Re: kgssapi and gssd patches for MIT's Kerberos

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Sat, 02 Aug 2025 21:30:35 UTC

On Sat, Aug 2, 2025 at 1:33 PM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> There is also a review in phabricator to switch the gssapi from lib/libgssapi to the MIT provided gssapi as a companion to the patches in this thread.

So what Dnnn?

I'll look, but I'm not sure what you mean?
For Heimdal, there was a libgssapi and a libgssapi_krb5.
(They kept the generic code separate from the krb5 mech code.)

For MIT, it appears that they just put it all in libgssapi_krb5.

If you mean renaming libgssapi_krb5 to libgssapi, I don't think that
is a good idea (I think it will just cause more confusion). I suspect
that will mean anything linked to libgssapi (really libgssapi_krb5)
will also need libkrb5, etc.

If applications currently try and link to libgssapi, the Makefile needs
to be fixed. At least then they know they are switching to MIT and
might get surprises.

I have run into a related thing w.r.t. building the gssd. It currently
builds when MK_KERBEROS_SUPPORT is set to "no".
With MIT, that means a bunch of fake stub functions must be
added for the WITHOUT_KERBEROS case. I was just about to
do that, but I think it is just plain silly to even build it when
MK_KERBEROS_SUPPORT is "no"?

So, should I put stub functions in to get gssd.c to build or not
when MK_KERBEROS_SUPPORT == "no"?

rick
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX:  <cy@FreeBSD.org>  Web:  https://FreeBSD.org
> NTP:            <cy@nwtime.org>    Web:  https://nwtime.org
>                                                     e^(i*pi)+1=0
>
> Pardon the typos. Tiny keyboard in use.
>
> On August 1, 2025 5:21:40 p.m. PDT, Rick Macklem <rick.macklem@gmail.com> wrote:
> >Hi,
> >
> >The discussion seems to have not had a mailing list on it,
> >so here's what I posted.
> >
> >Maybe some others can do testing (or take a look at them)?
> >
> >Well, here's patches for testing. They are still kinda rough,
> >but I'll be cleaning them up in the coming days and putting
> >them in phabricator.
> >
> >They are attached and can also be found here...
> >https://people.freebsd.org/~rmacklem/gssd.patch
> >https://people.freebsd.org/~rmacklem/kgssapi.patch
> >
> >To make it work, I did..
> ># pkg install krb5
> >--> The libraries in /usr/lib are broken, at least in the one
> >     week old snapshot I am using for testing.
> ># cp /usr/include/gssapi_krb5/gssapi/gssapi.h /usr/include/gssapi
> >--> So that the correct (MIT) gssapi.h is in /usr/include/gssapi.
> >
> >Then after patching and building, I go into...
> >/usr/obj/usr/src/amd64.amd64/usr.sbin/gssd
> >and then I re-link gssd with
> >cc -o gssd -L/usr/local/lib gssd.pieo gssd_prot.pieo gssd_svc.pieo
> >gssd_xdr.pieo -lkrb5 -lk5crypto -lkrb5profile -lkrb5support
> >-lgssapi_krb5
> >and then
> ># cp gssd /usr/sbin
> >
> >You might be able to just add "-L/usr/local/lib" to the gssd Makefile,
> >but I didn't feel like messing with it.
> >
> >It now seems to be working ok, using a pre-MIT Heimdal 1.5.2 kdc
> >and pre-MIT system. (I have not yet done any testing with non-FreeBSD
> >systems. I have Solaris 11.4 and a fairly recent 6.12 kernel based Debian,
> >but I haven't set either up for Kerberos.)
> >
> >Good luck with testing, rick
> >ps: I'll post when cleaner patches are on phabricator.