From: Cy Schubert
To: Rick Macklem
Cc: Cy Schubert, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: e26259f48afe - main - gssapi,krb5: Replace libgssapi with the MIT version
Date: Thu, 07 Aug 2025 10:21:29 -0700
Message-Id: <20250807172129.49D0EB7@slippy.cwsent.com>
In-reply-to: <202508071717.577HHbfI052679@gitrepo.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

Rick,

Please go ahead with your kgssapi patches. I have applied them here.
Kerberized NFS works again.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0

In message <202508071717.577HHbfI052679@gitrepo.freebsd.org>, Cy Schubert writes:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=e26259f48afe98022d885f02fbb8abcd7878e41a
>
> commit e26259f48afe98022d885f02fbb8abcd7878e41a
> Author:     Cy Schubert
> AuthorDate: 2025-07-31 16:51:20 +0000
> Commit:     Cy Schubert
> CommitDate: 2025-08-07 17:17:00 +0000
>
>     gssapi,krb5: Replace libgssapi with the MIT version
>
>     lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
>     libgssapi_krb5 replaces it. Having both gssapi libraries and header files
>     installed results in broken buildworld (gssd) and ports that will not
>     build without modifications to support the MIT gssapi in an alternate
>     location.
>
>     73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
>     MIT KRB5 gssapi functions and structures will fail to build without this
>     patch.
>
>     This patch includes a temporary patch to usr.sbin/gssd to allow it
>     to build with this patch. rmacklem@ has a patch for this and for
>     kgssapi that uses this patch to resolve kgssapi issues for NFS with
>     Kerberos.
>
>     This patch is an updated version of D51661 to allow it to build following
>     additional patches to the tree.
>
>     This should have been implemented with 7e35117eb07f.
> > Fixes: 7e35117eb07f, 73ed0c7992fd > Differential Revision: https://reviews.freebsd.org/D51661 > --- > Makefile.inc1 | 6 ++++-- > ObsoleteFiles.inc | 6 ++++++ > etc/gss-krb5/Makefile | 2 +- > etc/gss-krb5/qop | 1 - > etc/mtree/BSD.include.dist | 4 ---- > include/Makefile | 2 +- > krb5/include/Makefile | 5 ++--- > krb5/include/gssapi/Makefile | 9 ++------- > krb5/lib/gssapi/generic/Makefile.inc | 2 +- > lib/Makefile | 7 ++++++- > lib/librpcsec_gss/Makefile | 6 ++++++ > secure/libexec/sshd-session/Makefile | 9 ++++----- > secure/usr.bin/ssh/Makefile | 4 ++++ > secure/usr.sbin/sshd/Makefile | 4 ++++ > share/mk/src.libnames.mk | 4 ++++ > tools/build/mk/OptionalObsoleteFiles.inc | 3 +++ > usr.sbin/gssd/Makefile | 5 ++--- > usr.sbin/gssd/gssd.c | 3 +++ > 18 files changed, 53 insertions(+), 29 deletions(-) > > diff --git a/Makefile.inc1 b/Makefile.inc1 > index e6c9b49eefa3..9128d1d8ee77 100644 > --- a/Makefile.inc1 > +++ b/Makefile.inc1 > @@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > .if ${MK_MITKRB5} != "no" > -secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \ > - krb5/util/et__L lib/libmd__L krb5/util/support__L > +secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \ > + krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L > .else > secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \ > kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \ > @@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__ > L kerberos5/lib/libheimbas > lib/libsqlite3__L: lib/libthr__L > > .if ${MK_GSSAPI} != "no" > +.if ${MK_MITKRB5} == "no" > _lib_libgssapi= lib/libgssapi > .endif > +.endif > > .if ${MK_KERBEROS} != "no" > .if ${MK_MITKRB5} != "no" > diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc > index 86a449c80a76..2f63bbea5a49 100644 > --- a/ObsoleteFiles.inc > +++ b/ObsoleteFiles.inc 
> @@ -51,6 +51,12 @@ > # xargs -n1 | sort | uniq -d; > # done > > +# 20250807: Replace lib/libgssapi with krb5/lib/gssapi > +OLD_FILES+=usr/include/gssapi_krb5/gssapi/gssapi.h > +OLD_DIRS+=usr/include/gssapi_krb5/gssapi > +OLD_DIRS+=usr/include/gssapi_krb5 > +OLD_FILES+=etc/gssapi/qop > + > # 20250802: libutil bumped to 10 > OLD_LIBS+=lib/libutil.so.9 > > diff --git a/etc/gss-krb5/Makefile b/etc/gss-krb5/Makefile > index 301a8e074e8c..8886ed35e281 100644 > --- a/etc/gss-krb5/Makefile > +++ b/etc/gss-krb5/Makefile > @@ -1,4 +1,4 @@ > -FILES= mech qop > +FILES= mech > NO_OBJ= > FILESDIR= /etc/gss > > diff --git a/etc/gss-krb5/qop b/etc/gss-krb5/qop > deleted file mode 100644 > index 7d5b6b8f33dd..000000000000 > --- a/etc/gss-krb5/qop > +++ /dev/null > @@ -1 +0,0 @@ > -GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5 > diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist > index 0e9f739425a1..28c4d91ac1c0 100644 > --- a/etc/mtree/BSD.include.dist > +++ b/etc/mtree/BSD.include.dist > @@ -258,10 +258,6 @@ > .. > gssapi > .. > - gssapi_krb5 > - gssapi > - .. > - .. > gssrpc > .. > infiniband > diff --git a/include/Makefile b/include/Makefile > index af7ef2337941..2792d594a888 100644 > --- a/include/Makefile > +++ b/include/Makefile > @@ -293,7 +293,7 @@ LSUBSUBDIRS+= netgraph/bluetooth/include > LSUBDIRS+= fs/cuse > .endif > > -.if ${MK_GSSAPI} != "no" > +.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no" > SUBDIR+= gssapi > INCS+= gssapi.h > .endif > diff --git a/krb5/include/Makefile b/krb5/include/Makefile > index 699211b9c3c9..64c5d39b867b 100644 > --- a/krb5/include/Makefile > +++ b/krb5/include/Makefile > @@ -17,13 +17,12 @@ SUBDIR= krb5 gssrpc gssapi > > SUBDIR_PARALLEL= > > -INCSGROUPS= INCS > - > INCSDIR= ${INCLUDEDIR} > > .PATH: ${KRB5_DIR}/include > > -INCS= kdb.h \ > +INCS= gssapi.h \ > + kdb.h \ > krad.h \ > krb5.h > > diff --git a/krb5/include/gssapi/Makefile b/krb5/include/gssapi/Makefile > index 4959bf78944d..b181187e9d95 100644 
> --- a/krb5/include/gssapi/Makefile > +++ b/krb5/include/gssapi/Makefile > @@ -15,16 +15,11 @@ > > INCSGROUPS= INCS GSSAPI_KRB5 > INCSDIR= ${INCLUDEDIR}/gssapi > -GSSAPI_KRB5DIR= ${INCLUDEDIR}/gssapi_krb5 > > -INCS= gssapi_alloc.h \ > +INCS= gssapi.h \ > + gssapi_alloc.h \ > gssapi_ext.h \ > gssapi_generic.h \ > gssapi_krb5.h > > -# This gssapi header file is only needed should an app need > -# to build using the MIT KRB5 GSSAPI library. > - > -GSSAPI_KRB5= gssapi.h > - > .include > diff --git a/krb5/lib/gssapi/generic/Makefile.inc b/krb5/lib/gssapi/generic/M > akefile.inc > index 9de18079a341..ef76172655d6 100644 > --- a/krb5/lib/gssapi/generic/Makefile.inc > +++ b/krb5/lib/gssapi/generic/Makefile.inc > @@ -36,7 +36,7 @@ SRCS+= disp_com_err_status.c \ > INCSGROUPS= GSSAPI_INCS > GSSAPI_INCS= gssapi.h > INCS+= ${GENI} > -GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi_krb5/gssapi > +GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi > > CLEANFILES+= gssapi.h ${GGEN} ${GGENI} > > diff --git a/lib/Makefile b/lib/Makefile > index e5139b312a75..9447cc4551c0 100644 > --- a/lib/Makefile > +++ b/lib/Makefile > @@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat= libkvm > SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil > SUBDIR_DEPEND_libedit= ncurses > SUBDIR_DEPEND_libgeom= libexpat libsbuf > +.if ${MK_MITKRB5} == "no" > SUBDIR_DEPEND_librpcsec_gss= libgssapi > +.endif > SUBDIR_DEPEND_libmagic= libz > SUBDIR_DEPEND_libmemstat= libkvm > SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil ${ > _libypclnt} ${_libcom_err} > @@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+= libdpv libfigpar > SUBDIR.${MK_FDT}+= libfdt > SUBDIR.${MK_FILE}+= libmagic > SUBDIR.${MK_GPIO}+= libgpio > -SUBDIR.${MK_GSSAPI}+= libgssapi librpcsec_gss > +.if ${MK_MITKRB5} == "no" > +SUBDIR.${MK_GSSAPI}+= libgssapi > +.endif > +SUBDIR.${MK_GSSAPI}+= librpcsec_gss > SUBDIR.${MK_ICONV}+= libiconv_modules > .if ${MK_MITKRB5} == "no" > SUBDIR.${MK_KERBEROS_SUPPORT}+= libcom_err 
> diff --git a/lib/librpcsec_gss/Makefile b/lib/librpcsec_gss/Makefile > index a29d9780c1ab..eebc975acbd2 100644 > --- a/lib/librpcsec_gss/Makefile > +++ b/lib/librpcsec_gss/Makefile > @@ -1,10 +1,16 @@ > +.include > + > PACKAGE=lib${LIB} > LIB= rpcsec_gss > SHLIB_MAJOR= 1 > SRCS+= rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c rpcsec_gss_mis > c.c \ > svc_rpcsec_gss.c > > +.if ${MK_MITKRB5} == "no" > LIBADD= gssapi > +.else > +LIBADD= gssapi_krb5 > +.endif > > VERSION_DEF= ${SRCTOP}/lib/libc/Versions.def > SYMBOL_MAPS= ${.CURDIR}/Symbol.map > diff --git a/secure/libexec/sshd-session/Makefile b/secure/libexec/sshd-sessi > on/Makefile > index 8841cace5239..37e099794bd5 100644 > --- a/secure/libexec/sshd-session/Makefile > +++ b/secure/libexec/sshd-session/Makefile > @@ -39,15 +39,14 @@ LDFLAGS+=-L${LIBBLACKLISTDIR} > .endif > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > -LIBADD+= gssapi_krb5 gssapi krb5 > .if ${MK_MITKRB5} != "no" > +LIBADD+= gssapi_krb5 krb5 > .include "../../krb5/Makefile.inc" > CFLAGS+= -I${KRB5_DIR}/include \ > -I${KRB5_SRCTOP}/include \ > - -I${KRB5_OBJTOP}/lib \ > - -I${KRB5_DIR}/lib/gssapi/generic \ > - -I${KRB5_DIR}/lib/gssapi/krb5 \ > - -I${KRB5_DIR}/lib/gssapi/mechglue > + -I${KRB5_OBJTOP}/lib > +.else > +LIBADD+= gssapi_krb5 gssapi krb5 > .endif > .endif > > diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile > index acb1fd4eaa25..a4f36d0fe2df 100644 > --- a/secure/usr.bin/ssh/Makefile > +++ b/secure/usr.bin/ssh/Makefile > @@ -18,7 +18,11 @@ SRCS+= gss-genr.c > LIBADD= ssh > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > +.if ${MK_MITKRB5} == "no" > LIBADD+= gssapi > +.else > +LIBADD+= gssapi_krb5 > +.endif > .endif > > LIBADD+= crypto > diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile > index e6913cd9d0d6..f37dfe1c1b3a 100644 > --- a/secure/usr.sbin/sshd/Makefile > +++ b/secure/usr.sbin/sshd/Makefile 
> @@ -19,7 +19,11 @@ moduli: .MADE > LIBADD= ssh util > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > +.if ${MK_MITKRB5} == "no" > LIBADD+= gssapi_krb5 gssapi krb5 > +.else > +LIBADD+= gssapi_krb5 krb5 > +.endif > .endif > > .if ${MK_TCP_WRAPPERS} != "no" > diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk > index 283a99496b9f..9ca043e7733c 100644 > --- a/share/mk/src.libnames.mk > +++ b/share/mk/src.libnames.mk > @@ -472,7 +472,11 @@ _DP_ncursesw= tinfow > _DP_formw= ncursesw > _DP_nvpair= spl > _DP_panelw= ncursesw > +.if ${MK_MITKRB5} == "no" > _DP_rpcsec_gss= gssapi > +.else > +_DP_rpcsec_gss= gssapi_krb5 > +.endif > _DP_smb= kiconv > _DP_ulog= md > _DP_fifolog= z > diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/Option > alObsoleteFiles.inc > index aa6d04f1cc43..8e5ac7fa2a63 100644 > --- a/tools/build/mk/OptionalObsoleteFiles.inc > +++ b/tools/build/mk/OptionalObsoleteFiles.inc > @@ -4836,6 +4836,7 @@ OLD_FILES+=usr/share/man/man8/sserver.8.gz > .else > .if ${MK_MITKRB5} != "no" > # Remove Heimdal because we want MIT KRB5 but not Heimdal > +OLD_FILES+=etc/gss/qop > OLD_FILES+=etc/rc.d/ipropd_master > OLD_FILES+=etc/rc.d/ipropd_slave > OLD_FILES+=usr/bin/asn1_compile > @@ -4921,6 +4922,8 @@ OLD_LIBS+=usr/lib/libasn1.so.11 > OLD_FILES+=usr/lib/libasn1_p.a > OLD_LIBS+=usr/lib/libcom_err.so.5 > OLD_FILES+=usr/lib/libcom_err_p.a > +OLD_LIBS+=usr/lib/libgssapi.a > +OLD_LIBS+=usr/lib/libgssapi.so.10 > OLD_LIBS+=usr/lib/libgssapi_krb5.so.10 > OLD_FILES+=usr/lib/libgssapi_krb5_p.a > OLD_FILES+=usr/lib/libgssapi_mech.a > diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile > index 569e2c7e18f5..336a1b49f696 100644 > --- a/usr.sbin/gssd/Makefile > +++ b/usr.sbin/gssd/Makefile 
> @@ -9,15 +9,14 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c > CFLAGS+= -I. > WARNS?= 1 > > -LIBADD= gssapi > .if ${MK_KERBEROS_SUPPORT} != "no" > .if ${MK_MITKRB5} != "no" > # MIT KRB5 > -LIBADD+= krb5 k5crypto krb5profile krb5support > +LIBADD+= gssapi_krb5 krb5 k5crypto krb5profile krb5support > CFLAGS+= -DMK_MITKRB5=yes > .else > # Heimdal > -LIBADD+= krb5 roken > +LIBADD+= gssapi krb5 roken > .endif > .else > CFLAGS+= -DWITHOUT_KERBEROS > diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c > index 94eb6ca575c8..2a3af05496cf 100644 > --- a/usr.sbin/gssd/gssd.c > +++ b/usr.sbin/gssd/gssd.c > @@ -53,6 +53,9 @@ > #include > #include > #include > +#ifdef MK_MITKRB5 > +#include > +#endif > #include > #include > >
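
Review bot: In the ObsoleteFiles.inc hunk, the last added entry `OLD_FILES+=etc/gssapi/qop` names a directory that nothing else in this patch uses. The deleted file is etc/gss-krb5/qop, whose Makefile installs with `FILESDIR= /etc/gss`, and the first OptionalObsoleteFiles.inc hunk lists the same file as `etc/gss/qop`. If /etc/gss/qop is the installed path, this entry should read `OLD_FILES+=etc/gss/qop`; as written it matches nothing and the stale qop file is only cleaned up where the OptionalObsoleteFiles.inc entry is active.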
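
Review bot: In krb5/include/gssapi/Makefile, the unchanged line `INCSGROUPS= INCS GSSAPI_KRB5` still names the GSSAPI_KRB5 group even though this hunk deletes both `GSSAPI_KRB5DIR=` and `GSSAPI_KRB5= gssapi.h`; drop GSSAPI_KRB5 from INCSGROUPS, or remove the line as the krb5/include/Makefile hunk does. Separately, this hunk adds gssapi.h to INCS under `INCSDIR= ${INCLUDEDIR}/gssapi`, while the krb5/lib/gssapi/generic/Makefile.inc hunk now sets `GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi` for `GSSAPI_INCS= gssapi.h`, so two Makefiles install a gssapi.h to the same path. One of them should own that file.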
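
Review bot: In the first lib/Makefile hunk, `SUBDIR_DEPEND_librpcsec_gss= libgssapi` is now limited to MK_MITKRB5 == "no" and gets no counterpart for the MIT case, yet the lib/librpcsec_gss/Makefile hunk sets `LIBADD= gssapi_krb5` for that case. The only build-order change visible in Makefile.inc1 is for secure/lib/libssh__L, so please confirm that krb5/lib/gssapi is guaranteed to be built before lib/librpcsec_gss in a parallel buildworld, and add the dependency if it is not.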
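
Review bot: In the second tools/build/mk/OptionalObsoleteFiles.inc hunk, `OLD_LIBS+=usr/lib/libgssapi.a` lists a static archive under OLD_LIBS, whereas every other .a in the surrounding context (libasn1_p.a, libcom_err_p.a, libgssapi_krb5_p.a, libgssapi_mech.a) uses OLD_FILES and only the .so entries use OLD_LIBS. Suggest `OLD_FILES+=usr/lib/libgssapi.a` to match the neighbouring entries.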
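
Review bot: In usr.sbin/gssd/Makefile, removing the unconditional `LIBADD= gssapi` leaves the outer `.else` branch (MK_KERBEROS_SUPPORT == "no", the one that sets `CFLAGS+= -DWITHOUT_KERBEROS`) with no GSS-API library in LIBADD at all. If gssd is still built in that configuration it needs a LIBADD line in that branch as well; if it is never built there, a one-line comment saying so would make the omission look intentional.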
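
Review bot: The `#ifdef MK_MITKRB5` block added to usr.sbin/gssd/gssd.c has no comment marking it as temporary, although the commit message describes the gssd change as a temporary patch pending rmacklem@'s work; a short XXX comment referencing that follow-up would keep it from outliving its purpose. The macro comes from `CFLAGS+= -DMK_MITKRB5=yes` in the gssd Makefile, so it is only safe with #ifdef or defined(): a later `#if MK_MITKRB5` would expand to `#if yes` and evaluate to 0. Defining it as 1, or using a name that does not mirror the make variable, avoids that trap.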