Date: Sat, 02 Aug 2025 14:54:24 -0700
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>, Gleb Smirnoff <glebius@freebsd.org>, Benjamin Kaduk <bjkfbsd@gmail.com>
Subject: Re: kgssapi and gssd patches for MIT's Kerberos
Message-ID: <C372BBDE-2270-4DA0-B663-A85A0A92D5CC@cschubert.com>
In-Reply-To: <CAM5tNy49_KxAwf_dcfoE-pvQNC_n0J7sS3qvXj01v6OQR23XXA@mail.gmail.com>
References: <CAM5tNy6kRjUeJUZwmWSnC_kupAaKrqxn5aXR76p_CtWFEu9bvQ@mail.gmail.com> <447F3CFA-E4B8-4283-ACB5-DFE571F00554@cschubert.com> <CAM5tNy49_KxAwf_dcfoE-pvQNC_n0J7sS3qvXj01v6OQR23XXA@mail.gmail.com>

I don't have it here. I'm on my phone. I'll get it to you when I get back.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0

Pardon the typos. Tiny keyboard in use.

On August 2, 2025 2:30:35 p.m. PDT, Rick Macklem <rick.macklem@gmail.com> wrote:
>On Sat, Aug 2, 2025 at 1:33 PM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>>
>> There is also a review in phabricator to switch the gssapi from lib/libgssapi to the MIT provided gssapi as a companion to the patches in this thread.
>So what Dnnn?
>
>I'll look, but I'm not sure what you mean?
>For Heimdal, there was a libgssapi and a libgssapi_krb5.
>(They kept the generic code separate from the krb5 mech code.)
>
>For MIT, it appears that they just put it all in libgssapi_krb5.
>
>If you mean renaming libgssapi_krb5 to libgssapi, I don't think that
>is a good idea (I think it will just cause more confusion). I suspect
>that will mean anything linked to libgssapi (really libgssapi_krb5)
>will also need libkrb5, etc.
>
>If applications currently try and link to libgssapi, the Makefile needs
>to be fixed. At least then they know they are switching to MIT and
>might get surprises.
>
>I have run into a related thing w.r.t. building the gssd. It currently
>builds when MK_KERBEROS_SUPPORT is set to "no".
>With MIT, that means a bunch of fake stub functions must be
>added for the WITHOUT_KERBEROS case. I was just about to
>do that, but I think it is just plain silly to even build it when
>MK_KERBEROS_SUPPORT is "no"?
>
>So, should I put stub functions in to get gssd.c to build or not
>when MK_KERBEROS_SUPPORT == "no"?
>
>rick
>>
>>
>> --
>> Cheers,
>> Cy Schubert <Cy.Schubert@cschubert.com>
>> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
>> NTP: <cy@nwtime.org> Web: https://nwtime.org
>> e^(i*pi)+1=0
>>
>> Pardon the typos. Tiny keyboard in use.
>>
>> On August 1, 2025 5:21:40 p.m. PDT, Rick Macklem <rick.macklem@gmail.com> wrote:
>> >Hi,
>> >
>> >The discussion seems to have not had a mailing list on it,
>> >so here's what I posted.
>> >
>> >Maybe some others can do testing (or take a look at them)?
>> >
>> >Well, here's patches for testing. They are still kinda rough,
>> >but I'll be cleaning them up in the coming days and putting
>> >them in phabricator.
>> >
>> >They are attached and can also be found here...
>> >https://people.freebsd.org/~rmacklem/gssd.patch
>> >https://people.freebsd.org/~rmacklem/kgssapi.patch
>> >
>> >To make it work, I did..
>> ># pkg install krb5
>> >--> The libraries in /usr/lib are broken, at least in the one
>> > week old snapshot I am using for testing.
>> ># cp /usr/include/gssapi_krb5/gssapi/gssapi.h /usr/include/gssapi
>> >--> So that the correct (MIT) gssapi.h is in /usr/include/gssapi.
>> >
>> >Then after patching and building, I go into...
>> >/usr/obj/usr/src/amd64.amd64/usr.sbin/gssd
>> >and then I re-link gssd with
>> >cc -o gssd -L/usr/local/lib gssd.pieo gssd_prot.pieo gssd_svc.pieo
>> >gssd_xdr.pieo -lkrb5 -lk5crypto -lkrb5profile -lkrb5support
>> >-lgssapi_krb5
>> >and then
>> ># cp gssd /usr/sbin
>> >
>> >You might be able to just add "-L/usr/local/lib" to the gssd Makefile,
>> >but I didn't feel like messing with it.
>> >
>> >It now seems to be working ok, using a pre-MIT Heimdal 1.5.2 kdc
>> >and pre-MIT system. (I have not yet done any testing with non-FreeBSD
>> >systems. I have Solaris 11.4 and a fairly recent 6.12 kernel based Debian,
>> >but I haven't set either up for Kerberos.)
>> >
>> >Good luck with testing, rick
>> >ps: I'll post when cleaner patches are on phabricator.
