From: Cy Schubert
To: Cy Schubert, Dima Panov, Cy Schubert, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 7e35117eb07f - main - Makefile: Hook MIT KRB5 into the build
Date: Tue, 24 Jun 2025 10:34:42 -0700
Message-Id: <20250624173442.ADC1ACA@slippy.cwsent.com>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

In message , Lexi Winter writes:
>
> Cy Schubert:
> > In message , Lexi Winter writes:
> > > i'm hoping with MIT krb5 in base, we might be able to find a better
> > > solution to this, but i haven't had a chance to actually try it.
> > > it may be we have to go with a glib-style "bootstrap port" solution.
>
> > It may help bootstrap but you can't rely on it to supply your KDC needs as
> > it doesn't and will never use LDAP, unless we import OpenLDAP into base,
> > and that's another matter of discussion.
>
> i am thinking purely in terms of ports here, e.g.:
>
> - krb5-ldap requires openldap26@bootstrap
> - openldap26@bootstrap builds OpenLDAP without Kerberos support
> - after building krb5-ldap you then build openldap26 with Kerberos
>   support which is a drop-in replacement for openldap26@bootstrap.
>
> then you install krb5-ldap and openldap26-server and the
> openldap26@bootstrap port is never used after the package build is done.
>
> the exact details of how this works might be more complicated but my
> understanding is that this is how devel/glib20 and
> devel/gobject-introspection manage to depend on each other.
>
> i was hoping MIT krb5 in base would avoid the need for this, but i don't
> think it does: if ports openldap links to base krb5, and ports krb5
> links to ports openldap, you'd end up with the KDC binary linking to
> both base and ports krb5. so in practice, you'd still need to ignore
> base Kerberos entirely (other than for NFS) and build everything against
> ports krb5, like we do now.

This is the same problem we have with Heimdal currently. This is why
gssapi.mk was created in the first place. Considering the alternative it
does a fairly good job of insulating ports from whatever kerberos is in
base.

gssapi.mk should determine its default based on what it finds, whether it
be Heimdal in base or ports or MIT in base or ports. The changes made to
the kdc rc script detect the kerberos. We should be able to do the same in
gssapi.mk. This avoids people having to muck around with make.conf.

Currently with Heimdal 1.5.2 in 13 and 14, and in default in 15 (until the
default changes), users will need to use some kind of modern kerberos from
ports. And this will be the state of affairs until 14 is EOL. gssapi.mk
will need to account for this and the best way would be to test 1) if the
user has selected a default in make.conf, 2) test if one of the ports is
installed and use that, and 3) use whatever is in base (in 13, 14, or 15).
Testing for the kdc or krb5kdc binary in ${LOCALBASE} first, next in
/usr/libexec will tell gssapi.mk which version is installed.

Regardless, LDAP requires one of the ports be prebuilt.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0
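
The three-step selection order proposed in the message above, sketched as a shell function. This is an added example, not part of the original message and not code from gssapi.mk or the kdc rc script; the function names, the output format, the sbin/libexec lookup under LOCALBASE and the handling of two flavours in one tier are assumptions.

```sh
#!/bin/sh
# Added illustration, not code from gssapi.mk or the kdc rc script.
# Hypothetical names: flavour_in, detect_kerberos, the "tier:flavour" output.

# flavour_in DIR...: which KDC binary exists in the given directories.
# krb5kdc is the MIT KDC, kdc is the Heimdal KDC.
flavour_in() {
    mit=; heimdal=
    for dir in "$@"; do
        if [ -f "$dir/krb5kdc" ] && [ -x "$dir/krb5kdc" ]; then mit=m; fi
        if [ -f "$dir/kdc" ] && [ -x "$dir/kdc" ]; then heimdal=h; fi
    done
    case "$mit$heimdal" in
        mh) echo conflict ;;
        m)  echo mit ;;
        h)  echo heimdal ;;
        *)  echo none ;;
    esac
}

# detect_kerberos ROOT LOCALBASE [USER_DEFAULT]
# ROOT is a path prefix ("" on a live system) so a scratch tree can be used.
detect_kerberos() {
    root=$1; localbase=$2; user_default=${3:-}
    # 1) An explicit default from make.conf always wins.
    if [ -n "$user_default" ]; then echo "user:$user_default"; return 0; fi
    # 2) A port under LOCALBASE. Checking sbin and libexec is an assumption;
    #    the message only says "in ${LOCALBASE}".
    tier=port
    found=$(flavour_in "$root$localbase/sbin" "$root$localbase/libexec")
    if [ "$found" = none ]; then
        # 3) Whatever base ships, looked up in /usr/libexec.
        tier=base
        found=$(flavour_in "$root/usr/libexec")
    fi
    case $found in
        none)     echo none; return 1 ;;
        # Both flavours in one tier: refuse to guess (an assumption here).
        conflict) echo "$tier:conflict"; return 1 ;;
        *)        echo "$tier:$found" ;;
    esac
}

# Constructed demo tree: Heimdal in base, MIT krb5 installed from ports.
t=$(mktemp -d)
mkdir -p "$t/usr/libexec" "$t/usr/local/sbin"
: > "$t/usr/libexec/kdc"; : > "$t/usr/local/sbin/krb5kdc"
chmod +x "$t/usr/libexec/kdc" "$t/usr/local/sbin/krb5kdc"
detect_kerberos "$t" /usr/local; rm -rf "$t"
```

On the constructed tree the port wins over base, which is the behaviour the message asks for while releases that ship Heimdal 1.5.2 in base are still supported.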