users with LDAP
> + Kerberos setups. That seems backwards to me.

Using the internal API is a guaranteed disaster when the API changes. Any urgent krb5 security update might break the libuser module - maybe even completely remove some functionality the libuser module depends on.

The krb5 module is not missing to achieve some idealistic cleanliness. It is missing because advertising Kerberos support in libuser now, when it is almost certain it will break at some unexpected moment, is misleading the users.