I don't have it here. I'm on my phone. I'll get it to you when I get back.
-- Cheers, Cy Schubert <[email protected]> FreeBSD UNIX: <[email protected]> Web: https://FreeBSD.org NTP: <[email protected]> Web: https://nwtime.org e^(i*pi)+1=0 Pardon the typos. Tiny keyboard in use. On August 2, 2025 2:30:35 p.m. PDT, Rick Macklem <[email protected]> wrote: >On Sat, Aug 2, 2025 at 1:33 PM Cy Schubert <[email protected]> wrote: >> >> There is also a review in phabricator to switch the gssapi from >> lib/libgssapi to the MIT provided gssapi as a companion to the patches in >> this thread. >So what Dnnn? > >I'll look, but I'm not sure what you mean? >For Heimdal, there was a libgssapi and a libgssapi_krb5. >(They kept the generic code separate from the krb5 mech code.) > >For MIT, it appears that they just put it all in libgssapi_krb5. > >If you mean renaming libgssapi_krb5 to libgssapi, I don't think that >is a good idea (I think it will just cause more confusion). I suspect >that will mean anything linked to libgssapi (really libgssapi_krb5) >will also need libkrb5, etc. > >If applications currently try and link to libgssapi, the Makefile needs >to be fixed. At least then they know they are switching to MIT and >might get surprises. > >I have run into a related thing w.r.t. building the gssd. It currently >builds when MK_KERBEROS_SUPPORT is set to "no". >With MIT, that means a bunch of fake stub functions must be >added for the WITHOUT_KERBEROS case. I was just about to >do that, but I think it is just plain silly to even build it when >MK_KERBEROS_SUPPORT is "no"? > >So, should I put stub functions in to get gssd.c to build or not >when MK_KERBEROS_SUPPORT == "no"? > >rick >> >> >> -- >> Cheers, >> Cy Schubert <[email protected]> >> FreeBSD UNIX: <[email protected]> Web: https://FreeBSD.org >> NTP: <[email protected]> Web: https://nwtime.org >> e^(i*pi)+1=0 >> >> Pardon the typos. Tiny keyboard in use. >> >> On August 1, 2025 5:21:40 p.m. PDT, Rick Macklem <[email protected]> >> wrote: >> >Hi, >> > >> >The discussion seems to have not had a mailing list on it, >> >so here's what I posted. >> > >> >Maybe some others can do testing (or take a look at them)? >> > >> >Well, here's patches for testing. They are still kinda rough, >> >but I'll be cleaning them up in the coming days and putting >> >them in phabricator. >> > >> >They are attached and can also be found here... >> >https://people.freebsd.org/~rmacklem/gssd.patch >> >https://people.freebsd.org/~rmacklem/kgssapi.patch >> > >> >To make it work, I did.. >> ># pkg install krb5 >> >--> The libraries in /usr/lib are broken, at least in the one >> > week old snapshot I am using for testing. >> ># cp /usr/include/gssapi_krb5/gssapi/gssapi.h /usr/include/gssapi >> >--> So that the correct (MIT) gssapi.h is in /usr/include/gssapi. >> > >> >Then after patching and building, I go into... >> >/usr/obj/usr/src/amd64.amd64/usr.sbin/gssd >> >and then I re-link gssd with >> >cc -o gssd -L/usr/local/lib gssd.pieo gssd_prot.pieo gssd_svc.pieo >> >gssd_xdr.pieo -lkrb5 -lk5crypto -lkrb5profile -lkrb5support >> >-lgssapi_krb5 >> >and then >> ># cp gssd /usr/sbin >> > >> >You might be able to just add "-L/usr/local/lib" to the gssd Makefile, >> >but I didn't feel like messing with it. >> > >> >It now seems to be working ok, using a pre-MIT Heimdal 1.5.2 kdc >> >and pre-MIT system. (I have not yet done any testing with non-FreeBSD >> >systems. I have Solaris 11.4 and a fairly recent 6.12 kernel based Debian, >> >but I haven't set either up for Kerberos.) >> > >> >Good luck with testing, rick >> >ps: I'll post when cleaner patches are on phabricator. >
