From: Rick Macklem
Date: Sat, 2 Aug 2025 16:17:11 -0700
Subject: RFC: MIT kerberos and the gssd in main
To: FreeBSD CURRENT
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Hi,

I've lost track of the discussions (or even where they are taking place), so I am going to post here and hope the discussion stays here.

My personal preference (feel free to discuss this) is that, when MK_MITKRB5 == "yes" for the buildworld/installworld..
- The .h files under /usr/include are exactly the same ones that "pkg install krb5" generates and under the exact same names. (No Heimdal .h files under /usr/include and no renaming or putting them in a different subdir.)
- The libraries under /usr/lib are exactly the same ones that "pkg install krb5" generates and under the exact same names.

I think this will minimize confusion. Yes, anything that links to libgssapi will need to be fixed (Makefile plus ???) since there is no such library for MIT, but at least people will see what needs to be fixed. (There are a lot of places where code knows where MIT puts .h files and which MIT kerberos library names are used.)

However (and this is the more important part for me), I'd like a resolution w.r.t. what file names and where they go soon, so I can get a patch for gssd.c needed to make it work for MIT straightened out. I do now have code that works when linked to the libraries in /usr/local/lib, using the MIT kerberos .h files.

Thanks for any comments, rick

ps: Unless someone complains about doing so, I intend to tweak /usr/src/usr.sbin/Makefile so that it only builds the gssd when both MK_GSSAPI and MK_KERBEROS_SUPPORT are not "no". This allows me to get rid of the cruft in gssd.c that makes it build for the MK_KERBEROS_SUPPORT == "no" case, since it won't do anything useful without kerberos anyhow.