On Thu, Aug 7, 2025 at 10:21 AM Cy Schubert <cy.schub...@cschubert.com> wrote: > > CAUTION: This email originated from outside of the University of Guelph. Do > not click links or open attachments unless you recognize the sender and know > the content is safe. If in doubt, forward suspicious emails to > ith...@uoguelph.ca. > > Rick, > > Please go ahead with your kgssapi patches. I have applied them here. > Kerberized NFS works again. Thanks. It's back in main and at least survived a make buildworld. (timderbox just takes too long, even on the universe14a to-day.)
rick > > > -- > Cheers, > Cy Schubert <cy.schub...@cschubert.com> > FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org > NTP: <c...@nwtime.org> Web: https://nwtime.org > > e**(i*pi)+1=0 > > > In message <202508071717.577hhbfi052...@gitrepo.freebsd.org>, Cy Schubert > write > s: > > The branch main has been updated by cy: > > > > URL: > > https://cgit.FreeBSD.org/src/commit/?id=e26259f48afe98022d885f02fbb8abcd > > 7878e41a > > > > commit e26259f48afe98022d885f02fbb8abcd7878e41a > > Author: Cy Schubert <c...@freebsd.org> > > AuthorDate: 2025-07-31 16:51:20 +0000 > > Commit: Cy Schubert <c...@freebsd.org> > > CommitDate: 2025-08-07 17:17:00 +0000 > > > > gssapi,krb5: Replace libgssapi with the MIT version > > > > lib/libgssapi is based on Heimdal. As on Linux systems, the MIT > > libgssapi_krb5 replaces it. With both gssapi libraries and header files > > installed results in broken buildworld (gssd) and ports that will not > > build without modifications to support the MIT gssapi in an alternate > > location. > > > > 73ed0c7992fd removed the MIT GSSAPI headers from /usr/include. Apps > > using > > MIT KRB5 gssapi functions and structures will fail to build without this > > patch. > > > > This patch includes a temporary patch to usr.sbin/gssd to allow it > > to build with this patch. rmacklem@ has a patch for this and for > > kgssapi that uses this patch to resolve kgssapi issues for NFS with > > Kerberos. > > > > This patch is an updated version of D51661 to allow it to build > > following > > additional patchs to the tree. > > > > This should have been implmented with 7e35117eb07f. > > > > Fixes: 7e35117eb07f, 73ed0c7992fd > > Differential Revision: https://reviews.freebsd.org/D51661 > > --- > > Makefile.inc1 | 6 ++++-- > > ObsoleteFiles.inc | 6 ++++++ > > etc/gss-krb5/Makefile | 2 +- > > etc/gss-krb5/qop | 1 - > > etc/mtree/BSD.include.dist | 4 ---- > > include/Makefile | 2 +- > > krb5/include/Makefile | 5 ++--- > > krb5/include/gssapi/Makefile | 9 ++------- > > krb5/lib/gssapi/generic/Makefile.inc | 2 +- > > lib/Makefile | 7 ++++++- > > lib/librpcsec_gss/Makefile | 6 ++++++ > > secure/libexec/sshd-session/Makefile | 9 ++++----- > > secure/usr.bin/ssh/Makefile | 4 ++++ > > secure/usr.sbin/sshd/Makefile | 4 ++++ > > share/mk/src.libnames.mk | 4 ++++ > > tools/build/mk/OptionalObsoleteFiles.inc | 3 +++ > > usr.sbin/gssd/Makefile | 5 ++--- > > usr.sbin/gssd/gssd.c | 3 +++ > > 18 files changed, 53 insertions(+), 29 deletions(-) > > > > diff --git a/Makefile.inc1 b/Makefile.inc1 > > index e6c9b49eefa3..9128d1d8ee77 100644 > > --- a/Makefile.inc1 > > +++ b/Makefile.inc1 > > @@ -3379,8 +3379,8 @@ secure/lib/libssh__L: lib/libldns__L > > > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > > .if ${MK_MITKRB5} != "no" > > -secure/lib/libssh__L: lib/libgssapi__L krb5/lib/krb5__L \ > > - krb5/util/et__L lib/libmd__L krb5/util/support__L > > +secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \ > > + krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L > > .else > > secure/lib/libssh__L: lib/libgssapi__L kerberos5/lib/libkrb5__L \ > > kerberos5/lib/libhx509__L kerberos5/lib/libasn1__L lib/libcom_err__L \ > > @@ -3437,8 +3437,10 @@ kerberos5/lib/libheimipcc__L: > > kerberos5/lib/libroken__ > > L kerberos5/lib/libheimbas > > lib/libsqlite3__L: lib/libthr__L > > > > .if ${MK_GSSAPI} != "no" > > +.if ${MK_MITKRB5} == "no" > > _lib_libgssapi= lib/libgssapi > > .endif > > +.endif > > > > .if ${MK_KERBEROS} != "no" > > .if ${MK_MITKRB5} != "no" > > diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc > > index 86a449c80a76..2f63bbea5a49 100644 > > --- a/ObsoleteFiles.inc > > +++ b/ObsoleteFiles.inc > > @@ -51,6 +51,12 @@ > > # xargs -n1 | sort | uniq -d; > > # done > > > > +# 20250807: Replace lib/libgssapi with krb5/lib/gssapi > > +OLD_FILES+=usr/include/gssapi_krb5/gssapi/gssapi.h > > +OLD_DIRS+=usr/include/gssapi_krb5/gssapi > > +OLD_DIRS+=usr/include/gssapi_krb5 > > +OLD_FILES+=etc/gssapi/qop > > + > > # 20250802: libutil bumped to 10 > > OLD_LIBS+=lib/libutil.so.9 > > > > diff --git a/etc/gss-krb5/Makefile b/etc/gss-krb5/Makefile > > index 301a8e074e8c..8886ed35e281 100644 > > --- a/etc/gss-krb5/Makefile > > +++ b/etc/gss-krb5/Makefile > > @@ -1,4 +1,4 @@ > > -FILES= mech qop > > +FILES= mech > > NO_OBJ= > > FILESDIR= /etc/gss > > > > diff --git a/etc/gss-krb5/qop b/etc/gss-krb5/qop > > deleted file mode 100644 > > index 7d5b6b8f33dd..000000000000 > > --- a/etc/gss-krb5/qop > > +++ /dev/null > > @@ -1 +0,0 @@ > > -GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200 kerberosv5 > > diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist > > index 0e9f739425a1..28c4d91ac1c0 100644 > > --- a/etc/mtree/BSD.include.dist > > +++ b/etc/mtree/BSD.include.dist > > @@ -258,10 +258,6 @@ > > .. > > gssapi > > .. > > - gssapi_krb5 > > - gssapi > > - .. > > - .. > > gssrpc > > .. > > infiniband > > diff --git a/include/Makefile b/include/Makefile > > index af7ef2337941..2792d594a888 100644 > > --- a/include/Makefile > > +++ b/include/Makefile > > @@ -293,7 +293,7 @@ LSUBSUBDIRS+= netgraph/bluetooth/include > > LSUBDIRS+= fs/cuse > > .endif > > > > -.if ${MK_GSSAPI} != "no" > > +.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no" > > SUBDIR+= gssapi > > INCS+= gssapi.h > > .endif > > diff --git a/krb5/include/Makefile b/krb5/include/Makefile > > index 699211b9c3c9..64c5d39b867b 100644 > > --- a/krb5/include/Makefile > > +++ b/krb5/include/Makefile > > @@ -17,13 +17,12 @@ SUBDIR= krb5 gssrpc gssapi > > > > SUBDIR_PARALLEL= > > > > -INCSGROUPS= INCS > > - > > INCSDIR= ${INCLUDEDIR} > > > > .PATH: ${KRB5_DIR}/include > > > > -INCS= kdb.h \ > > +INCS= gssapi.h \ > > + kdb.h \ > > krad.h \ > > krb5.h > > > > diff --git a/krb5/include/gssapi/Makefile b/krb5/include/gssapi/Makefile > > index 4959bf78944d..b181187e9d95 100644 > > --- a/krb5/include/gssapi/Makefile > > +++ b/krb5/include/gssapi/Makefile > > @@ -15,16 +15,11 @@ > > > > INCSGROUPS= INCS GSSAPI_KRB5 > > INCSDIR= ${INCLUDEDIR}/gssapi > > -GSSAPI_KRB5DIR= ${INCLUDEDIR}/gssapi_krb5 > > > > -INCS= gssapi_alloc.h \ > > +INCS= gssapi.h \ > > + gssapi_alloc.h \ > > gssapi_ext.h \ > > gssapi_generic.h \ > > gssapi_krb5.h > > > > -# This gssapi header file is only needed should an app need > > -# to build using the MIT KRB5 GSSAPI library. > > - > > -GSSAPI_KRB5= gssapi.h > > - > > .include <bsd.prog.mk> > > diff --git a/krb5/lib/gssapi/generic/Makefile.inc > > b/krb5/lib/gssapi/generic/M > > akefile.inc > > index 9de18079a341..ef76172655d6 100644 > > --- a/krb5/lib/gssapi/generic/Makefile.inc > > +++ b/krb5/lib/gssapi/generic/Makefile.inc > > @@ -36,7 +36,7 @@ SRCS+= disp_com_err_status.c \ > > INCSGROUPS= GSSAPI_INCS > > GSSAPI_INCS= gssapi.h > > INCS+= ${GENI} > > -GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi_krb5/gssapi > > +GSSAPI_INCSDIR= ${INCLUDEDIR}/gssapi > > > > CLEANFILES+= gssapi.h ${GGEN} ${GGENI} > > > > diff --git a/lib/Makefile b/lib/Makefile > > index e5139b312a75..9447cc4551c0 100644 > > --- a/lib/Makefile > > +++ b/lib/Makefile > > @@ -137,7 +137,9 @@ SUBDIR_DEPEND_libdevstat= libkvm > > SUBDIR_DEPEND_libdpv= libfigpar ncurses libutil > > SUBDIR_DEPEND_libedit= ncurses > > SUBDIR_DEPEND_libgeom= libexpat libsbuf > > +.if ${MK_MITKRB5} == "no" > > SUBDIR_DEPEND_librpcsec_gss= libgssapi > > +.endif > > SUBDIR_DEPEND_libmagic= libz > > SUBDIR_DEPEND_libmemstat= libkvm > > SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil > > ${ > > _libypclnt} ${_libcom_err} > > @@ -176,7 +178,10 @@ SUBDIR.${MK_DIALOG}+= libdpv libfigpar > > SUBDIR.${MK_FDT}+= libfdt > > SUBDIR.${MK_FILE}+= libmagic > > SUBDIR.${MK_GPIO}+= libgpio > > -SUBDIR.${MK_GSSAPI}+= libgssapi librpcsec_gss > > +.if ${MK_MITKRB5} == "no" > > +SUBDIR.${MK_GSSAPI}+= libgssapi > > +.endif > > +SUBDIR.${MK_GSSAPI}+= librpcsec_gss > > SUBDIR.${MK_ICONV}+= libiconv_modules > > .if ${MK_MITKRB5} == "no" > > SUBDIR.${MK_KERBEROS_SUPPORT}+= libcom_err > > diff --git a/lib/librpcsec_gss/Makefile b/lib/librpcsec_gss/Makefile > > index a29d9780c1ab..eebc975acbd2 100644 > > --- a/lib/librpcsec_gss/Makefile > > +++ b/lib/librpcsec_gss/Makefile > > @@ -1,10 +1,16 @@ > > +.include <src.opts.mk> > > + > > PACKAGE=lib${LIB} > > LIB= rpcsec_gss > > SHLIB_MAJOR= 1 > > SRCS+= rpcsec_gss.c rpcsec_gss_prot.c rpcsec_gss_conf.c > > rpcsec_gss_mis > > c.c \ > > svc_rpcsec_gss.c > > > > +.if ${MK_MITKRB5} == "no" > > LIBADD= gssapi > > +.else > > +LIBADD= gssapi_krb5 > > +.endif > > > > VERSION_DEF= ${SRCTOP}/lib/libc/Versions.def > > SYMBOL_MAPS= ${.CURDIR}/Symbol.map > > diff --git a/secure/libexec/sshd-session/Makefile > > b/secure/libexec/sshd-sessi > > on/Makefile > > index 8841cace5239..37e099794bd5 100644 > > --- a/secure/libexec/sshd-session/Makefile > > +++ b/secure/libexec/sshd-session/Makefile > > @@ -39,15 +39,14 @@ LDFLAGS+=-L${LIBBLACKLISTDIR} > > .endif > > > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > > -LIBADD+= gssapi_krb5 gssapi krb5 > > .if ${MK_MITKRB5} != "no" > > +LIBADD+= gssapi_krb5 krb5 > > .include "../../krb5/Makefile.inc" > > CFLAGS+= -I${KRB5_DIR}/include \ > > -I${KRB5_SRCTOP}/include \ > > - -I${KRB5_OBJTOP}/lib \ > > - -I${KRB5_DIR}/lib/gssapi/generic \ > > - -I${KRB5_DIR}/lib/gssapi/krb5 \ > > - -I${KRB5_DIR}/lib/gssapi/mechglue > > + -I${KRB5_OBJTOP}/lib > > +.else > > +LIBADD+= gssapi_krb5 gssapi krb5 > > .endif > > .endif > > > > diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile > > index acb1fd4eaa25..a4f36d0fe2df 100644 > > --- a/secure/usr.bin/ssh/Makefile > > +++ b/secure/usr.bin/ssh/Makefile > > @@ -18,7 +18,11 @@ SRCS+= gss-genr.c > > LIBADD= ssh > > > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > > +.if ${MK_MITKRB5} == "no" > > LIBADD+= gssapi > > +.else > > +LIBADD+= gssapi_krb5 > > +.endif > > .endif > > > > LIBADD+= crypto > > diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile > > index e6913cd9d0d6..f37dfe1c1b3a 100644 > > --- a/secure/usr.sbin/sshd/Makefile > > +++ b/secure/usr.sbin/sshd/Makefile > > @@ -19,7 +19,11 @@ moduli: .MADE > > LIBADD= ssh util > > > > .if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no" > > +.if ${MK_MITKRB5} == "no" > > LIBADD+= gssapi_krb5 gssapi krb5 > > +.else > > +LIBADD+= gssapi_krb5 krb5 > > +.endif > > .endif > > > > .if ${MK_TCP_WRAPPERS} != "no" > > diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk > > index 283a99496b9f..9ca043e7733c 100644 > > --- a/share/mk/src.libnames.mk > > +++ b/share/mk/src.libnames.mk > > @@ -472,7 +472,11 @@ _DP_ncursesw= tinfow > > _DP_formw= ncursesw > > _DP_nvpair= spl > > _DP_panelw= ncursesw > > +.if ${MK_MITKRB5} == "no" > > _DP_rpcsec_gss= gssapi > > +.else > > +_DP_rpcsec_gss= gssapi_krb5 > > +.endif > > _DP_smb= kiconv > > _DP_ulog= md > > _DP_fifolog= z > > diff --git a/tools/build/mk/OptionalObsoleteFiles.inc > > b/tools/build/mk/Option > > alObsoleteFiles.inc > > index aa6d04f1cc43..8e5ac7fa2a63 100644 > > --- a/tools/build/mk/OptionalObsoleteFiles.inc > > +++ b/tools/build/mk/OptionalObsoleteFiles.inc > > @@ -4836,6 +4836,7 @@ OLD_FILES+=usr/share/man/man8/sserver.8.gz > > .else > > .if ${MK_MITKRB5} != "no" > > # Remove Heimdal because we want MIT KRB5 but not Heimdal > > +OLD_FILES+=etc/gss/qop > > OLD_FILES+=etc/rc.d/ipropd_master > > OLD_FILES+=etc/rc.d/ipropd_slave > > OLD_FILES+=usr/bin/asn1_compile > > @@ -4921,6 +4922,8 @@ OLD_LIBS+=usr/lib/libasn1.so.11 > > OLD_FILES+=usr/lib/libasn1_p.a > > OLD_LIBS+=usr/lib/libcom_err.so.5 > > OLD_FILES+=usr/lib/libcom_err_p.a > > +OLD_LIBS+=usr/lib/libgssapi.a > > +OLD_LIBS+=usr/lib/libgssapi.so.10 > > OLD_LIBS+=usr/lib/libgssapi_krb5.so.10 > > OLD_FILES+=usr/lib/libgssapi_krb5_p.a > > OLD_FILES+=usr/lib/libgssapi_mech.a > > diff --git a/usr.sbin/gssd/Makefile b/usr.sbin/gssd/Makefile > > index 569e2c7e18f5..336a1b49f696 100644 > > --- a/usr.sbin/gssd/Makefile > > +++ b/usr.sbin/gssd/Makefile > > @@ -9,15 +9,14 @@ SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c > > gssd_prot.c > > CFLAGS+= -I. > > WARNS?= 1 > > > > -LIBADD= gssapi > > .if ${MK_KERBEROS_SUPPORT} != "no" > > .if ${MK_MITKRB5} != "no" > > # MIT KRB5 > > -LIBADD+= krb5 k5crypto krb5profile krb5support > > +LIBADD+= gssapi_krb5 krb5 k5crypto krb5profile krb5support > > CFLAGS+= -DMK_MITKRB5=yes > > .else > > # Heimdal > > -LIBADD+= krb5 roken > > +LIBADD+= gssapi krb5 roken > > .endif > > .else > > CFLAGS+= -DWITHOUT_KERBEROS > > diff --git a/usr.sbin/gssd/gssd.c b/usr.sbin/gssd/gssd.c > > index 94eb6ca575c8..2a3af05496cf 100644 > > --- a/usr.sbin/gssd/gssd.c > > +++ b/usr.sbin/gssd/gssd.c > > @@ -53,6 +53,9 @@ > > #include <arpa/inet.h> > > #include <netinet/in.h> > > #include <gssapi/gssapi.h> > > +#ifdef MK_MITKRB5 > > +#include <gssapi/gssapi_krb5.h> > > +#endif > > #include <rpc/rpc.h> > > #include <rpc/rpc_com.h> > > > > > >
