On 12/11/20 9:23 PM, Benjamin Kaduk wrote:
> It would be useful to give more specifics on the failures, as there's a few
> classes of things that can go wrong.
I thought this would be OT in this thread, but I'll gladly comply :)
> It doesn't look like openssl from
> ports attempts to support the TLS ciphers with kerberos, which would rule
> out the "openssl tries to depend on kerberos" class of issues.
Not sure I understand (too much ignorance on my part).
> I assume,
> then, that you're running into API conflicts where hcrypto and libcrypto
> present similar-named symbols
Actually, I didn't get that far: /usr/ports/Mk/Uses/gssapi.ml just
forbids compilation if using OpenSSL from ports and GSSAPI from base:
IGNORE= You are using OpenSSL from ports and have selected GSSAPI from base,
please select another GSSAPI value
Now that I know there are patches for 11.4, I hope I'm not going to need
OpenSSL from ports, so this is losing interest for me.
> (The heimdal in base is quite old anyway, and using an external kerberos
> would be recommended in general if you're using it for much.)
This is an interesting statement.
I barely know what Kerberos is: granted, I know what it was designed for
and what it provides, but for me it's more or less just a dependency of
Samba and related software.
My use cases are:
_ Samba AD DC;
_ Samba AD member file server;
_ various ways of authenticating against Samba (winbindd, pam_ldap,
nss_ldap, saslauthd, etc...);
_ kerberizing NFSv4 has been in my todo list for a while (but with too
low priority for now :)
In spite of everything working, should I abandon Heimdal from base? For
Heimdal from ports?
(Consider Samba is using its own bundled Heimdal, so this would be for
pam_ldap, nss_ldap, saslauthd, ....).
bye & Thanks
av.