OSX uses Heimdal libraries for Kerberos rather than MIT. There are 2 chief problems with Heimdal:
- The semantics of the Heimdal library are different from MIT Kerberos - this leads to a number of unresolved segfaults in the gssapi gem, resulting from things like double frees - for instance - https://github.com/zenchild/gssapi/issues/12 (marked as closed, but I've verified at least 2 segfaults are still present)
- The version of Heimdal included with OSX does not expose all the available functions either - to communicate with AD, Microsoft DCE RPC support is necessary, which is only included in the IOV functions, which are not present on OSX. Allegedly Heimdal added IOV functions before MIT Kerberos, but for whatever reason, they're unavailable for use on at least OSX 10.12.6
There are a few options for solutions to this problem:
- For development, require OSX users install / configure MIT Kerberos to run any Kerberos tests (the Docker setup obviates the need for this, but only supports Linux containers)
- In CI, we'll have to investigate if OSX clients can be used for testing at all (probably requires a brew install / configuration) - may have to punt on automated OSX testing
- In packages, ship a custom build of MIT kerberos - This will also require patching gssapi gem to load the library from another location, as it's currently hardcoded to /usr/lib/libgssapi_krb5.dylib at https://github.com/zenchild/gssapi/blob/master/lib/gssapi/lib_gssapi_loader.rb#L26
- It's unclear if newer versions of OSX export additional IOV functions from Heimdal. OSX 10.12.6 does not.