From: Benjamin Kaduk <kaduk@mit.edu>
To: Garrett Wollman
Cc: freebsd-fs@freebsd.org
Subject: Re: Anyone managed to build a static gssd?
Date: Sun, 7 Jan 2018 13:08:02 -0600
Message-ID: <20180107190802.GD25484@kduck.kaduk.org>
In-Reply-To: <23121.48634.348216.421634@hergotha.csail.mit.edu>

On Sun, Jan 07, 2018 at 01:28:10AM -0500, Garrett Wollman wrote:
> I'm interested in experimenting with GSSAPI security for NFS mounts,
> but we run MIT Kerberos, not Heimdal. AIUI, the kernel code has to
> have the same data structures as the userland code in gssd, which
> implies that gssd has to be built against Heimdal libraries, not MIT.
I think you might want to test that hypothesis experimentally -- both
Heimdal and MIT have gss_export_lucid_sec_context(), which generates the
gss_krb5_lucid_context_v1_t data type, which seems to be defined
identically between them. AIUI, this "lucid" (i.e., non-opaque) type is
what is used for sending the GSS information into the kernel.

-Ben

> Has anyone managed to build a gssd executable that is linked
> statically against all the Heimdal libraries? I attempted to do this
> (in a chroot initialized with stock 11.1) but ended up with something
> that still tries to dlopen libgssapi.so.10, which obviously isn't
> going to work.
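A quick way to check what a "static" build actually produced, as an added example that is not from this thread or from FreeBSD: a small Python ELF64 inspector that reports whether a binary still carries a PT_INTERP/PT_DYNAMIC segment (i.e. is really dynamically linked) and whether it embeds a library name such as libgssapi.so.10 that it could still dlopen() at run time. The ELF images it inspects are constructed inline as sample input; the soname scan is a heuristic over the whole file.

```python
"""Inspect an ELF64 image for dynamic linkage and embedded dlopen() targets.
Constructed example, not code from the gssd sources or the thread."""
import struct

PT_DYNAMIC, PT_INTERP = 2, 3          # program header types from the ELF spec


def elf_linkage_report(data: bytes, soname_hint: bytes = b"libgssapi.so") -> dict:
    """Return linkage facts about a little- or big-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        return {"is_elf": False}
    if data[4] != 2:                                   # EI_CLASS: 2 == ELFCLASS64
        raise ValueError("only ELF64 is handled in this example")
    endian = "<" if data[5] == 1 else ">"              # EI_DATA: 1 == little-endian
    (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    has_interp = has_dynamic = False
    for i in range(e_phnum):                           # walk the program headers
        (p_type,) = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)
        has_interp |= p_type == PT_INTERP
        has_dynamic |= p_type == PT_DYNAMIC
    return {
        "is_elf": True,
        "has_interp": has_interp,                      # needs a run-time loader
        "has_dynamic": has_dynamic,                    # has a .dynamic section
        "mentions_soname": soname_hint in data,        # heuristic: name a dlopen() could use
    }


def verdict(report: dict) -> str:
    """Summarise a report: 'dynamic', 'static' or 'static-with-dlopen-hint'."""
    if not report.get("is_elf"):
        return "not-elf"
    if report["has_interp"] or report["has_dynamic"]:
        return "dynamic"
    return "static-with-dlopen-hint" if report["mentions_soname"] else "static"


def build_elf64(program_types, payload: bytes = b"") -> bytes:
    """Construct a minimal little-endian ELF64 image (sample input only; not runnable)."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1                # ELFCLASS64, little-endian, EV_CURRENT
    struct.pack_into("<H", ehdr, 0x10, 2)              # e_type = ET_EXEC
    struct.pack_into("<Q", ehdr, 0x20, 64)             # e_phoff: headers follow the ELF header
    struct.pack_into("<H", ehdr, 0x36, 56)             # e_phentsize for ELF64
    struct.pack_into("<H", ehdr, 0x38, len(program_types))
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in program_types)
    return bytes(ehdr) + phdrs + payload
```

Run it on a real build with `elf_linkage_report(open(path, "rb").read())`; a binary reported as static-with-dlopen-hint matches the symptom described in the thread.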