Date: Thu, 3 Feb 2011 19:53:13 +0200
From: Vallo Kallaste
To: Jan Henrik Sylvester
Cc: questions-list freebsd
Reply-To: kalts@estpak.ee
Subject: Re: FreeBSD 8.2: state of Kerberos, GSS-API and (Cyrus) SASL?
Message-ID: <20110203175313.GA25099@hape.internal>
In-Reply-To: <4D46E6A8.8040408@janh.de>
References: <20110131154759.GA17485@hape.internal> <4D46E6A8.8040408@janh.de>

On Mon, Jan 31, 2011 at 05:43:20PM +0100, Jan Henrik Sylvester wrote:
> GSSAPI of Heimdal 1.1 in FreeBSD base is still broken, GSSAPI of
> Heimdal 1.4 in ports is supposed to work, but I have not been
> successful with Cyrus SASL (see below).
>
> >KDC up and working on 8.2-RC2 base Heimdal without any glitch, but
> >this is to be expected. What's the state about GSS-API and
> >cyrus-sasl2 integration with base Heimdal? With ports Heimdal? Can I
> >replace base Heimdal with one from ports, is it supported? Any
> >make.conf knobs to fiddle with? Any info appreciated.
>
> I am struggling with exactly the same problem. Unfortunately, I got
> no reply on this list about it:
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2011-January/226495.html
>
> If you get any further, please, tell me. I am thinking about
> reposting my question to a different list: stable as that is where
> the earlier discussions happened or ports as that seems more
> appropriate.
>
> What I have not tried, yet, is using MIT Kerberos from ports instead
> of Heimdal, but since we use Heimdal here for everything, I am kind
> of reluctant. (Otherwise, I would have to setup some Linux
> server...)
>

This is what I have done so far.
I used the patches from
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/152030
and instructions from
http://forum.nginx.org/read.php?23,1289579281,newer

As a side remark, no matter how I try this freebsd-questions thread
will not show up by using the search engine:
http://www.freebsd.org/search/search.html#mailinglists

After installing 8.2-RC2 I csup'ed RELENG_8 sources and fresh port tree, built and installed new world by using the instructions in the handbook. With new kernel, mergemaster x2 and all that stuff. Then I set WITHOUT_KERBEROS=1 in /etc/src.conf and repeated build-installworld. After completing and reboot I hunted down as many base Heimdal bits as I could and sent 'em to binary heaven:

/usr/include:
asn1_err.h heim_asn1.h cms_asn1.h rfc2459_asn1.h krb5_asn1.h pkinit_asn1.h pkcs8_asn1.h pkcs9_asn1.h pkcs12_asn1.h digest_asn1.h kx509_asn1.h hdb-private.h hdb-protos.h hdb.h hdb_asn1.h hdb_err.h heimntlm.h heimntlm-protos.h hx509-private.h hx509-protos.h hx509.h hx509_err.h ocsp_asn1.h pkcs10_asn1.h kafs.h heim_err.h heim_threads.h k524_err.h krb5-protos.h krb5-types.h krb5.h krb5_err.h krb5-v4compat.h krb_err.h roken.h roken-common.h gssapi.h kadm5/ gssapi/

/usr/lib:
libroken.a libroken.so libroken.so.10 libroken_p.a libkadm5srv.a libkadm5srv.so libkadm5srv.so.10 libkadm5srv_p.a libkafs5.a libkafs5.so libkafs5.so.10 libkafs5_p.a libkrb5.a libkrb5.so libkrb5.so.10 libkrb5_p.a libgssapi_krb5.a libgssapi_krb5.so libgssapi_krb5.so.10 libgssapi_krb5_p.a libgssapi_ntlm.a libgssapi_ntlm.so libgssapi_ntlm.so.10 libgssapi_ntlm_p.a libgssapi_spnego.a libgssapi_spnego.so libgssapi_spnego.so.10 libgssapi_spnego_p.a libhdb.a libhdb.so libhdb.so.10 libhdb_p.a libheimntlm.a libheimntlm.so libheimntlm.so.10 libheimntlm_p.a libhx509.a libhx509.so libhx509.so.10 libhx509_p.a libkadm5clnt.a libkadm5clnt.so libkadm5clnt.so.10 libkadm5clnt_p.a libasn1.a libasn1.so libasn1.so.10 libasn1_p.a pam_krb5.so pam_krb5.so.5 pam_ksu.so pam_ksu.so.5 libgssapi.a libgssapi.so
libgssapi.so.10 libgssapi_p.a librpcsec_gss.a librpcsec_gss.so librpcsec_gss.so.1

/usr/share/man/man1:
kdestroy.1.gz kinit.1.gz klist.1.gz kpasswd.1.gz krb5-config.1.gz

/usr/share/man/man3:
gssapi.3.gz gss_accept_sec_context.3.gz gss_acquire_cred.3.gz gss_add_cred.3.gz gss_add_oid_set_member.3.gz gss_canonicalize_name.3.gz gss_compare_name.3.gz gss_context_time.3.gz gss_create_empty_oid_set.3.gz gss_delete_sec_context.3.gz gss_display_name.3.gz gss_display_status.3.gz gss_duplicate_name.3.gz gss_export_name.3.gz gss_export_sec_context.3.gz gss_get_mic.3.gz gss_import_name.3.gz gss_import_sec_context.3.gz gss_indicate_mechs.3.gz gss_init_sec_context.3.gz gss_inquire_context.3.gz gss_inquire_cred.3.gz gss_inquire_cred_by_mech.3.gz gss_inquire_mechs_for_name.3.gz gss_inquire_names_for_mech.3.gz gss_process_context_token.3.gz gss_release_buffer.3.gz gss_release_cred.3.gz gss_release_name.3.gz gss_release_oid_set.3.gz gss_test_oid_set_member.3.gz gss_unwrap.3.gz gss_verify_mic.3.gz gss_wrap.3.gz gss_wrap_size_limit.3.gz gss_sign.3.gz gss_unseal.3.gz gss_verify.3.gz gss_seal.3.gz rpcsec_gss.3.gz rpc_gss_seccreate.3.gz rpc_gss_set_defaults.3.gz rpc_gss_max_data_length.3.gz rpc_gss_get_error.3.gz rpc_gss_mech_to_oid.3.gz rpc_gss_oid_to_mech.3.gz rpc_gss_qop_to_num.3.gz rpc_gss_get_mechanisms.3.gz rpc_gss_get_mech_info.3.gz rpc_gss_get_versions.3.gz rpc_gss_is_installed.3.gz rpc_gss_set_svc_name.3.gz rpc_gss_getcred.3.gz rpc_gss_set_callback.3.gz rpc_gss_get_principal_name.3.gz rpc_gss_svc_max_data_length.3.gz kafs5.3.gz k_afs_cell_of_file.3.gz k_hasafs.3.gz k_pioctl.3.gz k_setpag.3.gz k_unlog.3.gz kafs.3.gz kafs_set_verbose.3.gz kafs_settoken.3.gz kafs_settoken5.3.gz kafs_settoken_rxkad.3.gz krb5_afslog.3.gz krb5_afslog_uid.3.gz krb_afslog.3.gz krb_afslog_uid.3.gz krb5.3.gz krb524_convert_creds_kdc.3.gz krb5_425_conv_principal.3.gz krb5_acl_match_file.3.gz krb5_address.3.gz krb5_aname_to_localname.3.gz krb5_appdefault.3.gz krb5_auth_context.3.gz krb5_c_make_checksum.3.gz
krb5_ccache.3.gz krb5_check_transited.3.gz krb5_compare_creds.3.gz krb5_config.3.gz krb5_context.3.gz krb5_create_checksum.3.gz krb5_creds.3.gz krb5_crypto_init.3.gz krb5_data.3.gz krb5_digest.3.gz krb5_eai_to_heim_errno.3.gz krb5_encrypt.3.gz krb5_expand_hostname.3.gz krb5_find_padata.3.gz krb5_generate_random_block.3.gz krb5_get_all_client_addrs.3.gz krb5_get_credentials.3.gz krb5_get_creds.3.gz krb5_get_forwarded_creds.3.gz krb5_get_in_cred.3.gz krb5_get_init_creds.3.gz krb5_get_krbhst.3.gz krb5_getportbyname.3.gz krb5_init_context.3.gz krb5_is_thread_safe.3.gz krb5_keyblock.3.gz krb5_keytab.3.gz krb5_krbhst_init.3.gz krb5_kuserok.3.gz krb5_mk_req.3.gz krb5_mk_safe.3.gz krb5_openlog.3.gz krb5_parse_name.3.gz krb5_principal.3.gz krb5_rcache.3.gz krb5_rd_error.3.gz krb5_rd_safe.3.gz krb5_set_default_realm.3.gz krb5_set_password.3.gz krb5_storage.3.gz krb5_string_to_key.3.gz krb5_ticket.3.gz krb5_timeofday.3.gz krb5_unparse_name.3.gz krb5_verify_init_creds.3.gz krb5_verify_user.3.gz krb5_warn.3.gz krb5_425_conv_principal_ext.3.gz krb5_524_conv_principal.3.gz krb5_addr2sockaddr.3.gz krb5_address_compare.3.gz krb5_address_order.3.gz krb5_address_search.3.gz krb5_addresses.3.gz krb5_anyaddr.3.gz krb5_append_addresses.3.gz krb5_copy_address.3.gz krb5_copy_addresses.3.gz krb5_free_address.3.gz krb5_free_addresses.3.gz krb5_h_addr2addr.3.gz krb5_h_addr2sockaddr.3.gz krb5_make_addrport.3.gz krb5_max_sockaddr_size.3.gz krb5_parse_address.3.gz krb5_print_address.3.gz krb5_sockaddr2address.3.gz krb5_sockaddr2port.3.gz krb5_sockaddr_uninteresting.3.gz krb5_appdefault_boolean.3.gz krb5_appdefault_string.3.gz krb5_appdefault_time.3.gz krb5_auth_con_free.3.gz krb5_auth_con_genaddrs.3.gz krb5_auth_con_getaddrs.3.gz krb5_auth_con_getflags.3.gz krb5_auth_con_getkey.3.gz krb5_auth_con_getlocalsubkey.3.gz krb5_auth_con_getrcache.3.gz krb5_auth_con_getremotesubkey.3.gz krb5_auth_con_getuserkey.3.gz krb5_auth_con_init.3.gz krb5_auth_con_initivector.3.gz krb5_auth_con_setaddrs.3.gz 
krb5_auth_con_setaddrs_from_fd.3.gz krb5_auth_con_setflags.3.gz krb5_auth_con_setivector.3.gz krb5_auth_con_setkey.3.gz krb5_auth_con_setlocalsubkey.3.gz krb5_auth_con_setrcache.3.gz krb5_auth_con_setremotesubkey.3.gz krb5_auth_con_setuserkey.3.gz krb5_auth_getauthenticator.3.gz krb5_auth_getcksumtype.3.gz krb5_auth_getkeytype.3.gz krb5_auth_getlocalseqnumber.3.gz krb5_auth_getremoteseqnumber.3.gz krb5_auth_setcksumtype.3.gz krb5_auth_setkeytype.3.gz krb5_auth_setlocalseqnumber.3.gz krb5_auth_setremoteseqnumber.3.gz krb5_cc_close.3.gz krb5_cc_copy_cache.3.gz krb5_cc_cursor.3.gz krb5_cc_default.3.gz krb5_cc_default_name.3.gz krb5_cc_destroy.3.gz krb5_cc_end_seq_get.3.gz krb5_cc_gen_new.3.gz krb5_cc_get_name.3.gz krb5_cc_get_ops.3.gz krb5_cc_get_principal.3.gz krb5_cc_get_type.3.gz krb5_cc_get_version.3.gz krb5_cc_initialize.3.gz krb5_cc_next_cred.3.gz krb5_cc_ops.3.gz krb5_cc_register.3.gz krb5_cc_remove_cred.3.gz krb5_cc_resolve.3.gz krb5_cc_retrieve_cred.3.gz krb5_cc_set_default_name.3.gz krb5_cc_set_flags.3.gz krb5_cc_store_cred.3.gz krb5_fcc_ops.3.gz krb5_mcc_ops.3.gz krb5_config_get_bool_default.3.gz krb5_config_get_int_default.3.gz krb5_config_get_string_default.3.gz krb5_config_get_time_default.3.gz krb5_checksum_is_collision_proof.3.gz krb5_checksum_is_keyed.3.gz krb5_checksumsize.3.gz krb5_verify_checksum.3.gz krb5_crypto_destroy.3.gz krb5_copy_data.3.gz krb5_data_alloc.3.gz krb5_data_copy.3.gz krb5_data_free.3.gz krb5_data_realloc.3.gz krb5_data_zero.3.gz krb5_free_data.3.gz krb5_free_data_contents.3.gz krb5_decrypt.3.gz krb5_decrypt_EncryptedData.3.gz krb5_encrypt_EncryptedData.3.gz krb5_get_all_server_addrs.3.gz krb5_free_krbhst.3.gz krb5_get_krb524hst.3.gz krb5_get_krb_admin_hst.3.gz krb5_get_krb_changepw_hst.3.gz krb5_free_context.3.gz krb5_keytab_entry.3.gz krb5_kt_add_entry.3.gz krb5_kt_close.3.gz krb5_kt_compare.3.gz krb5_kt_copy_entry_contents.3.gz krb5_kt_cursor.3.gz krb5_kt_default.3.gz krb5_kt_default_name.3.gz krb5_kt_end_seq_get.3.gz 
krb5_kt_free_entry.3.gz krb5_kt_get_entry.3.gz krb5_kt_get_name.3.gz krb5_kt_get_type.3.gz krb5_kt_next_entry.3.gz krb5_kt_ops.3.gz krb5_log.3.gz krb5_kt_read_service_key.3.gz krb5_kt_register.3.gz krb5_kt_remove_entry.3.gz krb5_kt_resolve.3.gz krb5_kt_start_seq_get.3.gz krb5_krbhst_format_string.3.gz krb5_krbhst_free.3.gz krb5_krbhst_get_addrinfo.3.gz krb5_krbhst_next.3.gz krb5_krbhst_next_as_string.3.gz krb5_krbhst_reset.3.gz krb5_addlog_dest.3.gz krb5_addlog_func.3.gz krb5_closelog.3.gz krb5_initlog.3.gz krb5_log_msg.3.gz krb5_vlog.3.gz krb5_vlog_msg.3.gz krb5_get_default_principal.3.gz krb5_build_principal.3.gz krb5_build_principal_ext.3.gz krb5_build_principal_va.3.gz krb5_build_principal_va_ext.3.gz krb5_copy_principal.3.gz krb5_free_principal.3.gz krb5_make_principal.3.gz krb5_parse_name_flags.3.gz krb5_parse_nametype.3.gz krb5_princ_realm.3.gz krb5_princ_set_realm.3.gz krb5_principal_compare.3.gz krb5_principal_compare_any_realm.3.gz krb5_principal_get_comp_string.3.gz krb5_principal_get_realm.3.gz krb5_principal_get_type.3.gz krb5_principal_match.3.gz krb5_principal_set_type.3.gz krb5_realm_compare.3.gz krb5_sname_to_principal.3.gz krb5_sock_to_principal.3.gz krb5_unparse_name_flags.3.gz krb5_unparse_name_fixed.3.gz krb5_unparse_name_fixed_flags.3.gz krb5_unparse_name_fixed_short.3.gz krb5_unparse_name_short.3.gz krb5_free_host_realm.3.gz krb5_get_default_realm.3.gz krb5_get_default_realms.3.gz krb5_get_host_realm.3.gz krb5_us_timeofday.3.gz krb5_verify_opt_init.3.gz krb5_verify_opt_set_flags.3.gz krb5_verify_opt_set_keytab.3.gz krb5_verify_opt_set_secure.3.gz krb5_verify_opt_set_service.3.gz krb5_verify_user_lrealm.3.gz krb5_verify_user_opt.3.gz krb5_err.3.gz krb5_errx.3.gz krb5_set_warn_dest.3.gz krb5_verr.3.gz krb5_verrx.3.gz krb5_vwarn.3.gz krb5_vwarnx.3.gz krb5_warnx.3.gz

/usr/share/man/man5:
krb5.conf.5.gz mech.5.gz qop.5.gz

/usr/share/man/man8:
gssd.8.gz kadmin.8.gz kstash.8.gz ktutil.8.gz verify_krb5_conf.8.gz hprop.8.gz hpropd.8.gz kadmind.8.gz
kcm.8.gz kdc.8.gz kpasswdd.8.gz kerberos.8.gz pam_krb5.8.gz pam_ksu.8.gz

/usr/bin:
kadmin kdestroy kinit klist kpasswd krb5-config ksu verify_krb5_conf

/usr/sbin:
gssd kstash ktutil

/usr/libexec:
ipropd-master ipropd-slave hprop hpropd kadmind kdc kpasswdd kcm

/usr/share/info:
heimdal.info.gz

/etc:
gss/ (I let this be)

Next step was to install security/heimdal port. The latest Heimdal port has capability to provide Kerberos for base system build. In other words the Heimdal port installed into /usr/local can replace base system Kerberos. After installing Heimdal port I patched base system sources with 8-STABLE patch provided by Joerg Pulz in PR ports/152030. Then set WITH_KERBEROS_PORT=1 (in addition to WITHOUT_KERBEROS=1) in src.conf, HEIMDAL_HOME=/usr/local in /etc/make.conf, then built and installed world. It worked well.

But after installing security/cyrus-sasl2 the included pluginviewer told that GSSAPI isn't one of supported SASL mechanisms. Although the /usr/local/lib/sasl2/libgssapiv2.so.2 module is present it will not be loaded and the errors can be seen in /var/log/messages:

Feb 3 10:53:43 kdc2 server: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/sasl2/libgssapiv2.so.2: Undefined symbol "gss_nt_service_name"

This can be cured by using yet another patch by Joerg Pulz in PR ports/152071. This did not apply cleanly and I did it by hand. The diff against cyrus-sasl-2.1.23.tar.gz distribution 'configure' follows, replace the security/cyrus-sasl2/files/patch-configure with this:

======================================================================
--- configure.dist 2011-02-03 18:17:18.000000000 +0200 +++ configure 2011-02-03 18:16:36.000000000 +0200 @@ -1586,6 +1586,7 @@ fi echo "$as_me:$LINENO: result: yes" >&5 echo "${ECHO_T}yes" >&6 +program_prefix=NONE test "$program_prefix" != NONE && program_transform_name="s,^,$program_prefix,;$program_transform_name" # Use a double $ so make ignores it. 
@@ -5147,7 +5148,7 @@ fi saved_LIBS=$LIBS - for dbname in db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db + for dbname in ${with_bdb} db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db do LIBS="$saved_LIBS -l$dbname" cat >conftest.$ac_ext <<_ACEOF @@ -5157,6 +5158,7 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +#include #include int main () @@ -5904,7 +5906,7 @@ fi saved_LIBS=$LIBS - for dbname in db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db + for dbname in ${with_bdb} db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db do LIBS="$saved_LIBS -l$dbname" cat >conftest.$ac_ext <<_ACEOF @@ -5914,6 +5916,7 @@ cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ +#include #include int main () @@ -7215,6 +7218,8 @@ SASLAUTHD_TRUE='#' SASLAUTHD_FALSE= fi +SASLAUTHD_TRUE='#' +SASLAUTHD_FALSE= echo "$as_me:$LINENO: checking if I should include saslauthd" >&5 echo $ECHO_N "checking if I should include saslauthd... $ECHO_C" >&6 @@ -10672,7 +10677,7 @@ echo $ECHO_N "(cached) $ECHO_C" >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lgssapi ${GSSAPIBASE_LIBS} -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err ${LIB_SOCKET} $LIBS" +LIBS="${GSSAPIBASE_LIBS} `krb5-config --libs gssapi` $LIBS" cat >conftest.$ac_ext <<_ACEOF #line $LINENO "configure" /* confdefs.h. */ 
@@ -11082,7 +11087,7 @@ GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_LIBS $gssapi_dir/libgssapi_krb5.a $gssapi_dir/libkrb5.a $gssapi_dir/libk5crypto.a $gssapi_dir/libcom_err.a ${K5SUPSTATIC}" elif test "$gss_impl" = "heimdal"; then CPPFLAGS="$CPPFLAGS -DKRB5_HEIMDAL" - GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err" + GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS `krb5-config --libs gssapi`" GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_STATIC_LIBS $gssapi_dir/libgssapi.a $gssapi_dir/libkrb5.a $gssapi_dir/libasn1.a $gssapi_dir/libroken.a $gssapi_dir/libcom_err.a ${LIB_CRYPT}" elif test "$gss_impl" = "cybersafe03"; then # Version of CyberSafe with two libraries @@ -11119,7 +11124,7 @@ # in gssapi\rfckrb5.h # if test "$gssapi" != "no"; then - if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then + if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03" -o "$gss_impl" = "heimdal"; then cat >conftest.$ac_ext <<_ACEOF #line $LINENO "configure" /* confdefs.h. */ @@ -11190,7 +11195,7 @@ fi - if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then + if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03" -o "$gss_impl" = "heimdal"; then cat >conftest.$ac_ext <<_ACEOF #line $LINENO "configure" /* confdefs.h. */ 
@@ -11920,7 +11925,7 @@ echo $ECHO_N "(cached) $ECHO_C" >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lpq $LIBS" +LIBS="-lpq $GSSAPIBASE_LIBS $LIBS" cat >conftest.$ac_ext <<_ACEOF #line $LINENO "configure" /* confdefs.h. */
======================================================================

After replacing the patch-configure install security/cyrus-sasl2 port and try out pluginviewer, in my case:

[root@kdc2 ~]# pluginviewer -s
Installed SASL (server side) mechanisms are:
NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "ntlm" [loaded], API version: 4
        SASL mechanism: NTLM, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "login" [loaded], API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features:
Plugin "anonymous" [loaded], API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "plain" [loaded], API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "gssapiv2" [loaded], API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "otp" [loaded], API version: 4
        SASL mechanism: OTP, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|FORWARD_SECRECY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "digestmd5" [loaded], API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "crammd5" [loaded], API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST

I have not tried yet to build and use apps which make use of Kerberos authentication via SASL, but clearly the first step is that pluginviewer must consider GSSAPI mechanism as worthy.

My thanks go to Joerg Pulz who did all the heavy lifting and provided patches to the public. Thank you.

-- Vallo
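
Review bot: In the first hunk (@@ -1586) the added program_prefix=NONE sits directly in front of test "$program_prefix" != NONE &&, so that test can never be true and any --program-prefix given to configure is silently discarded. If the goal is only that no prefix is applied, it is cleaner for the caller not to pass one; if the override has to stay, put a comment on the line saying why, since nothing in the hunk explains it.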
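
Review bot: In the two "for dbname in ${with_bdb} db-4.4 ..." hunks (@@ -5147 and @@ -5904), ${with_bdb} is placed at the head of the candidate list with no check on its value, and the loop body turns every entry into -l$dbname. An unset value is harmless, but any value that is not a library name gets a link attempt as -l<value> before the real candidates are tried. Guard the value before using it, and since the identical edit appears twice in the generated configure, make it once in the source both loops are generated from so the copies cannot drift apart.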
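
Review bot: In the @@ -7215 hunk the added SASLAUTHD_TRUE='#' and SASLAUTHD_FALSE= come after the closing fi, so they overwrite whatever the preceding conditional chose and the outcome is the same for every configure run, while the next line still prints "checking if I should include saslauthd". If saslauthd is never meant to be built from this tree, say so in a comment next to the two assignments and adjust the now misleading check; otherwise keep the conditional's result.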
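
Review bot: In the @@ -10672 hunk, krb5-config --libs gssapi is resolved through PATH and its exit status is not checked. On a host that carries more than one Kerberos installation the probe can pick up the wrong library set, and if the command is missing LIBS quietly becomes just "${GSSAPIBASE_LIBS} $LIBS", which leads back to unresolved GSS symbols at load time. Call the krb5-config that belongs to the installation $gssapi_dir (used in the @@ -11082 hunk) points at, or at least stop configure with a clear message when the command is not found or fails.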
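
Review bot: In the @@ -11082 hunk only GSSAPIBASE_LIBS is switched to krb5-config --libs gssapi; the GSSAPIBASE_STATIC_LIBS line right below it in the same heimdal branch still lists libgssapi.a, libkrb5.a, libasn1.a, libroken.a and libcom_err.a by hand. The shared and static link sets can now disagree. Either derive the static list the same way or add a comment that static linking against Heimdal is not covered by this change.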
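
Review bot: In the last hunk (@@ -11920) $GSSAPIBASE_LIBS is added only to the LIBS value used for the -lpq probe, which is saved in ac_check_lib_save_LIBS on the line above. If libpq needs the GSSAPI libraries to link on this system, whatever is later linked against libpq needs them as well, and no such change is visible in this patch. A short comment on why the probe needs them would also help the next person who regenerates configure.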
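
A check for the two symptoms described in the message (GSSAPI missing from what pluginviewer reports, and the dlopen error in /var/log/messages), as an added example that is not part of the original message or of Cyrus SASL. The function names are hypothetical and the plugin listing embedded in it is a constructed, abridged sample in the format shown above.

```sh
# Added example (not from the original message); names are hypothetical and
# the plugin listing below is a constructed, abridged sample.

# One line per server plugin: "<mechanism> <state> <best SSF> <flags>".
sasl_plugins() {
    awk '
        /^Plugin "/ { state = ($0 ~ /\[loaded\]/) ? "loaded" : "not-loaded" }
        /SASL mechanism:/ {
            mech = $0; sub(/.*SASL mechanism: */, "", mech); sub(/,.*/, "", mech)
            ssf = $0; sub(/.*best SSF: */, "", ssf); sub(/,.*/, "", ssf)
        }
        /security flags:/ {
            flags = $0; sub(/.*security flags: */, "", flags)
            sub(/[ \t]+$/, "", flags); if (flags == "") flags = "-"
            print mech, state, ssf, flags
        }'
}

# Succeeds only when the GSSAPI mechanism is reported and its plugin loaded.
gssapi_loaded() {
    sasl_plugins | awk '$1 == "GSSAPI" && $2 == "loaded" { ok = 1 } END { exit !ok }'
}

# Mechanisms whose security flags lack NO_PLAINTEXT.
plaintext_mechs() {
    sasl_plugins | awk '$4 !~ /NO_PLAINTEXT/ { printf "%s%s", sep, $1; sep = " " }
                        END { print "" }'
}

# "<plugin path> <symbol>" for each plugin the runtime linker rejected.
sasl_dlopen_failures() {
    sed -n 's/.*unable to dlopen \([^:]*\): .*Undefined symbol "\([^"]*\)".*/\1 \2/p'
}

sample_pluginviewer() {
    cat <<'EOF'
Plugin "login" [loaded], API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features:
Plugin "plain" [loaded], API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "gssapiv2" [loaded], API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
EOF
}

# The log line quoted in the message.
SAMPLE_LOG='Feb 3 10:53:43 kdc2 server: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/sasl2/libgssapiv2.so.2: Undefined symbol "gss_nt_service_name"'

# Demo on the embedded samples; on a live host: pluginviewer -s | gssapi_loaded
sample_pluginviewer | gssapi_loaded && echo "GSSAPI: loaded"
echo "no NO_PLAINTEXT flag: $(sample_pluginviewer | plaintext_mechs)"
printf '%s\n' "$SAMPLE_LOG" | sasl_dlopen_failures
```

Run against /var/log/messages, sasl_dlopen_failures names the plugin and the missing symbol, which shows which library set the plugin was linked against incorrectly.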