The current KDC is at version 1.6.x. The new KDC we want to go to is version 1.8.x. The reason for the upgrade and transition is new functionality that is only available in the 1.8.x branch which is now considered an enterprise requirement.
No biggie, I thought to myself. I'll just go and get a newer version from RedHat. Nope. RHEL5 is stuck at 1.6.x.
Ok. I guess I'll build a newer package like I have done for other things that I have done with RHEL recently. So I started to build a 1.8.x version and since I do not like reinventing the wheel, I used Fedora Core Rawhide's krb5 source rpm as a starting point.
After ripping out the Fedora-isms, I got the rpm to build. When I tried to install it on RHEL5.5 box it failed dependency checks. Looks like pam_krb5 depends on krb5-libs. Makes sense. Hmm, pam_krb5 depends on the krb4 parts of krb5-libs. That could be a problem.
Every since version 1.7 of MIT Kerberos, krb4 compatibility has been removed. Thats actually a really good thing since:
- I don't have a need for any parts of krb4
- MIT has an easier time of maintaining the kerberos distribution
At this point I got really frustrated ( read: angry ). I really don't want to go down the RPM dependency graph to much further than a single package.
I think my solution to this problem is going to just remove my need for pam_krb5 from the KDC and install my custom package.
The other alternative is to install an RHEL6 beta on the KDC since it is deployed with at least a 1.7 krb5-libs package. That makes me feel really icky. Deploying a beta distribution for such a critical part of the enterprise makes me feel kinda sick.