[OpenAFS] MIT Kerberos v4 aklog on Windows - I propose removing it for 1.6

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 20 Nov 2010 15:50:05 -0500

Since 1.3.50 OpenAFS for 32-bit Windows has included a version of
aklog.exe that supports a -4 option that performs a pure Kerberos v4
service ticket acquisition.  This functionality is not present on
64-bit Windows because there is not a 64-bit implementation of MIT
Kerberos v4 (krbv4w32.dll).  The MIT Kerberos v4 implementation has not
been under active development since 2004 and over the course of the
last several years every Kerberos distribution has stopped shipping
Kerberos v4.

There has not been significant reason to remove this functionality
from OpenAFS for Windows up to this point.  The code was already
written and (at least on 32-bit Windows) it continued to build.

However, there are two significant changes to the OpenAFS code base
that are going to make on-going inclusion of this functionality
challenging:

 1. In order to support the Heimdal Kerberos implementation on Windows
    as well as MIT Kerberos within the same binaries, OpenAFS must
    switch to building against an implementation independent Kerberos
    SDK.  This SDK does not contain any support for Kerbe

 2. There has been an on-going effort over the last several years to
    clean up the OpenAFS source tree and make more efficient use of the
    limited developer resources.  As part of that effort, Simon
    Wilkinson and others have replaced the OpenAFS crypto and platform
    compatibility utility functions with the much better
    implementations found in the Heimdal hcrypto and roken libraries.
    The roken functionality interacts quite poorly with the MIT
    Kerberos for Windows headers.

I know that there are still a number of sites (unfortunately) that are
still relying on kaserver.  I would assume that these sites do not
install MIT Kerberos for Windows and therefore do not use the
"aklog -4" functionality.  Are there any sites left that are still
using non-kaserver Kerberos v4 and which do install MIT Kerberos for
Windows to obtain ticket granting tickets?  I suspect there aren't
because those sites would be jumping through hoops attempting to
support 64-bit Windows.

In any case, I propose that this functionality be removed in the
coming months as part of the 1.6 series release.

Any objections?

Jeffrey Altman
