Re: How do we like our base kerberos? Will it flee soon?
On Thu, Nov 11, 2010 at 04:22:57PM +0100, Joerg Pulz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, 10 Nov 2010, Leon Meßner wrote: Hi, What i didn't try: - Use the port. please take a look at ports/152030 and the patches i mentioned in the PR. With applied ports/152030 and the world patch applied, you should be able to build a world fully against the security/heimdal port by simply specifying WITH_KERBEROS_PORT=1 in /etc/src.conf and HEIMDAL_HOME=prefix (normally /usr/local) in /etc/make.conf. You should specify WITHOUT_KERBEROS=1 in /etc/src.conf to avoid mess and confusion with two different heimdal version installed. Don't forget to install the security/heimdal port first. Comments are welcome. Did exactly as told and everything worked fine. Im currently in the process of rebuilding gssapi dependent software. Will tell if it fixed my issue. thanks, Leon ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: How do we like our base kerberos? Will it flee soon?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, 12 Nov 2010, Leon Meßner wrote: On Thu, Nov 11, 2010 at 04:22:57PM +0100, Joerg Pulz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, 10 Nov 2010, Leon Meßner wrote: Hi, What i didn't try: - Use the port. please take a look at ports/152030 and the patches i mentioned in the PR. With applied ports/152030 and the world patch applied, you should be able to build a world fully against the security/heimdal port by simply specifying WITH_KERBEROS_PORT=1 in /etc/src.conf and HEIMDAL_HOME=prefix (normally /usr/local) in /etc/make.conf. You should specify WITHOUT_KERBEROS=1 in /etc/src.conf to avoid mess and confusion with two different heimdal version installed. Don't forget to install the security/heimdal port first. Comments are welcome. Did exactly as told and everything worked fine. Im currently in the process of rebuilding gssapi dependent software. Will tell if it fixed my issue. Hi, good to hear that everything went fine for you. If you're using 8.x you should remove some of the leftover kerberos/gssapi libraries by yourself as the ObsoleteFiles list is still incomplete in 8.x and 'make delete-old delete-old-libs' will not remove everything. E.g. in /usr/lib and /usr/lib32 libasn1* libgssapi* libhdb* libheimntlm* libhx509* libkadm5* libkafs5* libkrb5* in /usr/libexec kcm If you're using CURRENT then everything is removed by 'make delete-old delete-old-libs'. Btw. If you're using security/cyrus-sasl2 with GSSAPI please take a look at PR/152071. If you're using databases/postgresql*-server, net/freeradius(2) or security/openssh-portable please take a look at PR/152029. Kind regards Joerg - -- The beginning is the most important part of the work. -Plato -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.16 (FreeBSD) iD8DBQFM3XNoSPOsGF+KA+MRAovlAKC/2aDRz2mydpO8wz+Cgzt79W8WaQCgmmI3 gGWX7HXD4KoUSFrfgaHj3OI= =eFIp -END PGP SIGNATURE-___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: How do we like our base kerberos? Will it flee soon?
On Fri, Nov 12, 2010 at 06:03:33PM +0100, Joerg Pulz wrote: On Fri, 12 Nov 2010, Leon Meßner wrote: On Thu, Nov 11, 2010 at 04:22:57PM +0100, Joerg Pulz wrote: On Wed, 10 Nov 2010, Leon Meßner wrote: Did exactly as told and everything worked fine. Im currently in the process of rebuilding gssapi dependent software. Will tell if it fixed my issue. Hi, good to hear that everything went fine for you. If you're using 8.x you should remove some of the leftover kerberos/gssapi libraries by yourself as the ObsoleteFiles list is still incomplete in 8.x and 'make delete-old delete-old-libs' will not remove everything. E.g. in /usr/lib and /usr/lib32 libasn1* libgssapi* libhdb* libheimntlm* libhx509* libkadm5* libkafs5* libkrb5* in /usr/libexec kcm It looks like i do also still have the old kerberos tools (kinit,kadmin etc.) in the base prefix and they do now segfault: /libexec/ld-elf.so.1: Shared object libkafs5.so.10 not found, required by kinit # ls /usr/local/lib/libkafs* /usr/local/lib/libkafs.a/usr/local/lib/libkafs.la /usr/local/lib/libkafs.so /usr/local/lib/libkafs.so.5 Btw. If you're using security/cyrus-sasl2 with GSSAPI please take a look at PR/152071. Using that. Patch applied and build cleanly. saslauthd starts as expected. But i do have some problems now getting tickets. This machine is a kerberos slave. if i start ipropd-slave with local kdc running i get: krb5_get_init_creds: Client (iprop/lise.physik-pool.tu-berlin...@pcpool.physik.tu-berlin.de) unknown when local kdc is not running authentication works but i get: ipropd-slave[28610]: connection successful to master: marie.physik-pool.tu-berlin.de[130.149.58.147] ipropd-slave[28610]: ipropd-slave started at version: 10166 ipropd-slave[28610]: db-open: dbm_open(/var/heimdal/heimdal): Inappropriate file type or format Which i can understand because the db is at /var/heimdal/heimdal.db which in turn is correctly specified in /etc/krb5.conf. Are there any config syntax changes between 0.6.3 and 1.4, so i have to modify my krb5.conf ? Thanks, Leon ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: How do we like our base kerberos? Will it flee soon?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, 10 Nov 2010, Leon Meßner wrote: Hi, I'm looking for workarounds for this crappy situation which currently prevents FreeBSD8 from working together with libgssapi (see kern/147454) and multiple threads on -questions. What i tried: - Use old RELENG_8 and RELENG_8_1 sources where Benjamin's patch still applied. (Can't build world then). - Modify /usr/bin/krb5-config to include -lgssapi_spnego -lgssapi_krb5 at the right place (works on some machines). What i didn't try: - Use the port. How are you handling this situation. Does anyone know a cvs tag= and date= combination which lets you build world with Benjamin's patch (tried RELENG_8 and _8_1 from 24.6 and 19.7 and now)? Actually a complete base kerberos would be much appreciated. Hi, please take a look at ports/152030 and the patches i mentioned in the PR. With applied ports/152030 and the world patch applied, you should be able to build a world fully against the security/heimdal port by simply specifying WITH_KERBEROS_PORT=1 in /etc/src.conf and HEIMDAL_HOME=prefix (normally /usr/local) in /etc/make.conf. You should specify WITHOUT_KERBEROS=1 in /etc/src.conf to avoid mess and confusion with two different heimdal version installed. Don't forget to install the security/heimdal port first. Comments are welcome. I will send out a CFT/RFC as soon as the PR is committed. Kind regards Joerg - -- The beginning is the most important part of the work. -Plato -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.16 (FreeBSD) iD8DBQFM3ApTSPOsGF+KA+MRApnEAJ9G5xQ0dAaEX3a1gDweFdu13aPlCACfd5w8 XzalkEA6/BAsZ0ahtCrIop8= =1dPp -END PGP SIGNATURE-___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
How do we like our base kerberos? Will it flee soon?
Hi, I'm looking for workarounds for this crappy situation which currently prevents FreeBSD8 from working together with libgssapi (see kern/147454) and multiple threads on -questions. What i tried: - Use old RELENG_8 and RELENG_8_1 sources where Benjamin's patch still applied. (Can't build world then). - Modify /usr/bin/krb5-config to include -lgssapi_spnego -lgssapi_krb5 at the right place (works on some machines). What i didn't try: - Use the port. How are you handling this situation. Does anyone know a cvs tag= and date= combination which lets you build world with Benjamin's patch (tried RELENG_8 and _8_1 from 24.6 and 19.7 and now)? Actually a complete base kerberos would be much appreciated. best regards, Leon pgpNaCkW0QB3v.pgp Description: PGP signature