Hi, On Mon, Feb 10, 2025 at 08:59:47AM +1100, Brian May wrote:
> Can I please have some thoughts on #1070031? > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070031 Hmm, how is that possible? At a quick glance, heimdal-kdc Depends: on heimdal-clients, and krb5-user Conflicts: with heimdal-clients. Oh I see, this latter Conflicts: became versioned. Which is generally good, except... > Is it appropriate to use update-alternatives for kadmin that is supplied > with {Heimdal,MIT} Kerberos? ... in the real world, KDCs tend to be heavily locked down machines with not much else installed, due to their sensitivity. So while allowing random tools to be co-installed is generally a good thing, I don't think that would be a valid goal for a KDC. Making heimdal-kdc Conflicts: with krb5-user might not be the most elegant solution, but it would be fine for real-world KDC setups. > I am thinking they do very different things but maybe not. i.e. one > updates files for Heimdal KDC, the other updates files for MIT KDC. > > But we don't what these packages to conflict either. What is the best > solution? I think this is a "I shot myself in the foot and it hurts" situation. If you don't want to add an explicit conflict, then you could add a note to README.Debian which says that mixing different Kerberos implementaions on a host which is meant to be a KDC is not necessarily a good idea. I have doubts if a MIT KDC would work with Heimdal's "kadmin -l"... > Also what can I do about #1095296? > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095296 > > Seems that Heimdal tools are implemented as symlinks that point to > "/usr/bin/heimtools" and then use the program name to decide what to > do. Argh. This one is nothing special - some commands behaving differently based on argv[0] is a traditional Unix thing. "(exec -a klist klist.heimdal)" should work. Regards, Gabor
