Date:      Tue, 24 Jun 2025 10:41:09 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Lexi Winter <ivy@freebsd.org>
Cc:        Dima Panov <fluffy@freebsd.org>, Cy Schubert <cy@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject:   Re: git: 7e35117eb07f - main - Makefile: Hook MIT KRB5 into the  build
Message-ID:  <20250624174109.7EC672E@slippy.cwsent.com>
In-Reply-To: <20250624173442.ADC1ACA@slippy.cwsent.com>
References:  <202506160251.55G2pwx4063231@gitrepo.freebsd.org>  <cc9222b0-8745-48cf-988c-4206287a7a7b@FreeBSD.org>  <20250620073050.7f03f74e@slippy> <3742e37c-bca9-4778-881a-94c09aefdb32@FreeBSD.org> <20250623093010.71b18c87@slippy> <5fa53b5b-6c66-4195-8c89-1fc9d7b165bd@FreeBSD.org> <20250624083004.6de66e53@slippy> <aFrSQUqsTI4pRASQ@freefall.freebsd.org> <20250624165402.5B759112@slippy.cwsent.com> <aFrbLUEohuXAhZ8W@freefall.freebsd.org> <20250624173442.ADC1ACA@slippy.cwsent.com>

In message <20250624173442.ADC1ACA@slippy.cwsent.com>, Cy Schubert writes:
> In message <aFrbLUEohuXAhZ8W@freefall.freebsd.org>, Lexi Winter writes:
> >
> > Cy Schubert:
> > > In message <aFrSQUqsTI4pRASQ@freefall.freebsd.org>, Lexi Winter writes:
> > > > i'm hoping with MIT krb5 in base, we might be able to find a better
> > > > solution to this, but i haven't had a chance to actually try it.
> > > > it may be we have to go with a glib-style "bootstrap port" solution.
> >
> > > It may help bootstrap but you can't rely on it to supply your KDC needs as
> > > it doesn't and will never use LDAP, unless we import OpenLDAP into base,
> > > and that's another matter of discussion.
> >
> > i am thinking purely in terms of ports here, e.g.:
> >
> > - krb5-ldap requires openldap26@bootstrap
> > - openldap26@bootstrap builds OpenLDAP without Kerberos support
> > - after building krb5-ldap you then build openldap26 with Kerberos
> >   support which is a drop-in replacement for openldap26@bootstrap.
> >
> > then you install krb5-ldap and openldap26-server and the
> > openldap26@bootstrap port is never used after the package build is done.
> >
> > the exact details of how this works might be more complicated but my
> > understanding is that this is how devel/glib20 and
> > devel/gobject-introspection manage to depend on each other.
> >
> > i was hoping MIT krb5 in base would avoid the need for this, but i don't
> > think it does: if ports openldap links to base krb5, and ports krb5
> > links to ports openldap, you'd end up with the KDC binary linking to
> > both base and ports krb5.  so in practice, you'd still need to ignore
> > base Kerberos entirely (other than for NFS) and build everything against
> > ports krb5, like we do now.
>
> This is the same problem we have with Heimdal currently. This is why 
> gssapi.mk was created in the first place. Considering the alternative it 
> does a fairly good job of insulating ports from whatever kerberos is in 
> base.
>
> gssapi.mk should determine its default based on what it finds, whether it 
> be Heimdal in base or ports or MIT in base or ports. The changes made to 
> the kdc rc script detect the kerberos. We should be able to do the same in 
> gssapi.mk. This avoids people having to muck around with make.conf.
>
> Currently with Heimdal 1.5.2 in 13 and 14, and in default in 15 (until the 
> default changes), users will need to use some kind of modern kerberos from 
> ports. And this will be the state of affairs until 14 is EOL. gssapi.mk 
> will need to account for this and the best way would be to test 1) if the 
> user has selected a default in make.conf, 2) test if one of the ports is 
> installed and use that, and 3) use whatever is in base (in 13, 14, or 15).
>
> Testing for the kdc or krb5kdc binary in ${LOCALBASE} first, next in 
> /usr/libexec will tell gssapi.mk which version is installed.
>
> Regardless, LDAP requires one of the ports be prebuilt.

Something we should start thinking about is bringing FreeIPA into ports. 
FreeIPA allows building a trust relationship between it and Microsoft 
Active Directory. I don't know what the requirements are but it's been on 
my radar for a while.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0
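The three-step detection order proposed in the quoted message (an explicit choice in make.conf, then a KDC installed from ports under ${LOCALBASE}, then whatever base ships in /usr/libexec), as an added POSIX sh sketch. This is example code, not part of the thread and not the ports tree's gssapi.mk; the make.conf variable name KRB5_FLAVOR is hypothetical, and looking in both sbin/ and libexec/ under each prefix is an assumption made so the sketch does not depend on where a given port installs its KDC.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ports tree's gssapi.mk:
# a sketch of the three-step Kerberos detection order proposed in the quoted
# message. Assumptions: the make.conf variable KRB5_FLAVOR is hypothetical;
# the KDC is looked for in both sbin/ and libexec/ under each prefix, since
# ports and base place it differently; "krb5kdc" means MIT, "kdc" means Heimdal.

# kdc_flavor PREFIX -> prints "mit" or "heimdal" if a KDC binary is found there
kdc_flavor() {
    for d in sbin libexec; do
        [ -x "$1/$d/krb5kdc" ] && { echo mit; return 0; }
    done
    for d in sbin libexec; do
        [ -x "$1/$d/kdc" ] && { echo heimdal; return 0; }
    done
    return 1
}

# detect_krb5 [LOCALBASE] [BASE] [MAKECONF]
# Prints heimdal-ports, mit-ports, heimdal-base, mit-base, or none (exit 1).
detect_krb5() {
    localbase=${1:-/usr/local}
    base=${2:-/usr}
    makeconf=${3:-/etc/make.conf}

    # 1) An explicit choice in make.conf wins (the last assignment counts).
    if [ -f "$makeconf" ]; then
        choice=$(sed -n 's/^[[:space:]]*KRB5_FLAVOR[[:space:]]*[?+:]*=[[:space:]]*//p' "$makeconf" \
                 | sed 's/[[:space:]]*$//' | tail -n 1)
        case "$choice" in
            heimdal-ports|mit-ports|heimdal-base|mit-base)
                echo "$choice"; return 0 ;;
            "") ;;
            *) echo "warning: ignoring unknown KRB5_FLAVOR=$choice" >&2 ;;
        esac
    fi

    # 2) A KDC installed from ports under ${LOCALBASE} is preferred over base,
    #    so that ports (and their LDAP backend) link against one Kerberos only.
    if f=$(kdc_flavor "$localbase"); then
        echo "$f-ports"; return 0
    fi

    # 3) Fall back to whatever base provides (Heimdal today, MIT once it is default).
    if f=$(kdc_flavor "$base"); then
        echo "$f-base"; return 0
    fi

    echo none
    return 1
}
```

Run as `detect_krb5` with no arguments to probe the live system, or pass alternate prefixes to probe a jail or build root. The ports-before-base order is the point of the message: it keeps a port from being linked against base Kerberos while its dependencies link against the ports one, which is the double-linking problem described further up the thread.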