FreeBSD 8.2: state of Kerberos, GSS-API and (Cyrus) SASL?

Vallo Kallaste kalts at estpak.ee
Thu Feb 3 18:18:38 UTC 2011


On Mon, Jan 31, 2011 at 05:43:20PM +0100, Jan Henrik Sylvester
<me at janh.de> wrote:

> GSSAPI of Heimdal 1.1 in FreeBSD base is still broken, GSSAPI of
> Heimdal 1.4 in ports is supposed to work, but I have not been
> successful with Cyrus SASL (see below).
> 
> >KDC up and working on 8.2-RC2 base Heimdal without any glitch, but
> >this is to be expected. What's the state about GSS-API and
> >cyrus-sasl2 integration with base Heimdal? With ports Heimdal? Can I
> >replace base Heimdal with one from ports, is it supported? Any
> >make.conf knobs to fiddle with? Any info appreciated.
> 
> I am struggling with exactly the same problem. Unfortunately, I got
> no reply on this list about it:
> 
> http://lists.freebsd.org/pipermail/freebsd-questions/2011-January/226495.html
> 
> If you get any further, please, tell me. I am thinking about
> reposting my question to a different list: stable as that is where
> the earlier discussions happened or ports as that seems more
> appropriate.
> 
> What I have not tried, yet, is using MIT Kerberos from ports instead
> of Heimdal, but since we use Heimdal here for everything, I am kind
> of reluctant. (Otherwise, I would have to set up some Linux
> server...)
> 
This is what I have done so far.
I used the patches from
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/152030
and instructions from
http://forum.nginx.org/read.php?23,1289579281,newer
As a side remark, no matter how I try this freebsd-questions
thread will not show up by using the search engine:
http://www.freebsd.org/search/search.html#mailinglists

After installing 8.2-RC2 I csup'ed RELENG_8 sources and a fresh ports
tree, built and installed new world by using the instructions in the
handbook. With new kernel, mergemaster x2 and all that stuff.
Then I set WITHOUT_KERBEROS=1 in /etc/src.conf and repeated
build-installworld. After completing and reboot I hunted down as
many base Heimdal bits as I could and sent 'em to binary heaven:

/usr/include:
asn1_err.h
heim_asn1.h
cms_asn1.h
rfc2459_asn1.h
krb5_asn1.h
pkinit_asn1.h
pkcs8_asn1.h
pkcs9_asn1.h
pkcs12_asn1.h
digest_asn1.h
kx509_asn1.h
hdb-private.h
hdb-protos.h
hdb.h
hdb_asn1.h
hdb_err.h
heimntlm.h
heimntlm-protos.h
hx509-private.h
hx509-protos.h
hx509.h
hx509_err.h
ocsp_asn1.h
pkcs10_asn1.h
kafs.h
heim_err.h
heim_threads.h
k524_err.h
krb5-protos.h
krb5-types.h
krb5.h
krb5_err.h
krb5-v4compat.h
krb_err.h
roken.h
roken-common.h
gssapi.h
kadm5/
gssapi/

/usr/lib:
libroken.a
libroken.so
libroken.so.10
libroken_p.a
libkadm5srv.a
libkadm5srv.so
libkadm5srv.so.10
libkadm5srv_p.a
libkafs5.a
libkafs5.so
libkafs5.so.10
libkafs5_p.a
libkrb5.a
libkrb5.so
libkrb5.so.10
libkrb5_p.a
libgssapi_krb5.a
libgssapi_krb5.so
libgssapi_krb5.so.10
libgssapi_krb5_p.a
libgssapi_ntlm.a
libgssapi_ntlm.so
libgssapi_ntlm.so.10
libgssapi_ntlm_p.a
libgssapi_spnego.a
libgssapi_spnego.so
libgssapi_spnego.so.10
libgssapi_spnego_p.a
libhdb.a
libhdb.so
libhdb.so.10
libhdb_p.a
libheimntlm.a
libheimntlm.so
libheimntlm.so.10
libheimntlm_p.a
libhx509.a
libhx509.so
libhx509.so.10
libhx509_p.a
libkadm5clnt.a
libkadm5clnt.so
libkadm5clnt.so.10
libkadm5clnt_p.a
libasn1.a
libasn1.so
libasn1.so.10
libasn1_p.a
pam_krb5.so
pam_krb5.so.5
pam_ksu.so
pam_ksu.so.5
libgssapi.a
libgssapi.so
libgssapi.so.10
libgssapi_p.a
librpcsec_gss.a
librpcsec_gss.so
librpcsec_gss.so.1

/usr/share/man/man1:
kdestroy.1.gz
kinit.1.gz
klist.1.gz
kpasswd.1.gz
krb5-config.1.gz

/usr/share/man/man3:
gssapi.3.gz
gss_accept_sec_context.3.gz
gss_acquire_cred.3.gz
gss_add_cred.3.gz
gss_add_oid_set_member.3.gz
gss_canonicalize_name.3.gz
gss_compare_name.3.gz
gss_context_time.3.gz
gss_create_empty_oid_set.3.gz
gss_delete_sec_context.3.gz
gss_display_name.3.gz
gss_display_status.3.gz
gss_duplicate_name.3.gz
gss_export_name.3.gz
gss_export_sec_context.3.gz
gss_get_mic.3.gz
gss_import_name.3.gz
gss_import_sec_context.3.gz
gss_indicate_mechs.3.gz
gss_init_sec_context.3.gz
gss_inquire_context.3.gz
gss_inquire_cred.3.gz
gss_inquire_cred_by_mech.3.gz
gss_inquire_mechs_for_name.3.gz
gss_inquire_names_for_mech.3.gz
gss_process_context_token.3.gz
gss_release_buffer.3.gz
gss_release_cred.3.gz
gss_release_name.3.gz
gss_release_oid_set.3.gz
gss_test_oid_set_member.3.gz
gss_unwrap.3.gz
gss_verify_mic.3.gz
gss_wrap.3.gz
gss_wrap_size_limit.3.gz
gss_sign.3.gz
gss_unseal.3.gz
gss_verify.3.gz
gss_seal.3.gz
rpcsec_gss.3.gz
rpc_gss_seccreate.3.gz
rpc_gss_set_defaults.3.gz
rpc_gss_max_data_length.3.gz
rpc_gss_get_error.3.gz
rpc_gss_mech_to_oid.3.gz
rpc_gss_oid_to_mech.3.gz
rpc_gss_qop_to_num.3.gz
rpc_gss_get_mechanisms.3.gz
rpc_gss_get_mech_info.3.gz
rpc_gss_get_versions.3.gz
rpc_gss_is_installed.3.gz
rpc_gss_set_svc_name.3.gz
rpc_gss_getcred.3.gz
rpc_gss_set_callback.3.gz
rpc_gss_get_principal_name.3.gz
rpc_gss_svc_max_data_length.3.gz
kafs5.3.gz
k_afs_cell_of_file.3.gz
k_hasafs.3.gz
k_pioctl.3.gz
k_setpag.3.gz
k_unlog.3.gz
kafs.3.gz
kafs_set_verbose.3.gz
kafs_settoken.3.gz
kafs_settoken5.3.gz
kafs_settoken_rxkad.3.gz
krb5_afslog.3.gz
krb5_afslog_uid.3.gz
krb_afslog.3.gz
krb_afslog_uid.3.gz
krb5.3.gz
krb524_convert_creds_kdc.3.gz
krb5_425_conv_principal.3.gz
krb5_acl_match_file.3.gz
krb5_address.3.gz
krb5_aname_to_localname.3.gz
krb5_appdefault.3.gz
krb5_auth_context.3.gz
krb5_c_make_checksum.3.gz
krb5_ccache.3.gz
krb5_check_transited.3.gz
krb5_compare_creds.3.gz
krb5_config.3.gz
krb5_context.3.gz
krb5_create_checksum.3.gz
krb5_creds.3.gz
krb5_crypto_init.3.gz
krb5_data.3.gz
krb5_digest.3.gz
krb5_eai_to_heim_errno.3.gz
krb5_encrypt.3.gz
krb5_expand_hostname.3.gz
krb5_find_padata.3.gz
krb5_generate_random_block.3.gz
krb5_get_all_client_addrs.3.gz
krb5_get_credentials.3.gz
krb5_get_creds.3.gz
krb5_get_forwarded_creds.3.gz
krb5_get_in_cred.3.gz
krb5_get_init_creds.3.gz
krb5_get_krbhst.3.gz
krb5_getportbyname.3.gz
krb5_init_context.3.gz
krb5_is_thread_safe.3.gz
krb5_keyblock.3.gz
krb5_keytab.3.gz
krb5_krbhst_init.3.gz
krb5_kuserok.3.gz
krb5_mk_req.3.gz
krb5_mk_safe.3.gz
krb5_openlog.3.gz
krb5_parse_name.3.gz
krb5_principal.3.gz
krb5_rcache.3.gz
krb5_rd_error.3.gz
krb5_rd_safe.3.gz
krb5_set_default_realm.3.gz
krb5_set_password.3.gz
krb5_storage.3.gz
krb5_string_to_key.3.gz
krb5_ticket.3.gz
krb5_timeofday.3.gz
krb5_unparse_name.3.gz
krb5_verify_init_creds.3.gz
krb5_verify_user.3.gz
krb5_warn.3.gz
krb5_425_conv_principal_ext.3.gz
krb5_524_conv_principal.3.gz
krb5_addr2sockaddr.3.gz
krb5_address_compare.3.gz
krb5_address_order.3.gz
krb5_address_search.3.gz
krb5_addresses.3.gz
krb5_anyaddr.3.gz
krb5_append_addresses.3.gz
krb5_copy_address.3.gz
krb5_copy_addresses.3.gz
krb5_free_address.3.gz
krb5_free_addresses.3.gz
krb5_h_addr2addr.3.gz
krb5_h_addr2sockaddr.3.gz
krb5_make_addrport.3.gz
krb5_max_sockaddr_size.3.gz
krb5_parse_address.3.gz
krb5_print_address.3.gz
krb5_sockaddr2address.3.gz
krb5_sockaddr2port.3.gz
krb5_sockaddr_uninteresting.3.gz
krb5_appdefault_boolean.3.gz
krb5_appdefault_string.3.gz
krb5_appdefault_time.3.gz
krb5_auth_con_free.3.gz
krb5_auth_con_genaddrs.3.gz
krb5_auth_con_getaddrs.3.gz
krb5_auth_con_getflags.3.gz
krb5_auth_con_getkey.3.gz
krb5_auth_con_getlocalsubkey.3.gz
krb5_auth_con_getrcache.3.gz
krb5_auth_con_getremotesubkey.3.gz
krb5_auth_con_getuserkey.3.gz
krb5_auth_con_init.3.gz
krb5_auth_con_initivector.3.gz
krb5_auth_con_setaddrs.3.gz
krb5_auth_con_setaddrs_from_fd.3.gz
krb5_auth_con_setflags.3.gz
krb5_auth_con_setivector.3.gz
krb5_auth_con_setkey.3.gz
krb5_auth_con_setlocalsubkey.3.gz
krb5_auth_con_setrcache.3.gz
krb5_auth_con_setremotesubkey.3.gz
krb5_auth_con_setuserkey.3.gz
krb5_auth_getauthenticator.3.gz
krb5_auth_getcksumtype.3.gz
krb5_auth_getkeytype.3.gz
krb5_auth_getlocalseqnumber.3.gz
krb5_auth_getremoteseqnumber.3.gz
krb5_auth_setcksumtype.3.gz
krb5_auth_setkeytype.3.gz
krb5_auth_setlocalseqnumber.3.gz
krb5_auth_setremoteseqnumber.3.gz
krb5_cc_close.3.gz
krb5_cc_copy_cache.3.gz
krb5_cc_cursor.3.gz
krb5_cc_default.3.gz
krb5_cc_default_name.3.gz
krb5_cc_destroy.3.gz
krb5_cc_end_seq_get.3.gz
krb5_cc_gen_new.3.gz
krb5_cc_get_name.3.gz
krb5_cc_get_ops.3.gz
krb5_cc_get_principal.3.gz
krb5_cc_get_type.3.gz
krb5_cc_get_version.3.gz
krb5_cc_initialize.3.gz
krb5_cc_next_cred.3.gz
krb5_cc_ops.3.gz
krb5_cc_register.3.gz
krb5_cc_remove_cred.3.gz
krb5_cc_resolve.3.gz
krb5_cc_retrieve_cred.3.gz
krb5_cc_set_default_name.3.gz
krb5_cc_set_flags.3.gz
krb5_cc_store_cred.3.gz
krb5_fcc_ops.3.gz
krb5_mcc_ops.3.gz
krb5_config_get_bool_default.3.gz
krb5_config_get_int_default.3.gz
krb5_config_get_string_default.3.gz
krb5_config_get_time_default.3.gz
krb5_checksum_is_collision_proof.3.gz
krb5_checksum_is_keyed.3.gz
krb5_checksumsize.3.gz
krb5_verify_checksum.3.gz
krb5_crypto_destroy.3.gz
krb5_copy_data.3.gz
krb5_data_alloc.3.gz
krb5_data_copy.3.gz
krb5_data_free.3.gz
krb5_data_realloc.3.gz
krb5_data_zero.3.gz
krb5_free_data.3.gz
krb5_free_data_contents.3.gz
krb5_decrypt.3.gz
krb5_decrypt_EncryptedData.3.gz
krb5_encrypt_EncryptedData.3.gz
krb5_get_all_server_addrs.3.gz
krb5_free_krbhst.3.gz
krb5_get_krb524hst.3.gz
krb5_get_krb_admin_hst.3.gz
krb5_get_krb_changepw_hst.3.gz
krb5_free_context.3.gz
krb5_keytab_entry.3.gz
krb5_kt_add_entry.3.gz
krb5_kt_close.3.gz
krb5_kt_compare.3.gz
krb5_kt_copy_entry_contents.3.gz
krb5_kt_cursor.3.gz
krb5_kt_default.3.gz
krb5_kt_default_name.3.gz
krb5_kt_end_seq_get.3.gz
krb5_kt_free_entry.3.gz
krb5_kt_get_entry.3.gz
krb5_kt_get_name.3.gz
krb5_kt_get_type.3.gz
krb5_kt_next_entry.3.gz
krb5_kt_ops.3.gz
krb5_log.3.gz
krb5_kt_read_service_key.3.gz
krb5_kt_register.3.gz
krb5_kt_remove_entry.3.gz
krb5_kt_resolve.3.gz
krb5_kt_start_seq_get.3.gz
krb5_krbhst_format_string.3.gz
krb5_krbhst_free.3.gz
krb5_krbhst_get_addrinfo.3.gz
krb5_krbhst_next.3.gz
krb5_krbhst_next_as_string.3.gz
krb5_krbhst_reset.3.gz
krb5_addlog_dest.3.gz
krb5_addlog_func.3.gz
krb5_closelog.3.gz
krb5_initlog.3.gz
krb5_log_msg.3.gz
krb5_vlog.3.gz
krb5_vlog_msg.3.gz
krb5_get_default_principal.3.gz
krb5_build_principal.3.gz
krb5_build_principal_ext.3.gz
krb5_build_principal_va.3.gz
krb5_build_principal_va_ext.3.gz
krb5_copy_principal.3.gz
krb5_free_principal.3.gz
krb5_make_principal.3.gz
krb5_parse_name_flags.3.gz
krb5_parse_nametype.3.gz
krb5_princ_realm.3.gz
krb5_princ_set_realm.3.gz
krb5_principal_compare.3.gz
krb5_principal_compare_any_realm.3.gz
krb5_principal_get_comp_string.3.gz
krb5_principal_get_realm.3.gz
krb5_principal_get_type.3.gz
krb5_principal_match.3.gz
krb5_principal_set_type.3.gz
krb5_realm_compare.3.gz
krb5_sname_to_principal.3.gz
krb5_sock_to_principal.3.gz
krb5_unparse_name_flags.3.gz
krb5_unparse_name_fixed.3.gz
krb5_unparse_name_fixed_flags.3.gz
krb5_unparse_name_fixed_short.3.gz
krb5_unparse_name_short.3.gz
krb5_free_host_realm.3.gz
krb5_get_default_realm.3.gz
krb5_get_default_realms.3.gz
krb5_get_host_realm.3.gz
krb5_us_timeofday.3.gz
krb5_verify_opt_init.3.gz
krb5_verify_opt_set_flags.3.gz
krb5_verify_opt_set_keytab.3.gz
krb5_verify_opt_set_secure.3.gz
krb5_verify_opt_set_service.3.gz
krb5_verify_user_lrealm.3.gz
krb5_verify_user_opt.3.gz
krb5_err.3.gz
krb5_errx.3.gz
krb5_set_warn_dest.3.gz
krb5_verr.3.gz
krb5_verrx.3.gz
krb5_vwarn.3.gz
krb5_vwarnx.3.gz
krb5_warnx.3.gz

/usr/share/man/man5:
krb5.conf.5.gz
mech.5.gz
qop.5.gz

/usr/share/man/man8:
gssd.8.gz
kadmin.8.gz
kstash.8.gz
ktutil.8.gz
verify_krb5_conf.8.gz
hprop.8.gz
hpropd.8.gz
kadmind.8.gz
kcm.8.gz
kdc.8.gz
kpasswdd.8.gz
kerberos.8.gz
pam_krb5.8.gz
pam_ksu.8.gz

/usr/bin:
kadmin
kdestroy
kinit
klist
kpasswd
krb5-config
ksu
verify_krb5_conf

/usr/sbin:
gssd
kstash
ktutil

/usr/libexec:
ipropd-master
ipropd-slave
hprop
hpropd
kadmind
kdc
kpasswdd
kcm

/usr/share/info:
heimdal.info.gz

/etc:
gss/ (I let this be)


Next step was to install the security/heimdal port. The latest Heimdal
port has the capability to provide Kerberos for the base system build.
In other words, the Heimdal port installed into /usr/local can replace
base system Kerberos.
After installing Heimdal port I patched base system sources with
8-STABLE patch provided by Joerg Pulz in PR ports/152030. Then set
WITH_KERBEROS_PORT=1 (in addition to WITHOUT_KERBEROS=1) in
src.conf, HEIMDAL_HOME=/usr/local in /etc/make.conf, then built and
installed world. It worked well.

But after installing security/cyrus-sasl2 the included pluginviewer
reported that GSSAPI isn't one of the supported SASL mechanisms.
Although the /usr/local/lib/sasl2/libgssapiv2.so.2 module is present,
it will not be loaded, and the errors can be seen in /var/log/messages:
Feb  3 10:53:43 kdc2 server: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/sasl2/libgssapiv2.so.2: Undefined symbol "gss_nt_service_name"

This can be cured by using yet another patch by Joerg Pulz in PR
ports/152071. This did not apply cleanly and I did it by hand. The
diff against cyrus-sasl-2.1.23.tar.gz distribution 'configure'
follows, replace the security/cyrus-sasl2/files/patch-configure with
this:
======================================================================
--- configure.dist	2011-02-03 18:17:18.000000000 +0200
+++ configure	2011-02-03 18:16:36.000000000 +0200
@@ -1586,6 +1586,7 @@
 fi
 echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
+program_prefix=NONE
 test "$program_prefix" != NONE &&
   program_transform_name="s,^,$program_prefix,;$program_transform_name"
 # Use a double $ so make ignores it.
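Review bot: the unconditional program_prefix=NONE added at line 1589 makes the test on the very next line always false, so any --program-prefix given to configure is silently dropped. If the port must never rename installed programs, put a comment next to the assignment saying so; otherwise only force NONE when no prefix was requested.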
@@ -5147,7 +5148,7 @@
 	fi
 
 	saved_LIBS=$LIBS
-        for dbname in db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db
+        for dbname in ${with_bdb} db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db
           do
 	    LIBS="$saved_LIBS -l$dbname"
 	    cat >conftest.$ac_ext <<_ACEOF
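Review bot: ${with_bdb} goes to the head of the 'for dbname in' list unchecked, and every entry is turned into -l$dbname on the LIBS line below. An empty value is harmless, but a value that is not a library name (for example 'yes' or a directory) becomes a bogus -l argument for the first link test; prepend it only when it names a library. The identical edit in the hunk at line 5904 needs the same guard.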
@@ -5157,6 +5158,7 @@
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+#include <stdio.h>
 #include <db.h>
 int
 main ()
@@ -5904,7 +5906,7 @@
 	fi
 
 	saved_LIBS=$LIBS
-        for dbname in db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db
+        for dbname in ${with_bdb} db-4.4 db4.4 db44 db-4.3 db4.3 db43 db-4.2 db4.2 db42 db-4.1 db4.1 db41 db-4.0 db4.0 db-4 db40 db4 db-3.3 db3.3 db33 db-3.2 db3.2 db32 db-3.1 db3.1 db31 db-3 db30 db3 db
           do
 	    LIBS="$saved_LIBS -l$dbname"
 	    cat >conftest.$ac_ext <<_ACEOF
@@ -5914,6 +5916,7 @@
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
+#include <stdio.h>
 #include <db.h>
 int
 main ()
@@ -7215,6 +7218,8 @@
   SASLAUTHD_TRUE='#'
   SASLAUTHD_FALSE=
 fi
+SASLAUTHD_TRUE='#'
+SASLAUTHD_FALSE=
 
 echo "$as_me:$LINENO: checking if I should include saslauthd" >&5
 echo $ECHO_N "checking if I should include saslauthd... $ECHO_C" >&6
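Review bot: the two assignments added after 'fi' overwrite whatever the conditional just above chose for SASLAUTHD_TRUE and SASLAUTHD_FALSE, so that conditional is now dead for these variables. Add a comment stating why the value is forced here, or remove the conditional so the script does not look configurable when it is not.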
@@ -10672,7 +10677,7 @@
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lgssapi ${GSSAPIBASE_LIBS} -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err ${LIB_SOCKET} $LIBS"
+LIBS="${GSSAPIBASE_LIBS} `krb5-config --libs gssapi` $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
 #line $LINENO "configure"
 /* confdefs.h.  */
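Review bot: the backticked 'krb5-config --libs gssapi' on the new LIBS line runs whichever krb5-config comes first in PATH, and nothing checks that it exists or exited cleanly. The post removes a krb5-config from /usr/bin and installs Heimdal under /usr/local, so a host in a half-migrated state can link against the wrong library set, and a missing binary yields an empty expansion followed by a confusing link failure. Resolve the binary once into a variable, fail early if it is absent, and reuse that variable here and in the hunk at line 11082.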
@@ -11082,7 +11087,7 @@
     GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_LIBS $gssapi_dir/libgssapi_krb5.a $gssapi_dir/libkrb5.a $gssapi_dir/libk5crypto.a $gssapi_dir/libcom_err.a ${K5SUPSTATIC}"
   elif test "$gss_impl" = "heimdal"; then
     CPPFLAGS="$CPPFLAGS -DKRB5_HEIMDAL"
-    GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err"
+    GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS `krb5-config --libs gssapi`"
     GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_STATIC_LIBS $gssapi_dir/libgssapi.a $gssapi_dir/libkrb5.a $gssapi_dir/libasn1.a $gssapi_dir/libroken.a $gssapi_dir/libcom_err.a ${LIB_CRYPT}"
   elif test "$gss_impl" = "cybersafe03"; then
 # Version of CyberSafe with two libraries
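Review bot: in the heimdal branch only GSSAPIBASE_LIBS switches to krb5-config; GSSAPIBASE_STATIC_LIBS on the following line still hard-codes libgssapi.a, libkrb5.a, libasn1.a, libroken.a and libcom_err.a under $gssapi_dir. Shared and static builds can therefore end up with different library sets; derive the static list consistently or note that static linking is not covered by this patch.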
@@ -11119,7 +11124,7 @@
 # in gssapi\rfckrb5.h
 #
 if test "$gssapi" != "no"; then
-  if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then
+  if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03" -o "$gss_impl" = "heimdal"; then
     cat >conftest.$ac_ext <<_ACEOF
 #line $LINENO "configure"
 /* confdefs.h.  */
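Review bot: heimdal is appended to a condition written for CyberSafe, while the comment block directly above it still refers only to gssapi\rfckrb5.h. Extend that comment to say why Heimdal now takes this path, and since the same three-way test is repeated in the hunk at line 11190, set one flag variable and test it in both places.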
@@ -11190,7 +11195,7 @@
 
   fi
 
-  if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then
+  if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03" -o "$gss_impl" = "heimdal"; then
     cat >conftest.$ac_ext <<_ACEOF
 #line $LINENO "configure"
 /* confdefs.h.  */
@@ -11920,7 +11925,7 @@
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpq  $LIBS"
+LIBS="-lpq $GSSAPIBASE_LIBS $LIBS"
 cat >conftest.$ac_ext <<_ACEOF
 #line $LINENO "configure"
 /* confdefs.h.  */
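Review bot: $GSSAPIBASE_LIBS is added to the -lpq link test unconditionally, so the PostgreSQL check inherits whatever krb5-config printed earlier and a bad GSSAPI library list will show up as a libpq detection failure. Add a comment explaining why libpq needs these libraries here, or append them only when $gssapi is not 'no', as the hunk at line 11119 already tests.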
======================================================================

After replacing the patch-configure, install the security/cyrus-sasl2
port and try out pluginviewer; in my case:

[root at kdc2 ~]# pluginviewer -s
Installed SASL (server side) mechanisms are:
NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "ntlm" [loaded],         API version: 4
        SASL mechanism: NTLM, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features:
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "otp" [loaded],  API version: 4
        SASL mechanism: OTP, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|FORWARD_SECRECY
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST

I have not tried yet to build and use apps which make use of
Kerberos authentication via SASL, but clearly the first step is that
pluginviewer must consider GSSAPI mechanism as worthy.
My thanks go to Joerg Pulz who did all the heavy lifting and
provided patches to the public. Thank you.
-- 
Vallo
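
The two checks the post performs by eye (the dlopen error in /var/log/messages and the GSSAPI entry in the pluginviewer output) can be scripted as below. This is an added example, not part of the original message; the function names are hypothetical, and the sample input is the log line and a trimmed copy of the pluginviewer output quoted above.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read syslog lines on stdin; print "<plugin path> <missing symbol>" for each
# SASL plugin that failed to dlopen because of an unresolved symbol.
sasl_dlopen_failures() {
    sed -n 's|.*unable to dlopen \(/[^:]*/sasl2/[^:]*\): .*Undefined symbol "\([^"]*\)".*|\1 \2|p'
}

# Read `pluginviewer -s` output on stdin. Succeed only if mechanism $1 is in
# the installed-mechanisms line and its plugin reports every security flag
# named in $2 (a |-separated list, may be empty).
sasl_mech_check() {
    awk -v mech="$1" -v want="$2" '
        /^Installed SASL/ {
            if ((getline) > 0) { n = split($0, m, " ")
                for (i = 1; i <= n; i++) if (m[i] == mech) listed = 1 }
            next
        }
        /SASL mechanism:/ { cur = $3; sub(/,$/, "", cur); next }
        /security flags:/ && cur == mech { flags = "|" $3 "|" }
        END {
            if (!listed) { print mech ": not offered"; exit 1 }
            n = split(want, w, "|")
            for (i = 1; i <= n; i++)
                if (w[i] != "" && index(flags, "|" w[i] "|") == 0) {
                    print mech ": missing flag " w[i]; exit 1
                }
            print mech ": ok"
        }'
}

# Sample input: the syslog line quoted in the post.
sample_syslog() {
    cat <<'EOF'
Feb  3 10:53:43 kdc2 server: unable to dlopen /usr/local/lib/sasl2/libgssapiv2.so.2: /usr/local/lib/sasl2/libgssapiv2.so.2: Undefined symbol "gss_nt_service_name"
EOF
}

# Sample input: the post's pluginviewer output, trimmed to two plugins.
sample_pluginviewer() {
    cat <<'EOF'
Installed SASL (server side) mechanisms are:
NTLM LOGIN ANONYMOUS PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
EOF
}

sample_syslog | sasl_dlopen_failures
sample_pluginviewer | sasl_mech_check GSSAPI "NO_PLAINTEXT|MUTUAL_AUTH"
```

On a live host, feed /var/log/messages to the first function and the output of pluginviewer -s to the second after each rebuild of the port.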