Re: git: e26259f48afe - main - gssapi,krb5: Replace libgssapi with the MIT version
Date: Thu, 07 Aug 2025 21:54:41 UTC
On Thu, Aug 7, 2025 at 10:21 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca.
>
> Rick,
>
> Please go ahead with your kgssapi patches. I have applied them here.
> Kerberized NFS works again.
Thanks. It's back in main and at least survived a make buildworld.
(timderbox just takes too long, even on the universe14a to-day.)
rick
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e**(i*pi)+1=0
>
>
> In message <202508071717.577HHbfI052679@gitrepo.freebsd.org>, Cy Schubert
> write
> s:
> > The branch main has been updated by cy:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=e26259f48afe98022d885f02fbb8abcd
> > 7878e41a
> >
> > commit e26259f48afe98022d885f02fbb8abcd7878e41a
> > Author: Cy Schubert <cy@FreeBSD.org>
> > AuthorDate: 2025-07-31 16:51:20 +0000
> > Commit: Cy Schubert <cy@FreeBSD.org>
> > CommitDate: 2025-08-07 17:17:00 +0000
> >
> > gssapi,krb5: Replace libgssapi with the MIT version
> >
> > lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
> > libgssapi_krb5 replaces it. With both gssapi libraries and header files
> > installed results in broken buildworld (gssd) and ports that will not
> > build without modifications to support the MIT gssapi in an alternate
> > location.
> >
> > 73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps using
> > MIT KRB5 gssapi functions and structures will fail to build without this
> > patch.
> >
> > This patch includes a temporary patch to usr.sbin/gssd to allow it
> > to build with this patch. rmacklem@ has a patch for this and for
> > kgssapi that uses this patch to resolve kgssapi issues for NFS with
> > Kerberos.
> >
> > This patch is an updated version of D51661 to allow it to build following
> > additional patchs to the tree.
> >
> > This should have been implmented with 7e35117eb07f.
> >
> > Fixes: 7e35117eb07f, 73ed0c7992fd
> > Differential Revision: https://reviews.freebsd.org/D51661
> > ---
> > Makefile.inc1 | 6 ++++--
> > ObsoleteFiles.inc | 6 ++++++
> > etc/gss-krb5/Makefile | 2 +-
> > etc/gss-krb5/qop | 1 -
> > etc/mtree/BSD.include.dist | 4 ----
> > include/Makefile | 2 +-
> > krb5/include/Makefile | 5 ++---
> > krb5/include/gssapi/Makefile | 9 ++-------
> > krb5/lib/gssapi/generic/Makefile.inc | 2 +-
> > lib/Makefile | 7 ++++++-
> > lib/librpcsec_gss/Makefile | 6 ++++++
> > secure/libexec/sshd-session/Makefile | 9 ++++-----
> > secure/usr.bin/ssh/Makefile | 4 ++++
> > secure/usr.sbin/sshd/Makefile | 4 ++++
> > share/mk/src.libnames.mk | 4 ++++
> > tools/build/mk/OptionalObsoleteFiles.inc | 3 +++
> > usr.sbin/gssd/Makefile | 5 ++---
> > usr.sbin/gssd/gssd.c | 3 +++
> > 18 files changed, 53 insertions(+), 29 deletions(-)
> >
> > diff --git a/Makefile.inc1 b/Makefile.inc1
> > index e6c9b49eefa3..9128d1d8ee77 100644
> > --- a/Makefile.inc1
> > +++ b/Makefile.inc1
> > @@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L
> >
> > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> > .if ${MK_MITKRB5} != "no"
> > -secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \
> > - krb5/util/et__L lib/libmd__L krb5/util/support__L
> > +secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \
> > + krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L
> > .else
> > secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \
> > kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \
> > @@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__
> > L kerberos5/lib/libheimbas
> > lib/libsqlite3__L: lib/libthr__L
> >
> > .if ${MK_GSSAPI} != "no"
> > +.if ${MK_MITKRB5} == "no"
> > _lib_libgssapi= lib/libgssapi
> > .endif
> > +.endif
> >
> > .if ${MK_KERBEROS} != "no"
> > .if ${MK_MITKRB5} != "no"
> > diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
> > index 86a449c80a76..2f63bbea5a49 100644
> > --- a/ObsoleteFiles.inc
> > +++ b/ObsoleteFiles.inc
> > @@ -51,6 +51,12 @@
> > # xargs -n1 | sort | uniq -d;
> > # done
> >
> > +# 20250807: Replace lib/libgssapi with krb5/lib/gssapi
> > +OLD_FILES+=usr/include/gssapi_krb5/gssapi/gssapi.h
> > +OLD_DIRS+=usr/include/gssapi_krb5/gssapi
> > +OLD_DIRS+=usr/include/gssapi_krb5
> > +OLD_FILES+=etc/gssapi/qop
> > +
> > # 20250802: libutil bumped to 10
> > OLD_LIBS+=lib/libutil.so.9
> >
> > diff --git a/etc/gss-krb5/Makefile b/etc/gss-krb5/Makefile
> > index 301a8e074e8c..8886ed35e281 100644
> > --- a/etc/gss-krb5/Makefile
> > +++ b/etc/gss-krb5/Makefile
> > @@ -1,4 +1,4 @@
> > -FILES= mech qop
> > +FILES= mech
> > NO_OBJ=
> > FILESDIR= /etc/gss
> >
> > diff --git a/etc/gss-krb5/qop b/etc/gss-krb5/qop
> > deleted file mode 100644
> > index 7d5b6b8f33dd..000000000000
> > --- a/etc/gss-krb5/qop
> > +++ /dev/null
> > @@ -1 +0,0 @@
> > -GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5
> > diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist
> > index 0e9f739425a1..28c4d91ac1c0 100644
> > --- a/etc/mtree/BSD.include.dist
> > +++ b/etc/mtree/BSD.include.dist
> > @@ -258,10 +258,6 @@
> > ..
> > gssapi
> > ..
> > - gssapi_krb5
> > - gssapi
> > - ..
> > - ..
> > gssrpc
> > ..
> > infiniband
> > diff --git a/include/Makefile b/include/Makefile
> > index af7ef2337941..2792d594a888 100644
> > --- a/include/Makefile
> > +++ b/include/Makefile
> > @@ -293,7 +293,7 @@ LSUBSUBDIRS+= netgraph/bluetooth/include
> > LSUBDIRS+= fs/cuse
> > .endif
> >
> > -.if ${MK_GSSAPI} != "no"
> > +.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no"
> > SUBDIR+= gssapi
> > INCS+= gssapi.h
> > .endif
> > diff --git a/krb5/include/Makefile b/krb5/include/Makefile
> > index 699211b9c3c9..64c5d39b867b 100644
> > --- a/krb5/include/Makefile
> > +++ b/krb5/include/Makefile
> > @@ -17,13 +17,12 @@ SUBDIR= krb5 gssrpc gssapi
> >
> > SUBDIR_PARALLEL=
> >
> > -INCSGROUPS= INCS
> > -
> > INCSDIR= ${INCLUDEDIR}
> >
> > .PATH: ${KRB5_DIR}/include
> >
> > -INCS= kdb.h \
> > +INCS= gssapi.h \
> > + kdb.h \
> > krad.h \
> > krb5.h
> >
> > diff --git a/krb5/include/gssapi/Makefile b/krb5/include/gssapi/Makefile
> > index 4959bf78944d..b181187e9d95 100644
> > --- a/krb5/include/gssapi/Makefile
> > +++ b/krb5/include/gssapi/Makefile
> > @@ -15,16 +15,11 @@
> >
> > INCSGROUPS= INCS GSSAPI_KRB5
> > INCSDIR= ${INCLUDEDIR}/gssapi
> > -GSSAPI_KRB5DIR= ${INCLUDEDIR}/gssapi_krb5
> >
> > -INCS= gssapi_alloc.h \
> > +INCS= gssapi.h \
> > + gssapi_alloc.h \
> > gssapi_ext.h \
> > gssapi_generic.h \
> > gssapi_krb5.h
> >
> > -# This gssapi header file is only needed should an app need
> > -# to build using the MIT KRB5 GSSAPI library.
> > -
> > -GSSAPI_KRB5= gssapi.h
> > -
> > .include <bsd.prog.mk>
> > diff --git a/krb5/lib/gssapi/generic/Makefile.inc b/krb5/lib/gssapi/generic/M
> > akefile.inc
> > index 9de18079a341..ef76172655d6 100644
> > --- a/krb5/lib/gssapi/generic/Makefile.inc
> > +++ b/krb5/lib/gssapi/generic/Makefile.inc
> > @@ -36,7 +36,7 @@ SRCS+= disp_com_err_status.c \
> > INCSGROUPS= GSSAPI_INCS
> > GSSAPI_INCS= gssapi.h
> > INCS+= ${GENI}
> > -GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi_krb5/gssapi
> > +GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi
> >
> > CLEANFILES+= gssapi.h ${GGEN} ${GGENI}
> >
> > diff --git a/lib/Makefile b/lib/Makefile
> > index e5139b312a75..9447cc4551c0 100644
> > --- a/lib/Makefile
> > +++ b/lib/Makefile
> > @@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat= libkvm
> > SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil
> > SUBDIR_DEPEND_libedit= ncurses
> > SUBDIR_DEPEND_libgeom= libexpat libsbuf
> > +.if ${MK_MITKRB5} == "no"
> > SUBDIR_DEPEND_librpcsec_gss= libgssapi
> > +.endif
> > SUBDIR_DEPEND_libmagic= libz
> > SUBDIR_DEPEND_libmemstat= libkvm
> > SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil ${
> > _libypclnt} ${_libcom_err}
> > @@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+= libdpv libfigpar
> > SUBDIR.${MK_FDT}+= libfdt
> > SUBDIR.${MK_FILE}+= libmagic
> > SUBDIR.${MK_GPIO}+= libgpio
> > -SUBDIR.${MK_GSSAPI}+= libgssapi librpcsec_gss
> > +.if ${MK_MITKRB5} == "no"
> > +SUBDIR.${MK_GSSAPI}+= libgssapi
> > +.endif
> > +SUBDIR.${MK_GSSAPI}+= librpcsec_gss
> > SUBDIR.${MK_ICONV}+= libiconv_modules
> > .if ${MK_MITKRB5} == "no"
> > SUBDIR.${MK_KERBEROS_SUPPORT}+= libcom_err
> > diff --git a/lib/librpcsec_gss/Makefile b/lib/librpcsec_gss/Makefile
> > index a29d9780c1ab..eebc975acbd2 100644
> > --- a/lib/librpcsec_gss/Makefile
> > +++ b/lib/librpcsec_gss/Makefile
> > @@ -1,10 +1,16 @@
> > +.include <src.opts.mk>
> > +
> > PACKAGE=lib${LIB}
> > LIB= rpcsec_gss
> > SHLIB_MAJOR= 1
> > SRCS+= rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c rpcsec_gss_mis
> > c.c \
> > svc_rpcsec_gss.c
> >
> > +.if ${MK_MITKRB5} == "no"
> > LIBADD= gssapi
> > +.else
> > +LIBADD= gssapi_krb5
> > +.endif
> >
> > VERSION_DEF= ${SRCTOP}/lib/libc/Versions.def
> > SYMBOL_MAPS= ${.CURDIR}/Symbol.map
> > diff --git a/secure/libexec/sshd-session/Makefile b/secure/libexec/sshd-sessi
> > on/Makefile
> > index 8841cace5239..37e099794bd5 100644
> > --- a/secure/libexec/sshd-session/Makefile
> > +++ b/secure/libexec/sshd-session/Makefile
> > @@ -39,15 +39,14 @@ LDFLAGS+=-L${LIBBLACKLISTDIR}
> > .endif
> >
> > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> > -LIBADD+= gssapi_krb5 gssapi krb5
> > .if ${MK_MITKRB5} != "no"
> > +LIBADD+= gssapi_krb5 krb5
> > .include "../../krb5/Makefile.inc"
> > CFLAGS+= -I${KRB5_DIR}/include \
> > -I${KRB5_SRCTOP}/include \
> > - -I${KRB5_OBJTOP}/lib \
> > - -I${KRB5_DIR}/lib/gssapi/generic \
> > - -I${KRB5_DIR}/lib/gssapi/krb5 \
> > - -I${KRB5_DIR}/lib/gssapi/mechglue
> > + -I${KRB5_OBJTOP}/lib
> > +.else
> > +LIBADD+= gssapi_krb5 gssapi krb5
> > .endif
> > .endif
> >
> > diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
> > index acb1fd4eaa25..a4f36d0fe2df 100644
> > --- a/secure/usr.bin/ssh/Makefile
> > +++ b/secure/usr.bin/ssh/Makefile
> > @@ -18,7 +18,11 @@ SRCS+= gss-genr.c
> > LIBADD= ssh
> >
> > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> > +.if ${MK_MITKRB5} == "no"
> > LIBADD+= gssapi
> > +.else
> > +LIBADD+= gssapi_krb5
> > +.endif
> > .endif
> >
> > LIBADD+= crypto
> > diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
> > index e6913cd9d0d6..f37dfe1c1b3a 100644
> > --- a/secure/usr.sbin/sshd/Makefile
> > +++ b/secure/usr.sbin/sshd/Makefile
> > @@ -19,7 +19,11 @@ moduli: .MADE
> > LIBADD= ssh util
> >
> > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
> > +.if ${MK_MITKRB5} == "no"
> > LIBADD+= gssapi_krb5 gssapi krb5
> > +.else
> > +LIBADD+= gssapi_krb5 krb5
> > +.endif
> > .endif
> >
> > .if ${MK_TCP_WRAPPERS} != "no"
> > diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
> > index 283a99496b9f..9ca043e7733c 100644
> > --- a/share/mk/src.libnames.mk
> > +++ b/share/mk/src.libnames.mk
> > @@ -472,7 +472,11 @@ _DP_ncursesw= tinfow
> > _DP_formw= ncursesw
> > _DP_nvpair= spl
> > _DP_panelw= ncursesw
> > +.if ${MK_MITKRB5} == "no"
> > _DP_rpcsec_gss= gssapi
> > +.else
> > +_DP_rpcsec_gss= gssapi_krb5
> > +.endif
> > _DP_smb= kiconv
> > _DP_ulog= md
> > _DP_fifolog= z
> > diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/Option
> > alObsoleteFiles.inc
> > index aa6d04f1cc43..8e5ac7fa2a63 100644
> > --- a/tools/build/mk/OptionalObsoleteFiles.inc
> > +++ b/tools/build/mk/OptionalObsoleteFiles.inc
> > @@ -4836,6 +4836,7 @@ OLD_FILES+=usr/share/man/man8/sserver.8.gz
> > .else
> > .if ${MK_MITKRB5} != "no"
> > # Remove Heimdal because we want MIT KRB5 but not Heimdal
> > +OLD_FILES+=etc/gss/qop
> > OLD_FILES+=etc/rc.d/ipropd_master
> > OLD_FILES+=etc/rc.d/ipropd_slave
> > OLD_FILES+=usr/bin/asn1_compile
> > @@ -4921,6 +4922,8 @@ OLD_LIBS+=usr/lib/libasn1.so.11
> > OLD_FILES+=usr/lib/libasn1_p.a
> > OLD_LIBS+=usr/lib/libcom_err.so.5
> > OLD_FILES+=usr/lib/libcom_err_p.a
> > +OLD_LIBS+=usr/lib/libgssapi.a
> > +OLD_LIBS+=usr/lib/libgssapi.so.10
> > OLD_LIBS+=usr/lib/libgssapi_krb5.so.10
> > OLD_FILES+=usr/lib/libgssapi_krb5_p.a
> > OLD_FILES+=usr/lib/libgssapi_mech.a
> > diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile
> > index 569e2c7e18f5..336a1b49f696 100644
> > --- a/usr.sbin/gssd/Makefile
> > +++ b/usr.sbin/gssd/Makefile
> > @@ -9,15 +9,14 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
> > CFLAGS+= -I.
> > WARNS?= 1
> >
> > -LIBADD= gssapi
> > .if ${MK_KERBEROS_SUPPORT} != "no"
> > .if ${MK_MITKRB5} != "no"
> > # MIT KRB5
> > -LIBADD+= krb5 k5crypto krb5profile krb5support
> > +LIBADD+= gssapi_krb5 krb5 k5crypto krb5profile krb5support
> > CFLAGS+= -DMK_MITKRB5=yes
> > .else
> > # Heimdal
> > -LIBADD+= krb5 roken
> > +LIBADD+= gssapi krb5 roken
> > .endif
> > .else
> > CFLAGS+= -DWITHOUT_KERBEROS
> > diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c
> > index 94eb6ca575c8..2a3af05496cf 100644
> > --- a/usr.sbin/gssd/gssd.c
> > +++ b/usr.sbin/gssd/gssd.c
> > @@ -53,6 +53,9 @@
> > #include <arpa/inet.h>
> > #include <netinet/in.h>
> > #include <gssapi/gssapi.h>
> > +#ifdef MK_MITKRB5
> > +#include <gssapi/gssapi_krb5.h>
> > +#endif
> > #include <rpc/rpc.h>
> > #include <rpc/rpc_com.h>
> >
> >
>
>