From: Cy Schubert
Reply-to: Cy Schubert
X-URL: http://www.cschubert.com/
To: Lexi Winter
cc: Dima Panov, Cy Schubert, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 7e35117eb07f - main - Makefile: Hook MIT KRB5 into the build
Date: Tue, 24 Jun 2025 10:41:09 -0700
Message-Id: <20250624174109.7EC672E@slippy.cwsent.com>
In-reply-to: <20250624173442.ADC1ACA@slippy.cwsent.com>
References: <202506160251.55G2pwx4063231@gitrepo.freebsd.org> <20250620073050.7f03f74e@slippy> <3742e37c-bca9-4778-881a-94c09aefdb32@FreeBSD.org> <20250623093010.71b18c87@slippy> <5fa53b5b-6c66-4195-8c89-1fc9d7b165bd@FreeBSD.org> <20250624083004.6de66e53@slippy> <20250624165402.5B759112@slippy.cwsent.com> <20250624173442.ADC1ACA@slippy.cwsent.com>
Comments: In-reply-to Cy Schubert message dated "Tue, 24 Jun 2025 10:34:42 -0700."
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
In message <20250624173442.ADC1ACA@slippy.cwsent.com>, Cy Schubert writes:
> In message , Lexi Winter writes:
> > Cy Schubert:
> > > In message , Lexi Winter writes:
> > > > i'm hoping with MIT krb5 in base, we might be able to find a better
> > > > solution to this, but i haven't had a chance to actually try it.
> > > > it may be we have to go with a glib-style "bootstrap port" solution.
> >
> > > It may help bootstrap but you can't rely on it to supply your KDC needs as
> > > it doesn't and will never use LDAP, unless we import OpenLDAP into base,
> > > and that's another matter of discussion.
> >
> > i am thinking purely in terms of ports here, e.g.:
> >
> > - krb5-ldap requires openldap26@bootstrap
> > - openldap26@bootstrap builds OpenLDAP without Kerberos support
> > - after building krb5-ldap you then build openldap26 with Kerberos
> >   support which is a drop-in replacement for openldap26@bootstrap.
> >
> > then you install krb5-ldap and openldap26-server and the
> > openldap26@bootstrap port is never used after the package build is done.
> >
> > the exact details of how this works might be more complicated but my
> > understanding is that this is how devel/glib20 and
> > devel/gobject-introspection manage to depend on each other.
> >
> > i was hoping MIT krb5 in base would avoid the need for this, but i don't
> > think it does: if ports openldap links to base krb5, and ports krb5
> > links to ports openldap, you'd end up with the KDC binary linking to
> > both base and ports krb5. so in practice, you'd still need to ignore
> > base Kerberos entirely (other than for NFS) and build everything against
> > ports krb5, like we do now.
>
> This is the same problem we have with Heimdal currently. This is why
> gssapi.mk was created in the first place. Considering the alternative it
> does a fairly good job of insulating ports from whatever kerberos is in
> base.
>
> gssapi.mk should determine its default based on what it finds, whether it
> be Heimdal in base or ports or MIT in base or ports. The changes made to
> the kdc rc script detect the kerberos. We should be able to do the same in
> gssapi.mk. This avoids people having to muck around with make.conf.
>
> Currently with Heimdal 1.5.2 in 13 and 14, and in default in 15 (until the
> default changes), users will need to use some kind of modern kerberos from
> ports. And this will be the state of affairs until 14 is EOL. gssapi.mk
> will need to account for this and the best way would be to test 1) if the
> user has selected a default in make.conf, 2) test if one of the ports is
> installed and use that, and 3) use whatever is in base (in 13, 14, or 15).
>
> Testing for the kdc or krb5kdc binary in ${LOCALBASE} first, next in
> /usr/libexec will tell gssapi.mk which version is installed.
>
> Regardless, LDAP requires one of the ports be prebuilt.

Something we should start thinking about is bringing FreeIPA into ports.
FreeIPA allows building a trust relationship between it and Microsoft Active
Directory. I don't know what the requirements are but it's been on my radar
for a while.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0
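The selection order Cy sketches above (an explicit make.conf default first, then an installed Kerberos port, then whatever is in base, detected by looking for a kdc or krb5kdc binary), written out as an added sh example. This is not code from the thread or from the ports tree's gssapi.mk, and the paths it probes are assumptions: ${LOCALBASE}/libexec/kdc for the Heimdal port, ${LOCALBASE}/sbin/krb5kdc for the MIT port, and /usr/libexec for base. It also covers a case the thread does not spell out, both ports installed at once, by refusing to guess rather than picking one.

```sh
#!/bin/sh
# Added illustration; not code from this thread or from the ports tree's
# gssapi.mk. It sketches, in plain sh, the selection order proposed above:
#   1) an explicit user default (as would come from make.conf),
#   2) a Kerberos port that is already installed,
#   3) whatever Kerberos the base system ships.
# The first word of the result is the USES=gssapi argument that would be
# chosen (heimdal, mit or base); the second word says what was detected.
#
# Detection follows the thread's heuristic (Heimdal installs kdc(8), MIT
# installs krb5kdc(8)). The paths are assumptions, not taken from the thread:
# ${LOCALBASE}/libexec/kdc for security/heimdal, ${LOCALBASE}/sbin/krb5kdc
# for security/krb5, and /usr/libexec for the base system's KDC.

# select_gssapi LOCALBASE ROOT [DEFAULT]
#   LOCALBASE  e.g. /usr/local
#   ROOT       root of the base system to probe (/ on a live machine; a
#              scratch directory in the demonstration below)
#   DEFAULT    heimdal|mit|base to force a choice; empty means autodetect
select_gssapi() {
    localbase=$1
    root=$2
    user_default=$3

    # 1) an explicit choice wins; an unknown value is an error rather than
    #    a silent fall-through to autodetection
    case $user_default in
    heimdal|mit|base)
        echo "$user_default make.conf"
        return 0
        ;;
    '')
        ;;
    *)
        echo "select_gssapi: unknown Kerberos flavour '$user_default'" >&2
        return 1
        ;;
    esac

    # 2) a port beats base; two ports at once is ambiguous, so refuse and
    #    make the user pick instead of guessing
    mit_port=0
    heimdal_port=0
    if [ -x "$localbase/sbin/krb5kdc" ]; then mit_port=1; fi
    if [ -x "$localbase/libexec/kdc" ]; then heimdal_port=1; fi
    if [ $mit_port -eq 1 ] && [ $heimdal_port -eq 1 ]; then
        echo "select_gssapi: both MIT and Heimdal ports are installed; set a default" >&2
        return 2
    fi
    if [ $mit_port -eq 1 ]; then echo "mit port"; return 0; fi
    if [ $heimdal_port -eq 1 ]; then echo "heimdal port"; return 0; fi

    # 3) base: report which KDC it carries, so Heimdal in base can be told
    #    apart from MIT in base by the caller
    if [ -x "$root/usr/libexec/krb5kdc" ]; then echo "base mit"; return 0; fi
    if [ -x "$root/usr/libexec/kdc" ]; then echo "base heimdal"; return 0; fi

    echo "select_gssapi: no KDC found under $localbase or $root/usr/libexec" >&2
    return 1
}

# fake_tree [port-mit] [port-heimdal] [base-mit] [base-heimdal]
# Builds a scratch tree holding empty executable stand-ins for the named
# KDC binaries, so the logic can be exercised without reading the host.
# Prints the tree's path; the caller removes it.
fake_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/usr/local/sbin" "$tree/usr/local/libexec" "$tree/usr/libexec"
    for what in "$@"; do
        case $what in
        port-mit)     f=$tree/usr/local/sbin/krb5kdc ;;
        port-heimdal) f=$tree/usr/local/libexec/kdc ;;
        base-mit)     f=$tree/usr/libexec/krb5kdc ;;
        base-heimdal) f=$tree/usr/libexec/kdc ;;
        *) echo "fake_tree: unknown component '$what'" >&2; return 1 ;;
        esac
        : > "$f" && chmod +x "$f"
    done
    echo "$tree"
}

# Demonstration on constructed trees (nothing on the real system is read).
for layout in "base-heimdal" "base-mit" "port-mit base-heimdal" \
              "port-heimdal base-heimdal" "port-mit port-heimdal base-heimdal" ""; do
    t=$(fake_tree $layout)   # unquoted on purpose: split into components
    printf '%-40s => %s\n' "[$layout]" "$(select_gssapi "$t/usr/local" "$t" "" 2>&1)"
    rm -rf "$t"
done
t=$(fake_tree port-mit port-heimdal base-heimdal)
printf '%-40s => %s\n' "[both ports, default=heimdal]" "$(select_gssapi "$t/usr/local" "$t" heimdal)"
rm -rf "$t"
```

On a live system the call would be select_gssapi /usr/local / "$SOME_DEFAULT", where the variable carrying the make.conf choice is hypothetical; the loop at the bottom runs the same function against scratch trees so the ordering, the ambiguous two-port case and the no-KDC case can be tried anywhere.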