From: Rick Macklem
Date: Mon, 28 Jul 2025 06:54:05 -0700
Subject: Re: git: c7da9fb90b0b - main - KRB5: Enable MIT KRB5 by default
To: Konstantin Belousov
Cc: Cy Schubert, Jessica Clarke, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
References: <202507211410.56LEAD6J066633@gitrepo.freebsd.org> <47C3CC37-6F32-4376-900A-B5387B9817D5@freebsd.org> <20250721144645.3BA391BE@slippy.cwsent.com> <20250722155941.AC7EB121@slippy.cwsent.com>

On Mon, Jul 28, 2025 at 1:20 AM Konstantin Belousov wrote:
>
> On Sun, Jul 27, 2025 at 08:26:03PM -0700, Rick Macklem wrote:
> > On Tue, Jul 22, 2025 at 9:00 AM Cy Schubert wrote:
> > >
> > > In message , Konstantin Belousov writes:
> > > > On Mon, Jul 21, 2025 at 07:46:45AM -0700, Cy Schubert wrote:
> > > > > In message <47C3CC37-6F32-4376-900A-B5387B9817D5@freebsd.org>, Jessica
> > > > > Clarke writes:
> > > > > > On 21 Jul 2025, at 15:10, Cy Schubert wrote:
> > > > > > >
> > > > > > > The branch main has been updated by cy:
> > > > > > >
> > > > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=c7da9fb90b0b6385e99bb7747476359b712993fa
> > > > > > >
> > > > > > > commit c7da9fb90b0b6385e99bb7747476359b712993fa
> > > > > > > Author:     Cy Schubert
> > > > > > > AuthorDate: 2025-07-19 14:11:18 +0000
> > > > > > > Commit:     Cy Schubert
> > > > > > > CommitDate: 2025-07-21 14:07:22 +0000
> > > > > > >
> > > > > > >     KRB5: Enable MIT KRB5 by default
> > > > > > >
> > > > > > >     Set WITH_MITKRB5=yes as the default.
> > > > > > >
> > > > > > >     Rebuild all USES=gssapi ports is recommended.
> > > > > > >
> > > > > > >     A clean buildworld is required.
> > > > > >
> > > > > > That's going to be quite annoying and cause a lot of issues given
> > > > > > WITH_CLEAN is now the default. Can we do something in depend-cleanup.sh
> > > > > > to delete everything from the obj tree that needs to be rebuilt if we
> > > > > > detect the wrong kerberos implementation was previously built?
> > > > >
> > > > > All binaries that depend on any kerberos libraries must be rebuilt.
> > > > > WITHOUT_CLEAN will fail at various spots. Meta mode should take care of
> > > > > this for us.
> > > > Does the statement mean that ABI for the base libraries was broken?
> > > > If yes, and the new libs have the same name as the old, we must bump
> > > > dso versions.
> > >
> > > Three new libs have the same names. Most don't. The three with the same
> > > names are libkrb5, libgssapi_krb5 and libcom_err.
> > >
> > > libgssapi_krb5 is a merge of the Heimdal libgssapi_* files. For example,
> > > there is no libgssapi_spnego in MIT.
> > >
> > > The libcom_err contains the same but updated MIT functions.
> > >
> > > libkrb5 removes Heimdal-only functions.
> > >
> > > There is no libasn1 nor libroken in MIT.
> > >
> > > The differences are outlined at
> > > https://k5wiki.kerberos.org/wiki/Samba%27s_use_of_Heimdal_symbols,_with_MIT_differences.
> > I know diddly about how libraries are handled, but is it possible to put the
> > old Heimdal 1.5.2 libraries somewhere (semi-private) under different names?
> >
> > I ask because it is going to be very difficult to port the gssd to the
> > new libraries.
> >
> > The problem is that the KGSSAPI code assumes some stuff very specific
> > to Heimdal. Take a look at sys/kgssapi/krb5/krb5_mech.c and you'll see
> > what I mean. (There's code that parses the keys etc out of the internally
> > generated tokens. I have no idea where to even find the information on
> > how/where the MIT code hides this stuff, and a large part of krb5_mech.c
> > looks like it will have to be re-written to work with the MIT libraries.)
>
> It might be better to extract the required bits and keep just them.
> Perhaps even moving those bits from vendor to FreeBSD-owned code area.
>
> I do not think that keeping large pieces of code in vendor without updates
> is a good plan.
I will work on it. I just cannot guarantee timing.

The next step to getting the gssd to work with MIT is finding the MIT
structure that gss_ctx_id_t refers to. If that structure isn't a lot
different than the Heimdal one, the conversion shouldn't be too bad.
(I'll start on that today.)

I understand that this does need to be upgraded. It is unfortunate that
the KGSSAPI code is wired specifically for Heimdal.

(Another approach would be to add a new upcall to the gssd daemon to
extract the keys and then, hopefully, a kerberos library call could be
used instead of having a "home rolled" chunk of code in the kernel that
has to be updated whenever the structure returned by the library call
changes.)

I didn't realize this existed until yesterday when I bumped into it while
debugging the kerberized NFS mount. If you glance at krb5_import() in
sys/kgssapi/krb5/krb5_mech.c, you'll see how messy this could get.

rick
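The thread's question of whether the same-named libkrb5, libgssapi_krb5 and libcom_err need a DSO version bump comes down to whether the replacement library still exports every symbol the old one did. The following script is an added example, not code from this thread or from the FreeBSD tree: it diffs two `nm -D --defined-only` listings (assumed to be in the `<address> <type> <name>` format that GNU and llvm nm print) and reports removed exports, which are the ones that break already-linked consumers. The sample listings and their symbol names are constructed placeholders, not real Heimdal or MIT exports, and the `nm_listing` helper assumes an nm that accepts those flags is on PATH.

```python
"""Exported-symbol diff for two builds of a same-named shared library.

Added example (not from the thread or from FreeBSD). Given nm listings for
the old library and its same-named replacement, report which exported
symbols vanished. A replacement that drops exports breaks every binary
linked against the old one, which is the case where a DSO version bump or
a full rebuild of all consumers is required.
"""
from dataclasses import dataclass, field
import subprocess

# nm type letters for defined global (exported) symbols: text, data, bss,
# read-only data, weak object and weak. Lowercase letters are file-local.
EXPORTED_TYPES = frozenset("TDBRVW")


def parse_nm(listing: str) -> set[str]:
    """Return the exported symbol names from an ``nm -D --defined-only`` listing."""
    symbols: set[str] = set()
    for line in listing.splitlines():
        parts = line.split()
        # Undefined symbols ("U name") carry no address and have two fields.
        if len(parts) != 3:
            continue
        _address, kind, name = parts
        if kind in EXPORTED_TYPES:
            symbols.add(name)
    return symbols


@dataclass
class AbiReport:
    removed: set[str] = field(default_factory=set)
    added: set[str] = field(default_factory=set)

    @property
    def breaks_abi(self) -> bool:
        """New exports are backward compatible; any removed export is not."""
        return bool(self.removed)

    def summary(self) -> str:
        verdict = ("ABI BREAK: bump the DSO version or rebuild all consumers"
                   if self.breaks_abi else "compatible: no exported symbol removed")
        return f"{verdict}; removed={sorted(self.removed)}; added={sorted(self.added)}"


def compare_exports(old_listing: str, new_listing: str) -> AbiReport:
    """Diff the export sets of the old and the replacement library."""
    old, new = parse_nm(old_listing), parse_nm(new_listing)
    return AbiReport(removed=old - new, added=new - old)


def nm_listing(library_path: str) -> str:
    """Produce a listing for a real library by running nm.

    Assumption: a GNU or llvm nm that accepts -D and --defined-only is on PATH.
    """
    result = subprocess.run(
        ["nm", "-D", "--defined-only", library_path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample listings. The symbol names are placeholders chosen for
# this example; they are not real Heimdal or MIT exports.
OLD_HEIMDAL_LIBKRB5 = """\
0000000000012340 T krb5_sample_init_context
0000000000012380 T krb5_sample_free_context
00000000000123c0 T krb5_sample_heimdal_only_helper
0000000000045000 D krb5_sample_default_config
0000000000012400 t local_static_helper
                 U malloc
"""

NEW_MIT_LIBKRB5 = """\
0000000000021000 T krb5_sample_init_context
0000000000021040 T krb5_sample_free_context
0000000000021080 T krb5_sample_mit_only_helper
0000000000052000 D krb5_sample_default_config
0000000000021100 t local_static_helper
                 U malloc
"""


if __name__ == "__main__":
    report = compare_exports(OLD_HEIMDAL_LIBKRB5, NEW_MIT_LIBKRB5)
    print(report.summary())
```

On a real system the two listings would come from `nm_listing("/path/to/old/libkrb5.so")` and the replacement build; the comparison only looks at exported names, so a function that keeps its name but changes its signature or the layout of a structure it returns (the situation described for `gss_ctx_id_t` above) is not caught by it and still needs source-level review.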