[OpenAFS] AFS kaserver PAM modules and Debian packages

Russ Allbery rra@stanford.edu
Thu, 26 Mar 2009 11:13:09 -0700


For the next major release of Debian, we will be dropping Kerberos v4
support from the Kerberos side of things, such as libraries, kinit, klist,
and so forth.  I'm considering also dropping kaserver support from the
Debian OpenAFS packages at the same time.  There are a few ways in which I
could do this:

* Drop all kaserver support from the package, including the
  openafs-kpasswd package (kas and kpasswd) and libpam-openafs-kaserver.
  Drop regular klog and replace it with the Kerberos v5 klog currently
  shipped with openafs-krb5.  Merge openafs-krb5 and openafs-client and
  replace openafs-krb5 with a transitional package that just depends on an
  appropriate version of openafs-client.

* Drop the dedicated openafs-kpasswd and libpam-openafs-kaserver packages
  but leave klog alone and leave openafs-krb5 split out as a separate
  package.

* Drop only the libpam-openafs-kaserver package but leave the other
  kaserver support, on the grounds that the PAM modules are the most
  fragile part of the kaserver support, are very buggy from a PAM
  perspective, and require an ugly hack to build properly on Debian.

* Do nothing and leave the current state as-is.

Opinions?

Note that the next release of Debian will not include fakeka (or krb524d
or any other libraries related to 4->5 or 5->4 translation), making
ka-forwarder rather pointless except to point to old servers running
earlier releases, so I'm considering dropping it as well.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>