The branch main has been updated by ivy:
URL:
https://cgit.FreeBSD.org/src/commit/?id=dc5ba6b8b4f028eb944434be82838d272330f26f
commit dc5ba6b8b4f028eb944434be82838d272330f26f
Author: Lexi Winter <i...@freebsd.org>
AuthorDate: 2025-08-20 18:42:20 +0000
Commit: Lexi Winter <i...@freebsd.org>
CommitDate: 2025-08-20 18:42:20 +0000
Remove MK_GSSAPI
For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.
While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system. This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D51859
---
Makefile.inc1 | 6 ++----
UPDATING | 9 +++++++++
include/Makefile | 2 +-
kerberos5/Makefile.inc | 2 --
kerberos5/lib/Makefile | 2 --
kerberos5/libexec/Makefile | 2 --
lib/Makefile | 6 +++---
libexec/rc/rc.d/Makefile | 2 +-
secure/libexec/sshd-session/Makefile | 2 +-
secure/ssh.mk | 3 +--
secure/usr.bin/ssh/Makefile | 2 +-
secure/usr.sbin/sshd/Makefile | 2 +-
share/man/man5/src.conf.5 | 22 ++++++----------------
share/mk/local.dirdeps.mk | 2 +-
share/mk/src.opts.mk | 2 +-
tools/build/mk/OptionalObsoleteFiles.inc | 4 ++--
tools/build/options/WITHOUT_GSSAPI | 1 -
tools/build/options/WITHOUT_KERBEROS | 2 +-
usr.bin/Makefile | 2 +-
usr.sbin/Makefile | 4 +---
20 files changed, 33 insertions(+), 46 deletions(-)
diff --git a/Makefile.inc1 b/Makefile.inc1
index 861d368af838..d65d1c86deac 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -3387,7 +3387,7 @@ secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L
lib/libcrypt__L
secure/lib/libssh__L: lib/libldns__L
.endif
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
.if ${MK_MITKRB5} != "no"
secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \
krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L
@@ -3446,11 +3446,9 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__L
kerberos5/lib/libheimbas
lib/libsqlite3__L: lib/libthr__L
-.if ${MK_GSSAPI} != "no"
-.if ${MK_MITKRB5} == "no"
+.if ${MK_KERBEROS} != "no" && ${MK_MITKRB5} == "no"
_lib_libgssapi= lib/libgssapi
.endif
-.endif
.if ${MK_KERBEROS} != "no"
.if ${MK_MITKRB5} != "no"
diff --git a/UPDATING b/UPDATING
index 8620df648703..575669b8bc64 100644
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 15.x IS SLOW:
world, or to merely disable the most expensive debugging functionality
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+20250820:
+ The WITHOUT_GSSAPI src.conf knob has been removed. This was already
+ a no-op for MIT Kerberos, so this only affects builds which set
+ WITHOUT_MITKRB5=1, in which case you now always get libgssapi.
+
+ Also, Heimdal's compile_et and libcom_err are now controlled by
+ WITHOUT_KERBEROS, not WITHOUT_KERBEROS_SUPPORT. This matches
+ the behaviour of the MIT Kerberos versions.
+
20250820:
Commits 08c7dd2fbe4f and a4197ea47777 have changed the ABI between
libvmmapi and the vmm device. If using a custom kernel configuration,
diff --git a/include/Makefile b/include/Makefile
index 2792d594a888..07890362d7a6 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -293,7 +293,7 @@ LSUBSUBDIRS+= netgraph/bluetooth/include
LSUBDIRS+= fs/cuse
.endif
-.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no"
+.if ${MK_KERBEROS} != "no" && ${MK_MITKRB5} == "no"
SUBDIR+= gssapi
INCS+= gssapi.h
.endif
diff --git a/kerberos5/Makefile.inc b/kerberos5/Makefile.inc
index 2525f3888806..e02e110b5786 100644
--- a/kerberos5/Makefile.inc
+++ b/kerberos5/Makefile.inc
@@ -29,9 +29,7 @@ ETSRCS= \
${KRB5DIR}/lib/wind/wind_err.et \
${KRB5DIR}/lib/ntlm/ntlm_err.et
-.if ${MK_GSSAPI} != "no"
ETSRCS+= ${KRB5DIR}/lib/gssapi/krb5/gkrb5_err.et
-.endif
.for ET in ${ETSRCS}
.for _ET in ${ET:T:R}
diff --git a/kerberos5/lib/Makefile b/kerberos5/lib/Makefile
index 7b63da16e360..1f631b48ce83 100644
--- a/kerberos5/lib/Makefile
+++ b/kerberos5/lib/Makefile
@@ -7,10 +7,8 @@ SUBDIR= libasn1 libhdb \
SUBDIR+= libkafs5 # requires krb_err.h from libkrb5
SUBDIR_DEPEND_libkafs5= libkrb5
-.if ${MK_GSSAPI} != "no"
SUBDIR+= libgssapi_krb5
SUBDIR+= libgssapi_ntlm
SUBDIR+= libgssapi_spnego
-.endif
.include <bsd.subdir.mk>
diff --git a/kerberos5/libexec/Makefile b/kerberos5/libexec/Makefile
index 543331d5029b..2ac9c2d45f28 100644
--- a/kerberos5/libexec/Makefile
+++ b/kerberos5/libexec/Makefile
@@ -4,8 +4,6 @@ SUBDIR= digest-service ipropd-master ipropd-slave hprop hpropd
kdc \
kdigest kfd kimpersonate kpasswdd kcm
SUBDIR_PARALLEL=
-.if ${MK_GSSAPI} != "no"
SUBDIR+= kadmind
-.endif
.include <bsd.subdir.mk>
diff --git a/lib/Makefile b/lib/Makefile
index 9447cc4551c0..2b7cf2fdcb7d 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -179,12 +179,12 @@ SUBDIR.${MK_FDT}+= libfdt
SUBDIR.${MK_FILE}+= libmagic
SUBDIR.${MK_GPIO}+= libgpio
.if ${MK_MITKRB5} == "no"
-SUBDIR.${MK_GSSAPI}+= libgssapi
+SUBDIR.${MK_KERBEROS}+= libgssapi
.endif
-SUBDIR.${MK_GSSAPI}+= librpcsec_gss
+SUBDIR.${MK_KERBEROS}+= librpcsec_gss
SUBDIR.${MK_ICONV}+= libiconv_modules
.if ${MK_MITKRB5} == "no"
-SUBDIR.${MK_KERBEROS_SUPPORT}+= libcom_err
+SUBDIR.${MK_KERBEROS}+= libcom_err
.endif
SUBDIR.${MK_LDNS}+= libldns
SUBDIR.${MK_STATS}+= libstats
diff --git a/libexec/rc/rc.d/Makefile b/libexec/rc/rc.d/Makefile
index d0c6fc1dee46..7c1f50b027a9 100644
--- a/libexec/rc/rc.d/Makefile
+++ b/libexec/rc/rc.d/Makefile
@@ -215,7 +215,7 @@ FTPD= ftpd
FTPDPACKAGE= ftpd
.endif
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
CONFGROUPS+= GSSD
GSSD= gssd
GSSDPACKAGE= gssd
diff --git a/secure/libexec/sshd-session/Makefile
b/secure/libexec/sshd-session/Makefile
index 37e099794bd5..5ed459fe492a 100644
--- a/secure/libexec/sshd-session/Makefile
+++ b/secure/libexec/sshd-session/Makefile
@@ -38,7 +38,7 @@ LIBADD+= blacklist
LDFLAGS+=-L${LIBBLACKLISTDIR}
.endif
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
.if ${MK_MITKRB5} != "no"
LIBADD+= gssapi_krb5 krb5
.include "../../krb5/Makefile.inc"
diff --git a/secure/ssh.mk b/secure/ssh.mk
index bb6dd9b748e4..97dd089d98e8 100644
--- a/secure/ssh.mk
+++ b/secure/ssh.mk
@@ -9,12 +9,11 @@ SKSRCS= ssh-sk-client.c
CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
CFLAGS+= -include krb5_config.h
.if ${MK_MITKRB5} == "no"
CFLAGS+= -DHEIMDAL=1
.endif
-
.endif
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE:U/usr/local}/bin/xauth\"
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index a4f36d0fe2df..2b11b783c007 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -17,7 +17,7 @@ SRCS+= gss-genr.c
LIBADD= ssh
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
.if ${MK_MITKRB5} == "no"
LIBADD+= gssapi
.else
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index f37dfe1c1b3a..433a87984e42 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -18,7 +18,7 @@ moduli: .MADE
LIBADD= ssh util
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
.if ${MK_MITKRB5} == "no"
LIBADD+= gssapi_krb5 gssapi krb5
.else
diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5
index f79d160255bf..2895c0cf4746 100644
--- a/share/man/man5/src.conf.5
+++ b/share/man/man5/src.conf.5
@@ -1,5 +1,5 @@
.\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman.
-.Dd August 19, 2025
+.Dd August 20, 2025
.Dt SRC.CONF 5
.Os
.Sh NAME
@@ -452,8 +452,6 @@ When set, it enforces these options:
.It
.Va WITHOUT_KERBEROS
.It
-.Va WITHOUT_KERBEROS_SUPPORT
-.It
.Va WITHOUT_LDNS
.It
.Va WITHOUT_LDNS_UTILS
@@ -480,9 +478,9 @@ When set, it enforces these options:
When set, these options are also in effect:
.Pp
.Bl -inset -compact
-.It Va WITHOUT_GSSAPI
+.It Va WITHOUT_KERBEROS_SUPPORT
(unless
-.Va WITH_GSSAPI
+.Va WITH_KERBEROS_SUPPORT
is set explicitly)
.El
.It Va WITH_CTF
@@ -739,8 +737,6 @@ and dependent tests.
Do not build
.Xr gpioctl 8
as part of the base system.
-.It Va WITHOUT_GSSAPI
-Do not build libgssapi.
.It Va WITHOUT_HAST
Do not build
.Xr hastd 8
@@ -840,14 +836,10 @@ Do not build
and
.Xr truss 1 .
.It Va WITHOUT_KERBEROS
-Set this to not build Kerberos 5 (KTH Heimdal).
+Set this to not build Kerberos.
When set, these options are also in effect:
.Pp
.Bl -inset -compact
-.It Va WITHOUT_GSSAPI
-(unless
-.Va WITH_GSSAPI
-is set explicitly)
.It Va WITHOUT_KERBEROS_SUPPORT
(unless
.Va WITH_KERBEROS_SUPPORT
@@ -1433,8 +1425,6 @@ When set, it enforces these options:
.It
.Va WITHOUT_KERBEROS
.It
-.Va WITHOUT_KERBEROS_SUPPORT
-.It
.Va WITHOUT_LDNS
.It
.Va WITHOUT_LDNS_UTILS
@@ -1459,9 +1449,9 @@ When set, it enforces these options:
When set, these options are also in effect:
.Pp
.Bl -inset -compact
-.It Va WITHOUT_GSSAPI
+.It Va WITHOUT_KERBEROS_SUPPORT
(unless
-.Va WITH_GSSAPI
+.Va WITH_KERBEROS_SUPPORT
is set explicitly)
.El
.It Va WITHOUT_OPENSSL_KTLS
diff --git a/share/mk/local.dirdeps.mk b/share/mk/local.dirdeps.mk
index a92539689a31..bdc7242d4bfd 100644
--- a/share/mk/local.dirdeps.mk
+++ b/share/mk/local.dirdeps.mk
@@ -185,7 +185,7 @@ C_DIRDEPS= \
# libgcc is needed as well but is added later.
-.if ${MK_GSSAPI} != "no"
+.if ${MK_KERBEROS} != "no" && ${MK_MITKRB5} == "no"
C_DIRDEPS+= include/gssapi
.endif
diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
index 8a52fe03221e..85a003eb4eaf 100644
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@@ -508,7 +508,7 @@ MK_LOADER_VERIEXEC_PASS_MANIFEST := no
# MK_* options whose default value depends on another option.
#
.for vv in \
- GSSAPI/KERBEROS \
+ KERBEROS_SUPPORT/KERBEROS \
MAN_UTILS/MAN
.if defined(WITH_${vv:H})
MK_${vv:H}:= yes
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc
b/tools/build/mk/OptionalObsoleteFiles.inc
index dcd606feea1d..27d03f13c4e3 100644
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -2262,13 +2262,13 @@ OLD_FILES+=usr/share/man/man3/gpio_pin_tristate.3.gz
OLD_FILES+=usr/share/man/man8/gpioctl.8.gz
.endif
-.if ${MK_GSSAPI} == "no" || ${MK_KERBEROS_SUPPORT} == "no"
+.if ${MK_KERBEROS_SUPPORT} == "no"
OLD_FILES+=etc/rc.d/gssd
OLD_FILES+=usr/sbin/gssd
OLD_FILES+=usr/share/man/man8/gssd.8.gz
.endif
-.if ${MK_GSSAPI} == no
+.if ${MK_KERBEROS} == no
OLD_FILES+=usr/include/gssapi/gssapi.h
OLD_DIRS+=usr/include/gssapi
OLD_FILES+=usr/include/gssapi.h
diff --git a/tools/build/options/WITHOUT_GSSAPI
b/tools/build/options/WITHOUT_GSSAPI
deleted file mode 100644
index 3b208b6edecd..000000000000
--- a/tools/build/options/WITHOUT_GSSAPI
+++ /dev/null
@@ -1 +0,0 @@
-Do not build libgssapi.
diff --git a/tools/build/options/WITHOUT_KERBEROS
b/tools/build/options/WITHOUT_KERBEROS
index 98e1ffe3721d..e0301ee1d786 100644
--- a/tools/build/options/WITHOUT_KERBEROS
+++ b/tools/build/options/WITHOUT_KERBEROS
@@ -1 +1 @@
-Set this to not build Kerberos 5 (KTH Heimdal).
+Set this to not build Kerberos.
diff --git a/usr.bin/Makefile b/usr.bin/Makefile
index 512f75b5d093..da1a9b3a681f 100644
--- a/usr.bin/Makefile
+++ b/usr.bin/Makefile
@@ -219,7 +219,7 @@ SUBDIR.${MK_ISCSI}+= iscsictl
SUBDIR.${MK_KDUMP}+= kdump
SUBDIR.${MK_KDUMP}+= truss
.if ${MK_MITKRB5} == "no"
-SUBDIR.${MK_KERBEROS_SUPPORT}+= compile_et
+SUBDIR.${MK_KERBEROS}+= compile_et
.endif
SUBDIR.${MK_LDNS_UTILS}+= drill
SUBDIR.${MK_LDNS_UTILS}+= host
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index dcfe2037f8ce..b97c22ffeb08 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -139,9 +139,7 @@ SUBDIR.${MK_FLOPPY}+= fdformat
SUBDIR.${MK_FLOPPY}+= fdread
SUBDIR.${MK_FLOPPY}+= fdwrite
SUBDIR.${MK_FREEBSD_UPDATE}+= freebsd-update
-.if ${MK_KERBEROS_SUPPORT} != "no"
-SUBDIR.${MK_GSSAPI}+= gssd
-.endif
+SUBDIR.${MK_KERBEROS_SUPPORT}+= gssd
SUBDIR.${MK_GPIO}+= gpioctl
SUBDIR.${MK_HYPERV}+= hyperv
SUBDIR.${MK_INET6}+= ip6addrctl
