Le 10/02/2025 à 18:59, Russ Allbery a écrit :
It's unfortunate that the commands have the same names in both Kerberos
distributions, although it's understandable from a user UI perspective.
I don't have a good solution. Either using alternatives or not using
alternatives runs some risk of breaking things. I think I'd lean towards
using alternatives for kadmin because I think anyone installing both
kadmin client packages probably knows what they're doing and can cope, but
technically it is a policy violation because the two commands do not
implement the same interface.
You might use alternatives with 3 implementations:
a) one for Heimdal
b) one for MIT kerberos
c) one with a script that automatically calls Heimdal or MIT kerberos if only
one of them is available
but that fails if both are installed (or none)
In the latter case (both installed), you might wish to add a way (envvar,
config, extra parameter, etc) to let the user choose an implementation instead
of failing.
a and b would recommends c (that would have a higher priority in the
alternative system)
With such setup, installing only one implementation would be transparent (same
behavior as before, kadmin referring to the only installed implementation).
This can be archived with c installed or not.
But with both installed (unusual but want-to-be-supported setup), with default
setup (i.e. recommended packages installed), the user has to explicitly choose
its implementation,
either by calling directly the good binary (other name or in an other path), or
by configuring the new script to run the explicitly chosen version.
An admin would also be able to use the alternative system to choose
(system-wide) the default kadmin implementation (with c installed or not)
Regards
Vincent
