Release Meeting Minutes/2010-06-22

From K5Wiki


Thomas Hardjono, Zhanna Tsitkova, Greg Hudson, Tom Yu, Sam Hartman, Will Fiveash, Simo Sorce

Tom
implemented SRV record test to check for availability of known-good DNS name, so tests don't fail when offline or firewalled.

The case that Will Fiveash ran into was using the "files" nsswitch option to provide a very constrained name resolution environment.

Sam
  1. just no DNS -- common with sites having web proxy
  2. DNS allows external names even if there's no IP connectivity to the target
Greg
RPC library IPv4-specific. It's not difficult to get kadmin to work over IPv6 with existing code. Do we care about NFS?
Sam
UMich NFS uses a separate library. We took patches from them hoping they could throw away theirs. Current state -- they're still shipping their own RPC and mechglue... it dlopens our GSS library. ... export_lucid for non-krb mechs. They reach into the context and do stuff, maybe naming-related things?
Greg
portmapper needed for NFS. kadmin doesn't use it.
Sam
Find out what UMich wants, try to coordinate. Kevin Coffman?

...

Greg wants to test IPv6 code on a v4-only network. Sam suggests miredo (?). getaddrinfo may prefer v4 depending on config.

Rich vs embedded databases.

Greg
Do they really mean multimaster?
Simo
being able to change passwords during a net split. Also being able to take down a server and keep all functionality.
Greg
We don't always implement kadmin capability to manage non-LDAP, e.g. aliases.
Sam
If supported in a minimal back end, should be able to manage with kadmin.
Tom
[aliases, case folding]
Greg
not necessarily easier in LDAP (requires schema change)
Simo
not wise to change an existing schema
Tom
normalization libraries ... sync with AD matching rules, etc.
Greg
existing deployments...
Sam
internationalization for embedded not necessarily hard. String2key remains a problem. Ease of extending kadmin -- rpcgen no longer possible in 1.7 due to Luke's changes.
Greg
Policy struct layout has dependency on API version. (added for lockout) extending deeply nested structures bubbles up to higher layers.
Will
Some API-version-specific thing. -- heuristic used by Sun to determine AES support.
Will
pluggable config (profile). Sun has some interest.
Greg
use case? requirements? Shawn had an idea of writing cached DNS information to the profile. I don't agree that it's desirable.