Date: Sat, 02 Aug 2025 13:33:03 -0700
From: Cy Schubert
To: freebsd-current@freebsd.org, Rick Macklem, FreeBSD CURRENT, Gleb Smirnoff, Benjamin Kaduk
Subject: Re: kgssapi and gssd patches for MIT's Kerberos
Message-ID: <447F3CFA-E4B8-4283-ACB5-DFE571F00554@cschubert.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

There is also a review in phabricator to switch the gssapi from lib/libgssapi to the MIT provided gssapi as a companion to the patches in this thread.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0

Pardon the typos. Tiny keyboard in use.

On August 1, 2025 5:21:40 p.m. PDT, Rick Macklem wrote:
>Hi,
>
>The discussion seems to have not had a mailing list on it,
>so here's what I posted.
>
>Maybe some others can do testing (or take a look at them)?
>
>Well, here's patches for testing. They are still kinda rough,
>but I'll be cleaning them up in the coming days and putting
>them in phabricator.
>
>They are attached and can also be found here...
>https://people.freebsd.org/~rmacklem/gssd.patch
>https://people.freebsd.org/~rmacklem/kgssapi.patch
>
>To make it work, I did..
># pkg install krb5
>--> The libraries in /usr/lib are broken, at least in the one
>    week old snapshot I am using for testing.
># cp /usr/include/gssapi_krb5/gssapi/gssapi.h /usr/include/gssapi
>--> So that the correct (MIT) gssapi.h is in /usr/include/gssapi.
>
>Then after patching and building, I go into...
>/usr/obj/usr/src/amd64.amd64/usr.sbin/gssd
>and then I re-link gssd with
>cc -o gssd -L/usr/local/lib gssd.pieo gssd_prot.pieo gssd_svc.pieo
>gssd_xdr.pieo -lkrb5 -lk5crypto -lkrb5profile -lkrb5support
>-lgssapi_krb5
>and then
># cp gssd /usr/sbin
>
>You might be able to just add "-L/usr/local/lib" to the gssd Makefile,
>but I didn't feel like messing with it.
>
>It now seems to be working ok, using a pre-MIT Heimdal 1.5.2 kdc
>and pre-MIT system. (I have not yet done any testing with non-FreeBSD
>systems. I have Solaris 11.4 and a fairly recent 6.12 kernel based Debian,
>but I haven't set either up for Kerberos.)
>
>Good luck with testing, rick
>ps: I'll post when cleaner patches are on phabricator.