Date: Thu, 7 Aug 2025 14:54:41 -0700 From: Rick Macklem <rick.macklem@gmail.com> To: Cy Schubert <Cy.Schubert@cschubert.com> Cc: Rick Macklem <rmacklem@freebsd.org>, Cy Schubert <cy@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: e26259f48afe - main - gssapi,krb5: Replace libgssapi with the MIT version Message-ID: <CAM5tNy655zWvAuXEiQkpOboYG%2BFAMPh=7GxQZcBZL3Vuhzzo3A@mail.gmail.com> In-Reply-To: <20250807172129.49D0EB7@slippy.cwsent.com> References: <202508071717.577HHbfI052679@gitrepo.freebsd.org> <20250807172129.49D0EB7@slippy.cwsent.com>
On Thu, Aug 7, 2025 at 10:21 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote: > > CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca. > > Rick, > > Please go ahead with your kgssapi patches. I have applied them here. > Kerberized NFS works again. Thanks. It's back in main and at least survived a make buildworld. (tinderbox just takes too long, even on the universe14a to-day.) rick > > > -- > Cheers, > Cy Schubert <Cy.Schubert@cschubert.com> > FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org > NTP: <cy@nwtime.org> Web: https://nwtime.org > > e**(i*pi)+1=0 > > > In message <202508071717.577HHbfI052679@gitrepo.freebsd.org>, Cy Schubert > write > s: > > The branch main has been updated by cy: > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=e26259f48afe98022d885f02fbb8abcd > > 7878e41a > > > > commit e26259f48afe98022d885f02fbb8abcd7878e41a > > Author: Cy Schubert <cy@FreeBSD.org> > > AuthorDate: 2025-07-31 16:51:20 +0000 > > Commit: Cy Schubert <cy@FreeBSD.org> > > CommitDate: 2025-08-07 17:17:00 +0000 > > > > gssapi,krb5: Replace libgssapi with the MIT version > > > > lib/libgssapi is based on Heimdal. As on Linux systems, the MIT > > libgssapi_krb5 replaces it. With both gssapi libraries and header files > > installed results in broken buildworld (gssd) and ports that will not > > build without modifications to support the MIT gssapi in an alternate > > location. > > > > 73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using > > MIT KRB5 gssapi functions and structures will fail to build without this > > patch. > > > > This patch includes a temporary patch to usr.sbin/gssd to allow it > > to build with this patch. 
rmacklem@ has a patch for this and for > > kgssapi that uses this patch to resolve kgssapi issues for NFS with > > Kerberos. > > > > This patch is an updated version of D51661 to allow it to build fol= lowing > > additional patchs to the tree. > > > > This should have been implmented with 7e35117eb07f. > > > > Fixes: 7e35117eb07f, 73ed0c7992fd > > Differential Revision: https://reviews.freebsd.org/D51661 > > --- > > Makefile.inc1 | 6 ++++-- > > ObsoleteFiles.inc | 6 ++++++ > > etc/gss-krb5/Makefile | 2 +- > > etc/gss-krb5/qop | 1 - > > etc/mtree/BSD.include.dist | 4 ---- > > include/Makefile | 2 +- > > krb5/include/Makefile | 5 ++--- > > krb5/include/gssapi/Makefile | 9 ++------- > > krb5/lib/gssapi/generic/Makefile.inc | 2 +- > > lib/Makefile | 7 ++++++- > > lib/librpcsec_gss/Makefile | 6 ++++++ > > secure/libexec/sshd-session/Makefile | 9 ++++----- > > secure/usr.bin/ssh/Makefile | 4 ++++ > > secure/usr.sbin/sshd/Makefile | 4 ++++ > > share/mk/src.libnames.mk | 4 ++++ > > tools/build/mk/OptionalObsoleteFiles.inc | 3 +++ > > usr.sbin/gssd/Makefile | 5 ++--- > > usr.sbin/gssd/gssd.c | 3 +++ > > 18 files changed, 53 insertions(+), 29 deletions(-) > > > > diff --git a/Makefile.inc1 b/Makefile.inc1 > > index e6c9b49eefa3..9128d1d8ee77 100644 > > --- a/Makefile.inc1 > > +++ b/Makefile.inc1 > > @@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L > > > > .if ${MK_GSSAPI} !=3D "no" && ${MK_KERBEROS_SUPPORT} !=3D "no" > > .if ${MK_MITKRB5} !=3D "no" > > -secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \ > > - krb5/util/et__L lib/libmd__L krb5/util/support__L > > +secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \ > > + krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support= __L > > .else > > secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \ > > kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err_= _L \ 
> > @@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libr= oken__ > > L kerberos5/lib/libheimbas > > lib/libsqlite3__L: lib/libthr__L > > > > .if ${MK_GSSAPI} !=3D "no" > > +.if ${MK_MITKRB5} =3D=3D "no" > > _lib_libgssapi=3D lib/libgssapi > > .endif > > +.endif > > > > .if ${MK_KERBEROS} !=3D "no" > > .if ${MK_MITKRB5} !=3D "no" > > diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc > > index 86a449c80a76..2f63bbea5a49 100644 > > --- a/ObsoleteFiles.inc > > +++ b/ObsoleteFiles.inc > > @@ -51,6 +51,12 @@ > > # xargs -n1 | sort | uniq -d; > > # done > > > > +# 20250807: Replace lib/libgssapi with krb5/lib/gssapi > > +OLD_FILES+=3Dusr/include/gssapi_krb5/gssapi/gssapi.h > > +OLD_DIRS+=3Dusr/include/gssapi_krb5/gssapi > > +OLD_DIRS+=3Dusr/include/gssapi_krb5 > > +OLD_FILES+=3Detc/gssapi/qop > > + > > # 20250802: libutil bumped to 10 > > OLD_LIBS+=3Dlib/libutil.so.9 > > > > diff --git a/etc/gss-krb5/Makefile b/etc/gss-krb5/Makefile > > index 301a8e074e8c..8886ed35e281 100644 > > --- a/etc/gss-krb5/Makefile > > +++ b/etc/gss-krb5/Makefile > > @@ -1,4 +1,4 @@ > > -FILES=3D mech qop > > +FILES=3D mech > > NO_OBJ=3D > > FILESDIR=3D /etc/gss > > > > diff --git a/etc/gss-krb5/qop b/etc/gss-krb5/qop > > deleted file mode 100644 > > index 7d5b6b8f33dd..000000000000 > > --- a/etc/gss-krb5/qop > > +++ /dev/null > > @@ -1 +0,0 @@ > > -GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5 > > diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist > > index 0e9f739425a1..28c4d91ac1c0 100644 > > --- a/etc/mtree/BSD.include.dist > > +++ b/etc/mtree/BSD.include.dist > > @@ -258,10 +258,6 @@ > > .. > > gssapi > > .. > > - gssapi_krb5 > > - gssapi > > - .. > > - .. > > gssrpc > > .. > > infiniband > > diff --git a/include/Makefile b/include/Makefile > > index af7ef2337941..2792d594a888 100644 > > --- a/include/Makefile > > +++ b/include/Makefile 
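Review bot: The new ObsoleteFiles.inc entry `OLD_FILES+=etc/gssapi/qop` does not match where the file was installed. The etc/gss-krb5/Makefile hunk in this same commit shows `FILESDIR= /etc/gss` as context, and the OptionalObsoleteFiles.inc hunk removes `etc/gss/qop`. As written, the unconditional entry would likely never match an installed file, so a stale qop could survive `make delete-old` wherever the optional entry does not apply. The line should probably read `OLD_FILES+=etc/gss/qop`.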
> > @@ -293,7 +293,7 @@ LSUBSUBDIRS+=3D netgraph/bluetooth/include > > LSUBDIRS+=3D fs/cuse > > .endif > > > > -.if ${MK_GSSAPI} !=3D "no" > > +.if ${MK_GSSAPI} !=3D "no" && ${MK_MITKRB5} =3D=3D "no" > > SUBDIR+=3D gssapi > > INCS+=3D gssapi.h > > .endif > > diff --git a/krb5/include/Makefile b/krb5/include/Makefile > > index 699211b9c3c9..64c5d39b867b 100644 > > --- a/krb5/include/Makefile > > +++ b/krb5/include/Makefile > > @@ -17,13 +17,12 @@ SUBDIR=3D krb5 gssrpc gssapi > > > > SUBDIR_PARALLEL=3D > > > > -INCSGROUPS=3D INCS > > - > > INCSDIR=3D ${INCLUDEDIR} > > > > .PATH: ${KRB5_DIR}/include > > > > -INCS=3D kdb.h \ > > +INCS=3D gssapi.h \ > > + kdb.h \ > > krad.h \ > > krb5.h > > > > diff --git a/krb5/include/gssapi/Makefile b/krb5/include/gssapi/Makefil= e > > index 4959bf78944d..b181187e9d95 100644 > > --- a/krb5/include/gssapi/Makefile > > +++ b/krb5/include/gssapi/Makefile > > @@ -15,16 +15,11 @@ > > > > INCSGROUPS=3D INCS GSSAPI_KRB5 > > INCSDIR=3D ${INCLUDEDIR}/gssapi > > -GSSAPI_KRB5DIR=3D ${INCLUDEDIR}/gssapi_krb5 > > > > -INCS=3D gssapi_alloc.h \ > > +INCS=3D gssapi.h \ > > + gssapi_alloc.h \ > > gssapi_ext.h \ > > gssapi_generic.h \ > > gssapi_krb5.h > > > > -# This gssapi header file is only needed should an app need > > -# to build using the MIT KRB5 GSSAPI library. > > - > > -GSSAPI_KRB5=3D gssapi.h > > - > > .include <bsd.prog.mk> > > diff --git a/krb5/lib/gssapi/generic/Makefile.inc b/krb5/lib/gssapi/gen= eric/M > > akefile.inc > > index 9de18079a341..ef76172655d6 100644 > > --- a/krb5/lib/gssapi/generic/Makefile.inc > > +++ b/krb5/lib/gssapi/generic/Makefile.inc > > @@ -36,7 +36,7 @@ SRCS+=3D disp_com_err_status.c \ > > INCSGROUPS=3D GSSAPI_INCS > > GSSAPI_INCS=3D gssapi.h > > INCS+=3D ${GENI} > > -GSSAPI_INCSDIR=3D ${INCLUDEDIR}/gssapi_krb5/gssapi > > +GSSAPI_INCSDIR=3D ${INCLUDEDIR}/gssapi > > > > CLEANFILES+=3D gssapi.h ${GGEN} ${GGENI} > > > > diff --git a/lib/Makefile b/lib/Makefile > > index e5139b312a75..9447cc4551c0 100644 
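Review bot: In krb5/include/gssapi/Makefile the context line `INCSGROUPS= INCS GSSAPI_KRB5` is kept while the hunk deletes both `GSSAPI_KRB5DIR` and the `GSSAPI_KRB5= gssapi.h` assignment, which leaves a dangling group name; `INCSGROUPS= INCS` would say what is meant. The same hunk adds gssapi.h to INCS with `INCSDIR= ${INCLUDEDIR}/gssapi`, and the krb5/lib/gssapi/generic/Makefile.inc hunk retargets `GSSAPI_INCSDIR` to that same directory for its generated gssapi.h, so two makefiles appear to install the same path. It is worth confirming that both install an identical file, because whichever is installed last determines the GSS-API declarations that sshd, gssd and librpcsec_gss are compiled against.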
> > --- a/lib/Makefile > > +++ b/lib/Makefile > > @@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat=3D libkvm > > SUBDIR_DEPEND_libdpv=3D libfigpar ncurses libutil > > SUBDIR_DEPEND_libedit=3D ncurses > > SUBDIR_DEPEND_libgeom=3D libexpat libsbuf > > +.if ${MK_MITKRB5} =3D=3D "no" > > SUBDIR_DEPEND_librpcsec_gss=3D libgssapi > > +.endif > > SUBDIR_DEPEND_libmagic=3D libz > > SUBDIR_DEPEND_libmemstat=3D libkvm > > SUBDIR_DEPEND_libpam=3D libcrypt ${_libradius} librpcsvc libtacplus li= butil ${ > > _libypclnt} ${_libcom_err} > > @@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+=3D libdpv libfigpar > > SUBDIR.${MK_FDT}+=3D libfdt > > SUBDIR.${MK_FILE}+=3D libmagic > > SUBDIR.${MK_GPIO}+=3D libgpio > > -SUBDIR.${MK_GSSAPI}+=3D libgssapi librpcsec_gss > > +.if ${MK_MITKRB5} =3D=3D "no" > > +SUBDIR.${MK_GSSAPI}+=3D libgssapi > > +.endif > > +SUBDIR.${MK_GSSAPI}+=3D librpcsec_gss > > SUBDIR.${MK_ICONV}+=3D libiconv_modules > > .if ${MK_MITKRB5} =3D=3D "no" > > SUBDIR.${MK_KERBEROS_SUPPORT}+=3D libcom_err > > diff --git a/lib/librpcsec_gss/Makefile b/lib/librpcsec_gss/Makefile > > index a29d9780c1ab..eebc975acbd2 100644 > > --- a/lib/librpcsec_gss/Makefile > > +++ b/lib/librpcsec_gss/Makefile > > @@ -1,10 +1,16 @@ > > +.include <src.opts.mk> > > + > > PACKAGE=3Dlib${LIB} > > LIB=3D rpcsec_gss > > SHLIB_MAJOR=3D 1 > > SRCS+=3D rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c rpcsec= _gss_mis > > c.c \ > > svc_rpcsec_gss.c > > > > +.if ${MK_MITKRB5} =3D=3D "no" > > LIBADD=3D gssapi > > +.else > > +LIBADD=3D gssapi_krb5 > > +.endif > > > > VERSION_DEF=3D ${SRCTOP}/lib/libc/Versions.def > > SYMBOL_MAPS=3D ${.CURDIR}/Symbol.map > > diff --git a/secure/libexec/sshd-session/Makefile b/secure/libexec/sshd= -sessi > > on/Makefile > > index 8841cace5239..37e099794bd5 100644 > > --- a/secure/libexec/sshd-session/Makefile > > +++ b/secure/libexec/sshd-session/Makefile 
> > @@ -39,15 +39,14 @@ LDFLAGS+=3D-L${LIBBLACKLISTDIR} > > .endif > > > > .if ${MK_GSSAPI} !=3D "no" && ${MK_KERBEROS_SUPPORT} !=3D "no" > > -LIBADD+=3D gssapi_krb5 gssapi krb5 > > .if ${MK_MITKRB5} !=3D "no" > > +LIBADD+=3D gssapi_krb5 krb5 > > .include "../../krb5/Makefile.inc" > > CFLAGS+=3D -I${KRB5_DIR}/include \ > > -I${KRB5_SRCTOP}/include \ > > - -I${KRB5_OBJTOP}/lib \ > > - -I${KRB5_DIR}/lib/gssapi/generic \ > > - -I${KRB5_DIR}/lib/gssapi/krb5 \ > > - -I${KRB5_DIR}/lib/gssapi/mechglue > > + -I${KRB5_OBJTOP}/lib > > +.else > > +LIBADD+=3D gssapi_krb5 gssapi krb5 > > .endif > > .endif > > > > diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile > > index acb1fd4eaa25..a4f36d0fe2df 100644 > > --- a/secure/usr.bin/ssh/Makefile > > +++ b/secure/usr.bin/ssh/Makefile > > @@ -18,7 +18,11 @@ SRCS+=3D gss-genr.c > > LIBADD=3D ssh > > > > .if ${MK_GSSAPI} !=3D "no" && ${MK_KERBEROS_SUPPORT} !=3D "no" > > +.if ${MK_MITKRB5} =3D=3D "no" > > LIBADD+=3D gssapi > > +.else > > +LIBADD+=3D gssapi_krb5 > > +.endif > > .endif > > > > LIBADD+=3D crypto > > diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makef= ile > > index e6913cd9d0d6..f37dfe1c1b3a 100644 > > --- a/secure/usr.sbin/sshd/Makefile > > +++ b/secure/usr.sbin/sshd/Makefile > > @@ -19,7 +19,11 @@ moduli: .MADE > > LIBADD=3D ssh util > > > > .if ${MK_GSSAPI} !=3D "no" && ${MK_KERBEROS_SUPPORT} !=3D "no" > > +.if ${MK_MITKRB5} =3D=3D "no" > > LIBADD+=3D gssapi_krb5 gssapi krb5 > > +.else > > +LIBADD+=3D gssapi_krb5 krb5 > > +.endif > > .endif > > > > .if ${MK_TCP_WRAPPERS} !=3D "no" > > diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk > > index 283a99496b9f..9ca043e7733c 100644 > > --- a/share/mk/src.libnames.mk > > +++ b/share/mk/src.libnames.mk 
> > @@ -472,7 +472,11 @@ _DP_ncursesw=3D tinfow > > _DP_formw=3D ncursesw > > _DP_nvpair=3D spl > > _DP_panelw=3D ncursesw > > +.if ${MK_MITKRB5} =3D=3D "no" > > _DP_rpcsec_gss=3D gssapi > > +.else > > +_DP_rpcsec_gss=3D gssapi_krb5 > > +.endif > > _DP_smb=3D kiconv > > _DP_ulog=3D md > > _DP_fifolog=3D z > > diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/= Option > > alObsoleteFiles.inc > > index aa6d04f1cc43..8e5ac7fa2a63 100644 > > --- a/tools/build/mk/OptionalObsoleteFiles.inc > > +++ b/tools/build/mk/OptionalObsoleteFiles.inc > > @@ -4836,6 +4836,7 @@ OLD_FILES+=3Dusr/share/man/man8/sserver.8.gz > > .else > > .if ${MK_MITKRB5} !=3D "no" > > # Remove Heimdal because we want MIT KRB5 but not Heimdal > > +OLD_FILES+=3Detc/gss/qop > > OLD_FILES+=3Detc/rc.d/ipropd_master > > OLD_FILES+=3Detc/rc.d/ipropd_slave > > OLD_FILES+=3Dusr/bin/asn1_compile > > @@ -4921,6 +4922,8 @@ OLD_LIBS+=3Dusr/lib/libasn1.so.11 > > OLD_FILES+=3Dusr/lib/libasn1_p.a > > OLD_LIBS+=3Dusr/lib/libcom_err.so.5 > > OLD_FILES+=3Dusr/lib/libcom_err_p.a > > +OLD_LIBS+=3Dusr/lib/libgssapi.a > > +OLD_LIBS+=3Dusr/lib/libgssapi.so.10 > > OLD_LIBS+=3Dusr/lib/libgssapi_krb5.so.10 > > OLD_FILES+=3Dusr/lib/libgssapi_krb5_p.a > > OLD_FILES+=3Dusr/lib/libgssapi_mech.a > > diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile > > index 569e2c7e18f5..336a1b49f696 100644 > > --- a/usr.sbin/gssd/Makefile > > +++ b/usr.sbin/gssd/Makefile > > @@ -9,15 +9,14 @@ SRCS=3D gssd.c gssd.h gssd_svc.c gssd_xdr.c gss= d_prot.c > > CFLAGS+=3D -I. > > WARNS?=3D 1 > > > > -LIBADD=3D gssapi > > .if ${MK_KERBEROS_SUPPORT} !=3D "no" > > .if ${MK_MITKRB5} !=3D "no" > > # MIT KRB5 > > -LIBADD+=3D krb5 k5crypto krb5profile krb5support > > +LIBADD+=3D gssapi_krb5 krb5 k5crypto krb5profile krb5support > > CFLAGS+=3D -DMK_MITKRB5=3Dyes > > .else > > # Heimdal > > -LIBADD+=3D krb5 roken > > +LIBADD+=3D gssapi krb5 roken > > .endif > > .else > > CFLAGS+=3D -DWITHOUT_KERBEROS 
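Review bot: `OLD_LIBS+=usr/lib/libgssapi.a` in the second OptionalObsoleteFiles.inc hunk files a static archive under OLD_LIBS, whereas the surrounding context lines list archives under OLD_FILES (`OLD_FILES+=usr/lib/libasn1_p.a`, `OLD_FILES+=usr/lib/libgssapi_mech.a`) and keep OLD_LIBS for versioned shared objects. Following that convention the line would be `OLD_FILES+=usr/lib/libgssapi.a`, so the Heimdal archive goes away with the other stale files and is not left behind for something to link against after the switch to MIT. The enclosing `.if` block starts and ends outside the hunk.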
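Review bot: With the unconditional `LIBADD= gssapi` removed from usr.sbin/gssd/Makefile, the outer `.else` branch that sets `CFLAGS+= -DWITHOUT_KERBEROS` no longer links any GSS-API library, because gssapi and gssapi_krb5 are now added only inside the `MK_KERBEROS_SUPPORT != "no"` branches. The gssd.c hunk shows `#include <gssapi/gssapi.h>` as unconditional context, so if gssd is built in that configuration it would presumably fail to link. Either add `LIBADD+= gssapi` to that branch or confirm that gssd is never built without Kerberos support. The conditional block continues past the end of the hunk.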
> > diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c > > index 94eb6ca575c8..2a3af05496cf 100644 > > --- a/usr.sbin/gssd/gssd.c > > +++ b/usr.sbin/gssd/gssd.c > > @@ -53,6 +53,9 @@ > > #include <arpa/inet.h> > > #include <netinet/in.h> > > #include <gssapi/gssapi.h> > > +#ifdef MK_MITKRB5 > > +#include <gssapi/gssapi_krb5.h> > > +#endif > > #include <rpc/rpc.h> > > #include <rpc/rpc_com.h> > > > > > >
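Review bot: The new `#ifdef MK_MITKRB5` include carries no comment, although the commit message describes the gssd change as temporary pending the kgssapi patches. A marker such as `/* XXX temporary: MIT krb5 build needs gssapi_krb5.h until the gssd/kgssapi rework lands */` above the `#ifdef` would make it easy to find and remove later. It is also worth noting in that comment that the macro comes from `-DMK_MITKRB5=yes` in the gssd Makefile, so it must be tested with `#ifdef` and never with `#if`.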