Re: git: e26259f48afe - main - gssapi,krb5: Replace libgssapi with the MIT version
Date: Thu, 07 Aug 2025 17:21:29 UTC
Rick,
Please go ahead with your kgssapi patches. I have applied them here.
Kerberized NFS works again.
--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org
e**(i*pi)+1=0
In message <202508071717.577HHbfI052679@gitrepo.freebsd.org>, Cy Schubert
writes:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=e26259f48afe98022d885f02fbb8abcd
> 7878e41a
>
> commit e26259f48afe98022d885f02fbb8abcd7878e41a
> Author: Cy Schubert <cy@FreeBSD.org>
> AuthorDate: 2025-07-31 16:51:20 +0000
> Commit: Cy Schubert <cy@FreeBSD.org>
> CommitDate: 2025-08-07 17:17:00 +0000
>
> gssapi,krb5: Replace libgssapi with the MIT version
>
> lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
> libgssapi_krb5 replaces it. With both gssapi libraries and header files
> installed results in broken buildworld (gssd) and ports that will not
> build without modifications to support the MIT gssapi in an alternate
> location.
>
> 73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
> MIT KRB5 gssapi functions and structures will fail to build without this
> patch.
>
> This patch includes a temporary patch to usr.sbin/gssd to allow it
> to build with this patch. rmacklem@ has a patch for this and for
> kgssapi that uses this patch to resolve kgssapi issues for NFS with
> Kerberos.
>
> This patch is an updated version of D51661 to allow it to build following
> additional patches to the tree.
>
> This should have been implemented with 7e35117eb07f.
>
> Fixes: 7e35117eb07f, 73ed0c7992fd
> Differential Revision: https://reviews.freebsd.org/D51661
> ---
> Makefile.inc1 | 6 ++++--
> ObsoleteFiles.inc | 6 ++++++
> etc/gss-krb5/Makefile | 2 +-
> etc/gss-krb5/qop | 1 -
> etc/mtree/BSD.include.dist | 4 ----
> include/Makefile | 2 +-
> krb5/include/Makefile | 5 ++---
> krb5/include/gssapi/Makefile | 9 ++-------
> krb5/lib/gssapi/generic/Makefile.inc | 2 +-
> lib/Makefile | 7 ++++++-
> lib/librpcsec_gss/Makefile | 6 ++++++
> secure/libexec/sshd-session/Makefile | 9 ++++-----
> secure/usr.bin/ssh/Makefile | 4 ++++
> secure/usr.sbin/sshd/Makefile | 4 ++++
> share/mk/src.libnames.mk | 4 ++++
> tools/build/mk/OptionalObsoleteFiles.inc | 3 +++
> usr.sbin/gssd/Makefile | 5 ++---
> usr.sbin/gssd/gssd.c | 3 +++
> 18 files changed, 53 insertions(+), 29 deletions(-)
>
> diff --git a/Makefile.inc1 b/Makefile.inc1
> index e6c9b49eefa3..9128d1d8ee77 100644
> --- a/Makefile.inc1
> +++ b/Makefile.inc1
> @@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L
>
> .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> .if ${MK_MITKRB5} != "no"
> -secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \
> - krb5/util/et__L lib/libmd__L krb5/util/support__L
> +secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \
> + krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L
> .else
> secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \
> kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \
> @@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__
> L kerberos5/lib/libheimbas
> lib/libsqlite3__L: lib/libthr__L
>
> .if ${MK_GSSAPI} != "no"
> +.if ${MK_MITKRB5} == "no"
> _lib_libgssapi= lib/libgssapi
> .endif
> +.endif
>
> .if ${MK_KERBEROS} != "no"
> .if ${MK_MITKRB5} != "no"
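Review bot: The new guard around `_lib_libgssapi= lib/libgssapi` is written as a second, unindented `.if`/`.endif` pair nested inside the existing `MK_GSSAPI` test, which leaves two consecutive `.endif` lines that are easy to mismatch on a later edit. include/Makefile in this same commit expresses the identical condition on one line; doing the same here, `.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no"`, would keep the two files consistent. A short comment such as `# Heimdal-based libgssapi is only built when MIT KRB5 is not selected` would also record why the variable is left empty in the MIT case.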
> diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
> index 86a449c80a76..2f63bbea5a49 100644
> --- a/ObsoleteFiles.inc
> +++ b/ObsoleteFiles.inc
> @@ -51,6 +51,12 @@
> # xargs -n1 | sort | uniq -d;
> # done
>
> +# 20250807: Replace lib/libgssapi with krb5/lib/gssapi
> +OLD_FILES+=usr/include/gssapi_krb5/gssapi/gssapi.h
> +OLD_DIRS+=usr/include/gssapi_krb5/gssapi
> +OLD_DIRS+=usr/include/gssapi_krb5
> +OLD_FILES+=etc/gssapi/qop
> +
> # 20250802: libutil bumped to 10
> OLD_LIBS+=lib/libutil.so.9
>
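Review bot: The entry `OLD_FILES+=etc/gssapi/qop` points at a directory that nothing in this commit installs into. etc/gss-krb5/Makefile sets `FILESDIR= /etc/gss`, and the matching entry added to tools/build/mk/OptionalObsoleteFiles.inc is `etc/gss/qop`. If the path is a typo, `make delete-old` will find nothing to remove for this line, so it should either read `OLD_FILES+=etc/gss/qop` or be dropped. Because ObsoleteFiles.inc is unconditional, a corrected path here would also delete /etc/gss/qop on Heimdal builds if lib/libgssapi still installs it there (not visible in this diff), so keeping only the MK_MITKRB5-guarded entry in OptionalObsoleteFiles.inc looks like the safer choice.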
> diff --git a/etc/gss-krb5/Makefile b/etc/gss-krb5/Makefile
> index 301a8e074e8c..8886ed35e281 100644
> --- a/etc/gss-krb5/Makefile
> +++ b/etc/gss-krb5/Makefile
> @@ -1,4 +1,4 @@
> -FILES= mech qop
> +FILES= mech
> NO_OBJ=
> FILESDIR= /etc/gss
>
> diff --git a/etc/gss-krb5/qop b/etc/gss-krb5/qop
> deleted file mode 100644
> index 7d5b6b8f33dd..000000000000
> --- a/etc/gss-krb5/qop
> +++ /dev/null
> @@ -1 +0,0 @@
> -GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5
> diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist
> index 0e9f739425a1..28c4d91ac1c0 100644
> --- a/etc/mtree/BSD.include.dist
> +++ b/etc/mtree/BSD.include.dist
> @@ -258,10 +258,6 @@
> ..
> gssapi
> ..
> - gssapi_krb5
> - gssapi
> - ..
> - ..
> gssrpc
> ..
> infiniband
> diff --git a/include/Makefile b/include/Makefile
> index af7ef2337941..2792d594a888 100644
> --- a/include/Makefile
> +++ b/include/Makefile
> @@ -293,7 +293,7 @@ LSUBSUBDIRS+= netgraph/bluetooth/include
> LSUBDIRS+= fs/cuse
> .endif
>
> -.if ${MK_GSSAPI} != "no"
> +.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no"
> SUBDIR+= gssapi
> INCS+= gssapi.h
> .endif
> diff --git a/krb5/include/Makefile b/krb5/include/Makefile
> index 699211b9c3c9..64c5d39b867b 100644
> --- a/krb5/include/Makefile
> +++ b/krb5/include/Makefile
> @@ -17,13 +17,12 @@ SUBDIR= krb5 gssrpc gssapi
>
> SUBDIR_PARALLEL=
>
> -INCSGROUPS= INCS
> -
> INCSDIR= ${INCLUDEDIR}
>
> .PATH: ${KRB5_DIR}/include
>
> -INCS= kdb.h \
> +INCS= gssapi.h \
> + kdb.h \
> krad.h \
> krb5.h
>
> diff --git a/krb5/include/gssapi/Makefile b/krb5/include/gssapi/Makefile
> index 4959bf78944d..b181187e9d95 100644
> --- a/krb5/include/gssapi/Makefile
> +++ b/krb5/include/gssapi/Makefile
> @@ -15,16 +15,11 @@
>
> INCSGROUPS= INCS GSSAPI_KRB5
> INCSDIR= ${INCLUDEDIR}/gssapi
> -GSSAPI_KRB5DIR= ${INCLUDEDIR}/gssapi_krb5
>
> -INCS= gssapi_alloc.h \
> +INCS= gssapi.h \
> + gssapi_alloc.h \
> gssapi_ext.h \
> gssapi_generic.h \
> gssapi_krb5.h
>
> -# This gssapi header file is only needed should an app need
> -# to build using the MIT KRB5 GSSAPI library.
> -
> -GSSAPI_KRB5= gssapi.h
> -
> .include <bsd.prog.mk>
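Review bot: `INCSGROUPS= INCS GSSAPI_KRB5` still names the GSSAPI_KRB5 group, but this hunk removes both `GSSAPI_KRB5= gssapi.h` and `GSSAPI_KRB5DIR`, so the group is now empty and has no install directory. Reduce the line to `INCSGROUPS= INCS`, or delete it as krb5/include/Makefile does in this commit, so the leftover name does not suggest that a second header location still exists.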
> diff --git a/krb5/lib/gssapi/generic/Makefile.inc b/krb5/lib/gssapi/generic/M
> akefile.inc
> index 9de18079a341..ef76172655d6 100644
> --- a/krb5/lib/gssapi/generic/Makefile.inc
> +++ b/krb5/lib/gssapi/generic/Makefile.inc
> @@ -36,7 +36,7 @@ SRCS+= disp_com_err_status.c \
> INCSGROUPS= GSSAPI_INCS
> GSSAPI_INCS= gssapi.h
> INCS+= ${GENI}
> -GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi_krb5/gssapi
> +GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi
>
> CLEANFILES+= gssapi.h ${GGEN} ${GGENI}
>
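Review bot: With `GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi`, this makefile now installs `gssapi.h` to the same path that krb5/include/gssapi/Makefile installs it to after this commit (`INCS= gssapi.h ...` with `INCSDIR= ${INCLUDEDIR}/gssapi`). Two makefiles owning one installed file makes the final header depend on install order and can surface as a duplicate entry in package manifests. It is worth confirming that both copies are the same generated header and then installing it from one place only, with a comment at that place naming it as the owner of `${INCLUDEDIR}/gssapi/gssapi.h`.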
> diff --git a/lib/Makefile b/lib/Makefile
> index e5139b312a75..9447cc4551c0 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat= libkvm
> SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil
> SUBDIR_DEPEND_libedit= ncurses
> SUBDIR_DEPEND_libgeom= libexpat libsbuf
> +.if ${MK_MITKRB5} == "no"
> SUBDIR_DEPEND_librpcsec_gss= libgssapi
> +.endif
> SUBDIR_DEPEND_libmagic= libz
> SUBDIR_DEPEND_libmemstat= libkvm
> SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil ${
> _libypclnt} ${_libcom_err}
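Review bot: In the MIT case `SUBDIR_DEPEND_librpcsec_gss` is now left unset, yet lib/librpcsec_gss/Makefile switches to `LIBADD= gssapi_krb5` in this same commit, so the library it links against has no ordering declared here. libgssapi_krb5 is built under krb5/lib, outside this directory, so SUBDIR_DEPEND cannot express it, and the only ordering edge visible in this diff is the one added for `secure/lib/libssh__L` in Makefile.inc1. I cannot tell from the diff whether a parallel buildworld always finishes krb5/lib/gssapi before lib/librpcsec_gss, so please confirm that. A comment next to the conditional, such as `# MIT: librpcsec_gss links gssapi_krb5, which is built from krb5/lib`, would record where the dependency went.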
> @@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+= libdpv libfigpar
> SUBDIR.${MK_FDT}+= libfdt
> SUBDIR.${MK_FILE}+= libmagic
> SUBDIR.${MK_GPIO}+= libgpio
> -SUBDIR.${MK_GSSAPI}+= libgssapi librpcsec_gss
> +.if ${MK_MITKRB5} == "no"
> +SUBDIR.${MK_GSSAPI}+= libgssapi
> +.endif
> +SUBDIR.${MK_GSSAPI}+= librpcsec_gss
> SUBDIR.${MK_ICONV}+= libiconv_modules
> .if ${MK_MITKRB5} == "no"
> SUBDIR.${MK_KERBEROS_SUPPORT}+= libcom_err
> diff --git a/lib/librpcsec_gss/Makefile b/lib/librpcsec_gss/Makefile
> index a29d9780c1ab..eebc975acbd2 100644
> --- a/lib/librpcsec_gss/Makefile
> +++ b/lib/librpcsec_gss/Makefile
> @@ -1,10 +1,16 @@
> +.include <src.opts.mk>
> +
> PACKAGE=lib${LIB}
> LIB= rpcsec_gss
> SHLIB_MAJOR= 1
> SRCS+= rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c rpcsec_gss_mis
> c.c \
> svc_rpcsec_gss.c
>
> +.if ${MK_MITKRB5} == "no"
> LIBADD= gssapi
> +.else
> +LIBADD= gssapi_krb5
> +.endif
>
> VERSION_DEF= ${SRCTOP}/lib/libc/Versions.def
> SYMBOL_MAPS= ${.CURDIR}/Symbol.map
> diff --git a/secure/libexec/sshd-session/Makefile b/secure/libexec/sshd-sessi
> on/Makefile
> index 8841cace5239..37e099794bd5 100644
> --- a/secure/libexec/sshd-session/Makefile
> +++ b/secure/libexec/sshd-session/Makefile
> @@ -39,15 +39,14 @@ LDFLAGS+=-L${LIBBLACKLISTDIR}
> .endif
>
> .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> -LIBADD+= gssapi_krb5 gssapi krb5
> .if ${MK_MITKRB5} != "no"
> +LIBADD+= gssapi_krb5 krb5
> .include "../../krb5/Makefile.inc"
> CFLAGS+= -I${KRB5_DIR}/include \
> -I${KRB5_SRCTOP}/include \
> - -I${KRB5_OBJTOP}/lib \
> - -I${KRB5_DIR}/lib/gssapi/generic \
> - -I${KRB5_DIR}/lib/gssapi/krb5 \
> - -I${KRB5_DIR}/lib/gssapi/mechglue
> + -I${KRB5_OBJTOP}/lib
> +.else
> +LIBADD+= gssapi_krb5 gssapi krb5
> .endif
> .endif
>
> diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
> index acb1fd4eaa25..a4f36d0fe2df 100644
> --- a/secure/usr.bin/ssh/Makefile
> +++ b/secure/usr.bin/ssh/Makefile
> @@ -18,7 +18,11 @@ SRCS+= gss-genr.c
> LIBADD= ssh
>
> .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> +.if ${MK_MITKRB5} == "no"
> LIBADD+= gssapi
> +.else
> +LIBADD+= gssapi_krb5
> +.endif
> .endif
>
> LIBADD+= crypto
> diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
> index e6913cd9d0d6..f37dfe1c1b3a 100644
> --- a/secure/usr.sbin/sshd/Makefile
> +++ b/secure/usr.sbin/sshd/Makefile
> @@ -19,7 +19,11 @@ moduli: .MADE
> LIBADD= ssh util
>
> .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> +.if ${MK_MITKRB5} == "no"
> LIBADD+= gssapi_krb5 gssapi krb5
> +.else
> +LIBADD+= gssapi_krb5 krb5
> +.endif
> .endif
>
> .if ${MK_TCP_WRAPPERS} != "no"
> diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
> index 283a99496b9f..9ca043e7733c 100644
> --- a/share/mk/src.libnames.mk
> +++ b/share/mk/src.libnames.mk
> @@ -472,7 +472,11 @@ _DP_ncursesw= tinfow
> _DP_formw= ncursesw
> _DP_nvpair= spl
> _DP_panelw= ncursesw
> +.if ${MK_MITKRB5} == "no"
> _DP_rpcsec_gss= gssapi
> +.else
> +_DP_rpcsec_gss= gssapi_krb5
> +.endif
> _DP_smb= kiconv
> _DP_ulog= md
> _DP_fifolog= z
> diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/Option
> alObsoleteFiles.inc
> index aa6d04f1cc43..8e5ac7fa2a63 100644
> --- a/tools/build/mk/OptionalObsoleteFiles.inc
> +++ b/tools/build/mk/OptionalObsoleteFiles.inc
> @@ -4836,6 +4836,7 @@ OLD_FILES+=usr/share/man/man8/sserver.8.gz
> .else
> .if ${MK_MITKRB5} != "no"
> # Remove Heimdal because we want MIT KRB5 but not Heimdal
> +OLD_FILES+=etc/gss/qop
> OLD_FILES+=etc/rc.d/ipropd_master
> OLD_FILES+=etc/rc.d/ipropd_slave
> OLD_FILES+=usr/bin/asn1_compile
> @@ -4921,6 +4922,8 @@ OLD_LIBS+=usr/lib/libasn1.so.11
> OLD_FILES+=usr/lib/libasn1_p.a
> OLD_LIBS+=usr/lib/libcom_err.so.5
> OLD_FILES+=usr/lib/libcom_err_p.a
> +OLD_LIBS+=usr/lib/libgssapi.a
> +OLD_LIBS+=usr/lib/libgssapi.so.10
> OLD_LIBS+=usr/lib/libgssapi_krb5.so.10
> OLD_FILES+=usr/lib/libgssapi_krb5_p.a
> OLD_FILES+=usr/lib/libgssapi_mech.a
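Review bot: `OLD_LIBS+=usr/lib/libgssapi.a` files a static archive under OLD_LIBS, while the neighbouring entries list archives under OLD_FILES (`OLD_FILES+=usr/lib/libasn1_p.a`, `OLD_FILES+=usr/lib/libgssapi_mech.a`) and keep OLD_LIBS for versioned shared objects. Changing it to `OLD_FILES+=usr/lib/libgssapi.a` would have the archive removed by `delete-old` together with the headers. As written, the stale Heimdal-based archive stays linkable until `delete-old-libs` is run.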
> diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile
> index 569e2c7e18f5..336a1b49f696 100644
> --- a/usr.sbin/gssd/Makefile
> +++ b/usr.sbin/gssd/Makefile
> @@ -9,15 +9,14 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
> CFLAGS+= -I.
> WARNS?= 1
>
> -LIBADD= gssapi
> .if ${MK_KERBEROS_SUPPORT} != "no"
> .if ${MK_MITKRB5} != "no"
> # MIT KRB5
> -LIBADD+= krb5 k5crypto krb5profile krb5support
> +LIBADD+= gssapi_krb5 krb5 k5crypto krb5profile krb5support
> CFLAGS+= -DMK_MITKRB5=yes
> .else
> # Heimdal
> -LIBADD+= krb5 roken
> +LIBADD+= gssapi krb5 roken
> .endif
> .else
> CFLAGS+= -DWITHOUT_KERBEROS
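Review bot: Removing the unconditional `LIBADD= gssapi` leaves the `MK_KERBEROS_SUPPORT == "no"` branch with no GSS library at all: the only visible line there is `CFLAGS+= -DWITHOUT_KERBEROS`, while gssd.c still includes `<gssapi/gssapi.h>`. If gssd can be built with GSSAPI enabled and Kerberos support disabled, that configuration linked against libgssapi before this change and would now presumably fail at link time. Adding `LIBADD+= gssapi` to that branch, guarded by `MK_MITKRB5 == "no"` since lib/Makefile no longer builds libgssapi otherwise, would restore it. The conditional closes outside this hunk, so a later line may already cover this.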
> diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c
> index 94eb6ca575c8..2a3af05496cf 100644
> --- a/usr.sbin/gssd/gssd.c
> +++ b/usr.sbin/gssd/gssd.c
> @@ -53,6 +53,9 @@
> #include <arpa/inet.h>
> #include <netinet/in.h>
> #include <gssapi/gssapi.h>
> +#ifdef MK_MITKRB5
> +#include <gssapi/gssapi_krb5.h>
> +#endif
> #include <rpc/rpc.h>
> #include <rpc/rpc_com.h>
>
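Review bot: The `#ifdef MK_MITKRB5` guard has no comment saying where the macro comes from, and it borrows the name of a make option while only testing definedness, so a future `-DMK_MITKRB5=no` would still pull in the MIT header. It works today because usr.sbin/gssd/Makefile passes `-DMK_MITKRB5=yes` only in the MIT branch. The commit message calls the gssd change temporary, so a comment above the guard would help, for example `/* MK_MITKRB5 is set by the Makefile for MIT KRB5 builds only; temporary until the kgssapi/gssd rework lands */`.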
>