Re: RFC: MIT kerberos and the gssd in main

In reply to: Rick Macklem : "RFC: MIT kerberos and the gssd in main"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Tue, 05 Aug 2025 16:25:45 UTC

In message <CAM5tNy4W-YgNG0waGCnXLoQBR35V5BFNHKyhC5bjy4ekT19Mtg@mail.gmail.c
om>
, Rick Macklem writes:
> Hi,
>
> I've lost track of the discussions (or even where they are
> taking place, so I am going to post here and hope the
> discussion stays here.
>
> My personal preference (feel free to discuss this) is that,
> when MK_MITKRB5 == "yes"  for the buildworld/installworld..
> - The .h files under /usr/include are exactly the same ones that
>    "pkg install krb5" generates and under the exact same names.
>    (No Heimdal .h files under /usr/include and no renaming or
>     putting them in a different subdir.)
> - The libraries under /usr/lib are exactly the same ones that
>   "pkg install krb5" generates and under the exact same names.

D51661 fixes this. It removes libgssapi.so, keeping libgssapi_krb5.so as we 
see on Linux systems with MIT KRB5 installed and as port installs them.

> I think this will minimize confusion. Yes, anything that links to
> libgssapi will need to be fixed (Makefile plus ???) since there
> is no such library for MIT, but at least people will see what needs
> to be fixed. (There are a lot of places where code knows where
> MIT puts .h files and which MIT kerberos library names are used.)

This is the reason for D51661.

>
> However (and this is the more important part for me), I'd like
> a resolution w.r.t.what file names and where they go soon, so
> I can get a patch for gssd.c needed to make it work for MIT
> straightened out.
>
> I do now have code that works when linked to the libraries
> in /usr/local/lib, using the MIT kerberos .h files.
>
> Thanks for any comments, rick
> ps: Unless someone complains about doing so, I intend to
>       tweak /usr/src/usr.sbin/Makefile so that it only builds the
>       gssd when both MK_GSSAPI and MK_KERBEROS_SUPPORT
>       are not "no". This allows me to get rid of the cruft in gssd.c
>       that makes it build for the MK_KERBEROS_SUPPORT == "no"
>       case, since it won't do anything useful without kerberos anyhow.
>

All of the above are addressed/fixed by D51661.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0