Date: Sat, 02 Aug 2025 14:54:24 -0700
From: Cy Schubert
To: Rick Macklem
CC: FreeBSD CURRENT, Gleb Smirnoff, Benjamin Kaduk
Subject: Re: kgssapi and gssd patches for MIT's Kerberos
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

I don't have it here. I'm on my phone. I'll get it to you when I get back.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org
e^(i*pi)+1=0

Pardon the typos. Tiny keyboard in
use.

On August 2, 2025 2:30:35 p.m. PDT, Rick Macklem wrote:
>On Sat, Aug 2, 2025 at 1:33 PM Cy Schubert wrote:
>>
>> There is also a review in phabricator to switch the gssapi from lib/libgssapi to the MIT provided gssapi as a companion to the patches in this thread.
>So what Dnnn?
>
>I'll look, but I'm not sure what you mean?
>For Heimdal, there was a libgssapi and a libgssapi_krb5.
>(They kept the generic code separate from the krb5 mech code.)
>
>For MIT, it appears that they just put it all in libgssapi_krb5.
>
>If you mean renaming libgssapi_krb5 to libgssapi, I don't think that
>is a good idea (I think it will just cause more confusion). I suspect
>that will mean anything linked to libgssapi (really libgssapi_krb5)
>will also need libkrb5, etc.
>
>If applications currently try and link to libgssapi, the Makefile needs
>to be fixed. At least then they know they are switching to MIT and
>might get surprises.
>
>I have run into a related thing w.r.t. building the gssd. It currently
>builds when MK_KERBEROS_SUPPORT is set to "no".
>With MIT, that means a bunch of fake stub functions must be
>added for the WITHOUT_KERBEROS case. I was just about to
>do that, but I think it is just plain silly to even build it when
>MK_KERBEROS_SUPPORT is "no"?
>
>So, should I put stub functions in to get gssd.c to build or not
>when MK_KERBEROS_SUPPORT == "no"?
>
>rick
>>
>>
>> --
>> Cheers,
>> Cy Schubert
>> FreeBSD UNIX: Web: https://FreeBSD.org
>> NTP: Web: https://nwtime.org
>> e^(i*pi)+1=0
>>
>> Pardon the typos. Tiny keyboard in use.
>>
>> On August 1, 2025 5:21:40 p.m. PDT, Rick Macklem wrote:
>> >Hi,
>> >
>> >The discussion seems to have not had a mailing list on it,
>> >so here's what I posted.
>> >
>> >Maybe some others can do testing (or take a look at them)?
>> >
>> >Well, here's patches for testing. They are still kinda rough,
>> >but I'll be cleaning them up in the coming days and putting
>> >them in phabricator.
>> >
>> >They are attached and can also be found here...
>> >https://people.freebsd.org/~rmacklem/gssd.patch
>> >https://people.freebsd.org/~rmacklem/kgssapi.patch
>> >
>> >To make it work, I did..
>> ># pkg install krb5
>> >--> The libraries in /usr/lib are broken, at least in the one
>> >    week old snapshot I am using for testing.
>> ># cp /usr/include/gssapi_krb5/gssapi/gssapi.h /usr/include/gssapi
>> >--> So that the correct (MIT) gssapi.h is in /usr/include/gssapi.
>> >
>> >Then after patching and building, I go into...
>> >/usr/obj/usr/src/amd64.amd64/usr.sbin/gssd
>> >and then I re-link gssd with
>> >cc -o gssd -L/usr/local/lib gssd.pieo gssd_prot.pieo gssd_svc.pieo
>> >gssd_xdr.pieo -lkrb5 -lk5crypto -lkrb5profile -lkrb5support
>> >-lgssapi_krb5
>> >and then
>> ># cp gssd /usr/sbin
>> >
>> >You might be able to just add "-L/usr/local/lib" to the gssd Makefile,
>> >but I didn't feel like messing with it.
>> >
>> >It now seems to be working ok, using a pre-MIT Heimdal 1.5.2 kdc
>> >and pre-MIT system. (I have not yet done any testing with non-FreeBSD
>> >systems. I have Solaris 11.4 and a fairly recent 6.12 kernel based Debian,
>> >but I haven't set either up for Kerberos.)
>> >
>> >Good luck with testing, rick
>> >ps: I'll post when cleaner patches are on phabricator.
>