From: Cy Schubert
Reply-to: Cy Schubert
To: Rick Macklem
cc: Cy Schubert, Konstantin Belousov, Jessica Clarke, Cy Schubert, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: c7da9fb90b0b - main - KRB5: Enable MIT KRB5 by default
References: <202507211410.56LEAD6J066633@gitrepo.freebsd.org> <47C3CC37-6F32-4376-900A-B5387B9817D5@freebsd.org> <20250721144645.3BA391BE@slippy.cwsent.com> <20250722155941.AC7EB121@slippy.cwsent.com>
Comments: In-reply-to Rick Macklem message dated "Sun, 27 Jul 2025 20:26:03 -0700."
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Date: Sun, 27 Jul 2025 22:00:40 -0700
Message-Id: <20250728050040.6C1BA2B@slippy.cwsent.com>

In message , Rick Macklem writes:
> On Tue, Jul 22, 2025 at 9:00 AM Cy Schubert wrote:
> >
> > In message , Konstantin Belousov writes:
> > > On Mon, Jul 21, 2025 at 07:46:45AM -0700, Cy Schubert wrote:
> > > > In message <47C3CC37-6F32-4376-900A-B5387B9817D5@freebsd.org>, Jessica
> > > > Clarke writes:
> > > > > On 21 Jul 2025, at 15:10, Cy Schubert wrote:
> > > > > >
> > > > > > The branch main has been updated by cy:
> > > > > >
> > > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=c7da9fb90b0b6385e99bb7747476359b712993fa
> > > > > >
> > > > > > commit c7da9fb90b0b6385e99bb7747476359b712993fa
> > > > > > Author:     Cy Schubert
> > > > > > AuthorDate: 2025-07-19 14:11:18 +0000
> > > > > > Commit:     Cy Schubert
> > > > > > CommitDate: 2025-07-21 14:07:22 +0000
> > > > > >
> > > > > >     KRB5: Enable MIT KRB5 by default
> > > > > >
> > > > > >     Set WITH_MITKRB5=yes as the default.
> > > > > >
> > > > > >     Rebuilding all USES=gssapi ports is recommended.
> > > > > >
> > > > > >     A clean buildworld is required.
> > > > >
> > > > > That's going to be quite annoying and cause a lot of issues given
> > > > > WITH_CLEAN is now the default. Can we do something in depend-cleanup.sh
> > > > > to delete everything from the obj tree that needs to be rebuilt if we
> > > > > detect the wrong kerberos implementation was previously built?
> > > >
> > > > All binaries that depend on any kerberos libraries must be rebuilt.
> > > > WITHOUT_CLEAN will fail at various spots. Meta mode should take care of
> > > > this for us.
> > > Does the statement mean that ABI for the base libraries was broken?
> > > If yes, and the new libs have the same name as the old, we must bump
> > > dso versions.
> >
> > Three new libs have the same names. Most don't. The three with the same
> > names are libkrb5, libgssapi_krb5 and libcom_err.
> >
> > libgssapi_krb5 is a merge of the Heimdal libgssapi_* files. For example,
> > there is no libgssapi_spnego in MIT.
> >
> > The libcom_err contains the same but updated MIT functions.
> >
> > libkrb5 removes Heimdal-only functions.
> >
> > There is no libasn1 nor libroken in MIT.
> >
> > The differences are outlined at
> > https://k5wiki.kerberos.org/wiki/Samba%27s_use_of_Heimdal_symbols,_with_MIT_differences.
> I know diddly about how libraries are handled, but is it possible to put the
> old Heimdal 1.5.2 libraries somewhere (semi-private) under different names?
>
> I ask because it is going to be very difficult to port the gssd to the
> new libraries.

I can take a look at it. However any app that issues GSSAPI calls will
eventually call the MIT library as defined in /etc/gss/mech. The
1.2.840.113554.1.2.2 OID will point to the MIT gssapi_krb5.so instead of
the Heimdal gssapi_krb5.

>
> The problem is that the KGSSAPI code assumes some stuff very specific
> to Heimdal. Take a look at sys/kgssapi/krb5/krb5_mech.c and you'll see
> what I mean.
> (There's code that parses the keys etc out of the internally
> generated tokens. I have no idea where to even find the information on
> how/where the MIT code hides this stuff and a large part of krb5_mech.c
> looks like it will have to be re-written to work with the MIT libraries.)

Unfortunately some apps make use of private data that Kerberos does not
share. As gssd issues GSSAPI calls through libgssapi, which in turn calls
the libgssapi_krb5 supplied by the installed Kerberos (MIT or Heimdal), an
alternate libgssapi will also be needed. I cannot guarantee this will work
because of potential prebuild conflicts. But it's certainly worth a try.

Another option may be to revert WITH_MITKRB5 until 16 to give us more time
to solve this without the Heimdal libraries.

Short answer, I'm certainly willing to try to have Heimdal and MIT
libraries coexist. I think the show stopper could be conflicting header
files in prebuild, though I think I can put those in /usr/include/heimdal
or some place like it. Libraries would need to be named libheim*. This
would work well with our build system. I'm not sure how this might affect
pkgbase.

It would probably be best for WITH_MITKRB5 to be disabled while working on
this.

As I've intimated to some here, a life thing happened here that has
complicated things.

>
> rick
>

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0
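The /etc/gss/mech dispatch mentioned in the reply (the mechglue mapping the Kerberos 5 OID 1.2.840.113554.1.2.2 to a shared object, and Heimdal-only libraries such as libgssapi_spnego no longer existing under MIT) as an added example. This is not code from the thread, from FreeBSD or from MIT krb5: a POSIX sh script that parses a mechanism table and reports which library backs the krb5 OID, plus which listed libraries are absent from a library directory, the check one would run after switching WITH_MITKRB5. The sample table is constructed here in the layout of FreeBSD's mech(5) (name, OID, library, kernel module; '#' comments); that column layout, the .so version numbers and the helper names are assumptions, and only the first three columns are consulted so a table with extra trailing fields parses the same way.

```shell
#!/bin/sh
# Added example, not FreeBSD or MIT code: inspect a GSS-API mechanism table
# such as /etc/gss/mech and report which shared object backs an OID.
#
# Assumed table layout (as in FreeBSD's mech(5)): whitespace-separated
# columns "name OID library [kernel-module]", '#' starts a comment.
# Only the first three columns are used.

KRB5_OID=1.2.840.113554.1.2.2

# Constructed sample table standing in for /etc/gss/mech (Heimdal-era layout).
# libgssapi_spnego and libgssapi_ntlm are Heimdal-only names; a stale table
# that still lists them points at libraries MIT does not provide.
SAMPLE_MECH='# Name        OID                      Library                 Kernel module
kerberos5     1.2.840.113554.1.2.2     libgssapi_krb5.so.10    -
spnego        1.3.6.1.5.5.2            libgssapi_spnego.so.10  -
ntlm          1.3.6.1.4.1.311.2.2.10   libgssapi_ntlm.so.10    -
'

# write_sample_mech: write the constructed table to a temp file, print its path.
write_sample_mech() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_MECH" > "$f"
    printf '%s\n' "$f"
}

# mech_library FILE OID: print the library column for OID; exit 1 if absent.
mech_library() {
    awk -v oid="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        $2 == oid { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# mech_missing_libs FILE LIBDIR: print, one per line, every library named in
# FILE that does not exist under LIBDIR (entries the mechglue could not load).
mech_missing_libs() {
    awk '/^[ \t]*#/ || NF < 3 { next } { print $3 }' "$1" |
    while read -r lib; do
        [ -e "$2/$lib" ] || printf '%s\n' "$lib"
    done
}

# mech_report FILE LIBDIR: human-readable summary of FILE checked against LIBDIR.
mech_report() {
    if lib=$(mech_library "$1" "$KRB5_OID"); then
        printf 'krb5 OID %s -> %s\n' "$KRB5_OID" "$lib"
    else
        printf 'krb5 OID %s has no entry in %s\n' "$KRB5_OID" "$1"
    fi
    missing=$(mech_missing_libs "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'libraries listed in %s but absent from %s:\n%s\n' "$1" "$2" "$missing"
    else
        printf 'all libraries listed in %s are present under %s\n' "$1" "$2"
    fi
}

# Demo against the constructed table. On a real host run:
#   mech_report /etc/gss/mech /usr/lib
sample=$(write_sample_mech)
mech_report "$sample" /usr/lib
rm -f "$sample"
```

The report answers two questions the thread raises: which implementation's gssapi_krb5 the krb5 OID resolves to, and whether the table still names Heimdal-only mechanism libraries that the MIT build no longer ships. Run it against the real table and library directory after a WITH_MITKRB5 installworld, and again after any revert.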