Re: kgssapi and gssd patches for MIT's Kerberos

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Sat, 02 Aug 2025 21:54:24 UTC 
I don't have it here. I'm on my phone. I'll get it to you when I get back.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>  Web:  https://FreeBSD.org
NTP:            <cy@nwtime.org>    Web:  https://nwtime.org
                                                    e^(i*pi)+1=0

Pardon the typos. Tiny keyboard in use.

On August 2, 2025 2:30:35 p.m. PDT, Rick Macklem <rick.macklem@gmail.com> wrote:
>On Sat, Aug 2, 2025 at 1:33 PM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>>
>> There is also a review in phabricator to switch the gssapi from lib/libgssapi to the MIT provided gssapi as a companion to the patches in this thread.
>So what Dnnn?
>
>I'll look, but I'm not sure what you mean?
>For Heimdal, there was a libgssapi and a libgssapi_krb5.
>(They kept the generic code separate from the krb5 mech code.)
>
>For MIT, it appears that they just put it all in libgssapi_krb5.
>
>If you mean renaming libgssapi_krb5 to libgssapi, I don't think that
>is a good idea (I think it will just cause more confusion). I suspect
>that will mean anything linked to libgssapi (really libgssapi_krb5)
>will also need libkrb5, etc.
>
>If applications currently try and link to libgssapi, the Makefile needs
>to be fixed. At least then they know they are switching to MIT and
>might get surprises.
>
>I have run into a related thing w.r.t. building the gssd. It currently
>builds when MK_KERBEROS_SUPPORT is set to "no".
>With MIT, that means a bunch of fake stub functions must be
>added for the WITHOUT_KERBEROS case. I was just about to
>do that, but I think it is just plain silly to even build it when
>MK_KERBEROS_SUPPORT is "no"?
>
>So, should I put stub functions in to get gssd.c to build or not
>when MK_KERBEROS_SUPPORT == "no"?
>
>rick
>>
>>
>> --
>> Cheers,
>> Cy Schubert <Cy.Schubert@cschubert.com>
>> FreeBSD UNIX:  <cy@FreeBSD.org>  Web:  https://FreeBSD.org
>> NTP:            <cy@nwtime.org>    Web:  https://nwtime.org
>>                                                     e^(i*pi)+1=0
>>
>> Pardon the typos. Tiny keyboard in use.
>>
>> On August 1, 2025 5:21:40 p.m. PDT, Rick Macklem <rick.macklem@gmail.com> wrote:
>> >Hi,
>> >
>> >The discussion seems to have not had a mailing list on it,
>> >so here's what I posted.
>> >
>> >Maybe some others can do testing (or take a look at them)?
>> >
>> >Well, here's patches for testing. They are still kinda rough,
>> >but I'll be cleaning them up in the coming days and putting
>> >them in phabricator.
>> >
>> >They are attached and can also be found here...
>> >https://people.freebsd.org/~rmacklem/gssd.patch
>> >https://people.freebsd.org/~rmacklem/kgssapi.patch
>> >
>> >To make it work, I did..
>> ># pkg install krb5
>> >--> The libraries in /usr/lib are broken, at least in the one
>> >     week old snapshot I am using for testing.
>> ># cp /usr/include/gssapi_krb5/gssapi/gssapi.h /usr/include/gssapi
>> >--> So that the correct (MIT) gssapi.h is in /usr/include/gssapi.
>> >
>> >Then after patching and building, I go into...
>> >/usr/obj/usr/src/amd64.amd64/usr.sbin/gssd
>> >and then I re-link gssd with
>> >cc -o gssd -L/usr/local/lib gssd.pieo gssd_prot.pieo gssd_svc.pieo
>> >gssd_xdr.pieo -lkrb5 -lk5crypto -lkrb5profile -lkrb5support
>> >-lgssapi_krb5
>> >and then
>> ># cp gssd /usr/sbin
>> >
>> >You might be able to just add "-L/usr/local/lib" to the gssd Makefile,
>> >but I didn't feel like messing with it.
>> >
>> >It now seems to be working ok, using a pre-MIT Heimdal 1.5.2 kdc
>> >and pre-MIT system. (I have not yet done any testing with non-FreeBSD
>> >systems. I have Solaris 11.4 and a fairly recent 6.12 kernel based Debian,
>> >but I haven't set either up for Kerberos.)
>> >
>> >Good luck with testing, rick
>> >ps: I'll post when cleaner patches are on phabricator.
>