[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 292098] www/squid: Build does not recognise GSSAPI in base system on 14.3-STABLE"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 01 Jan 2026 11:07:56 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292098

            Bug ID: 292098
           Summary: www/squid: Build does not recognise GSSAPI in base
                    system on 14.3-STABLE
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: john@jmarshall.id.au
                CC: timp87@gmail.com
                CC: timp87@gmail.com
             Flags: maintainer-feedback?(timp87@gmail.com)

FreeBSD 14.3-STABLE amd64 stable/14-n272939-646c0a2fe646
www/squid 7.3

Port Options:
        AUTH_LDAP      : on
        DOCS           : on
        EXAMPLES       : on
        GSSAPI_BASE    : on
        IPV6           : on
        KQUEUE         : on

squid.conf:
  auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth
-s HTTP/cache1.example.com
  auth_param negotiate children 20
  auth_param negotiate keep_alive on

-------------

I've used squid with Kerberos authentication on FreeBSD for ~20 years. After
upgrading squid 6.14 -> 7.3 it stopped working. I see the following message
logged in cache.log when HTTP/407 codes are returned to the client. The client
requests and gets a service ticket for the squid server but the negotiation
fails.

  kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH,
notes={message=Kerberos authentication not supported }}
    current master transaction: master54

Diving into src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc, it appears
that the above ERROR message is generated only if HAVE_GSSAPI is not defined
during the build. The configure file shows that the definition of HAVE_GSSAPI
depends directly on the value of squid_cv_working_gssapi.

From config.log:
  squid_cv_working_gssapi=no
  squid_cv_working_krb5=yes

From config.status:
  D["HAVE_GSSAPI_H"]=" 1"
  D["HAVE_GSSAPI_GSSAPI_H"]=" 1"
  D["HAVE_GSSAPI_GSSAPI_KRB5_H"]=" 1"
  D["HAVE_KRB5_H"]=" 1"
  D["HAVE_COM_ERR_H"]=" 1"
  D["HAVE_BROKEN_HEIMDAL_KRB5_H"]=" 0"
  D["HAVE_KRB5_GET_ERR_TEXT"]=" 1"
  D["HAVE_KRB5_GET_ERROR_MESSAGE"]=" 1"
  D["HAVE_KRB5_FREE_ERROR_MESSAGE"]=" 1"
  D["HAVE_KRB5_FREE_ERROR_STRING"]=" 1"
  D["HAVE_DECL_KRB5_KT_FREE_ENTRY"]=" 1"
  D["HAVE_KRB5_PAC"]=" 1"
  D["HAVE_KRB5_KT_FREE_ENTRY"]=" 1"
  D["HAVE_GET_INIT_CREDS_KEYTAB"]=" 1"
  D["HAVE_KRB5_GET_RENEWED_CREDS"]=" 1"
  D["HAVE_KRB5_PRINCIPAL_GET_REALM"]=" 1"
  D["HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC"]=" 1"
  D["HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT"]=" 1"
  D["HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT"]=" 1"
  D["HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT"]=" 1"
  D["HAVE_KRB5_MEMORY_CACHE"]=" 1"
  D["HAVE_KRB5_MEMORY_KEYTAB"]=" 1"
  D["HAVE_GSSAPI"]=" 0"
  D["HAVE_SPNEGO"]=" 0"
  D["HAVE_KRB5"]=" 1"
  D["HAVE_LIBHEIMDAL_KRB5"]=" 1"

I'd like to have taken this further by myself but get lost in this Configure
stuff.

Thank you for maintining this port!

Regards,
John.

-- 
You are receiving this mail because:
You are the assignee for the bug.