1 config files in '/etc' need updating
Also constant re-reading of krb5.conf is already costly enough, I am skeptical that this is in fact a good idea. It should pretty much always be coming out of the cache anyway. When many threads are accepting client connections at a rate of thousands of connections per second, latency counts. This can result in significant overhead where it doesn't exist. I agree that Heimdal must be able to parse MIT compatible configuration files. Finally, it creates files on disk that need giant 'do not edit this file, it will be regenerated' warnings that get missed, causing administrators only further pain, particularly when it conflicts with other tools that do edit the file. Finally, if this worries you, then I suggest you hand-craft your krb5.conf without these optional statements. includes and includedirs are by no means an unusual feature for configuration files. If others want this feature, and nobody else is opposed, go ahead...
Hi Jeffrey, I'll split it up in two parts; adding support for a function that checks whether any of the configuration files used for the current context have changed first, and then adding include/includedir support.
On Fri, 2017-02-10 at -0800, Quanah Gibson-Mount wrote:
I note some improvement in current Heimdal vs Heimdal 1.6. In Heimdal 1.6, an includedir line breaks a ton of things, like:

    ./verify_krb5_conf
    verify_krb5_conf: krb5_init_context failed with 22

In current Heimdal:

    .//verify_krb5_conf
    verify_krb5_conf: krb5_config_parse_file: open /home/build/.krb5/config: No such file or directory
    verify_krb5_conf: krb5_config_parse_file: /etc/krb5.conf:2: binding before section

The larger question is if things like kdc --builtin-hdb remain broken.
What's wrong with "make" or similar to build krb5.conf by inlining all the required fragments? This functionality has no impact on performance if you don't use it; most sites don't have thousands of connections per second.
If latency is a big problem, then there are quite a few things that could be done in the current implementation to avoid re-reading files.
It makes it possible for different packages related to Kerberos (Heimdal, MIT, pam-krb5) to install their own krb5.conf fragments rather than having all those settings shipped with the default krb5.conf.