curl-7.13.2 had no support for KRB5 and curl-7.15.0 has introduced it using app-crypt/mit-krb5. Could some kind developer please add patches for Heimdal support and change the dependency to virtual/krb5? Thanks

Reproducible: Always
Curl builds even if you change app-crypt/mit-krb5 to virtual/krb5 in the ebuild and use Heimdal. And the dependencies list (http://curl.haxx.se/docs/libs.html) even lists Heimdal as a dependency.
Sure, it builds but I don't think configure detects the Heimdal libraries. Does ldd on /usr/lib/libcurl.so.3 show any Heimdal-related libraries for you?
Created attachment 71190
configure output for curl-7.15.0 using virtual/krb5

This log shows that although --enable-gssapi is passed to configure, it doesn't actually detect and enable gssapi (Heimdal?)
Ok, I didn't check if krb5 support actually worked after building, my bad. But by adding this to the compile section of the ebuild, I got it to build against Heimdal for real:

if use kerberos; then
    myconf="${myconf} --with-gssapi-includes=/usr/include/heimdal"
fi

I also removed the $(use_enable kerberos gssapi) line, since there is no --enable-gssapi flag in configure.

After:

# ldd /usr/lib/libcurl.so.3.0.0
    linux-gate.so.1 => (0xffffe000)
    libgssapi.so.1 => /usr/lib/libgssapi.so.1 (0xb7f5d000)
    libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7f2b000)
    libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e2a000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7e26000)
    libz.so.1 => /lib/libz.so.1 (0xb7e14000)
    libc.so.6 => /lib/tls/libc.so.6 (0xb7cf9000)
    libkrb5.so.17 => /usr/lib/libkrb5.so.17 (0xb7cb9000)
    libasn1.so.6 => /usr/lib/libasn1.so.6 (0xb7c8e000)
    libroken.so.16 => /usr/lib/libroken.so.16 (0xb7c7c000)
    libresolv.so.2 => /lib/libresolv.so.2 (0xb7c68000)
    /lib/ld-linux.so.2 (0x80000000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7c3a000)
    libdb-4.2.so => /usr/lib/libdb-4.2.so (0xb7b5f000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7b5b000)
    libpthread.so.0 => /lib/tls/libpthread.so.0 (0xb7b49000)
Of course the above change will break with MIT... I'll have to leave it to the ebuild gurus to figure out how to get them both working :)
--with-gssapi=/usr seems to work with both.
(In reply to comment #6)
> --with-gssapi=/usr seems to work with both.

Yes, I came to the same conclusion. I modified the ${myconf} setup like this:

myconf="$(use_enable ldap) $(use_with idn libidn) $(use_enable ipv6)
    --enable-http --enable-ftp --enable-gopher --enable-file
    --enable-dict --enable-manual --enable-telnet --enable-nonblocking
    --enable-largefile"

if use kerberos; then
    myconf="${myconf} --with-gssapi=/usr"
fi

if use ipv6 && use ares; then
    ewarn "c-ares support disabled because it is incompatible with ipv6."
    myconf="${myconf} --disable-ares"
else
    myconf="${myconf} $(use_enable ares)"
fi

if use ipv6 && use krb4; then
    ewarn "kerberos-4 support disabled because it is incompatible with ipv6."
    myconf="${myconf} --disable-krb4"
else
    myconf="${myconf} $(use_enable krb4)"
fi

if use gnutls; then
    myconf="${myconf} --without-ssl --with-gnutls=/usr"
elif use ssl; then
    myconf="${myconf} --without-gnutls --with-ssl=/usr"
else
    myconf="${myconf} --without-gnutls --without-ssl"
fi

i.e. removed the (use_enable kerberos gssapi) and added the if use kerberos which specifies --with-gssapi=/usr. You can actually do (use_with kerberos gssapi=/usr) but I suspect that would be viewed as a dirty hack.
Neil, how did you handle the libfbopenssl dependency for krb5? I tried downloading it from sourceforge and a ./configure & make but curl wouldn't link against it.
(In reply to comment #8)
> how did you handle the libfbopenssl dependency for krb5 ?

I've done nothing special other than change the kerberos dependency to virtual/krb5 and put minor modifications in place for gssapi. If you mean openssl (I don't recognise libfbopenssl), I just have ssl in my useflags and I install from portage not manually.
I was under the impression you needed to use SPNEGO for krb5 to work properly. curl then requires libfbopenssl as explained in the curl documentation. Background: I am trying to POST something to a kerberized IIS webserver. I got NTLM working, next is krb5. I may be using the wrong curl options to get this working (there is no -krb5, only --krb4), that's why I asked.
Strike my comments on libfbopenssl and krb5, they're not relevant. The patch in #7 is sufficient but I had to work around curl know_bug #10 and use a fake user:pwd option. When will the patch of #7 make it to the ebuild?
No ETA, but it's on my list of todo.
Created attachment 74010
curl-7.15.0.ebuild.diff

Diff to show the needed changes. Alastair, are you still around?
7.15.1 ebuild has the same problem.
Dear lord it's been at least 4 months can someone fix this already??? I am so tired of seeing every update:

[blocks B ] app-crypt/heimdal (is blocking app-crypt/mit-krb5-1.4.1-r2)

and then manually emerging every package thereafter on the list all because of this stupid bug. It seems like it's a very easy bug to fix. Heimdal's is better than MIT's kerberos anyway.
Hi, I have the same problem since I set kerberos USE flag:

# emerge -uNp world

These are the packages that would be merged, in order:

Calculating world dependencies... done!
[blocks B ] app-crypt/heimdal (is blocking app-crypt/mit-krb5-1.4.3)
[ebuild R ] net-fs/samba-3.0.21c USE="kerberos*"
[ebuild R ] net-fs/openafs-1.4.0-r2 USE="kerberos*"
[ebuild U ] net-ftp/yafc-1.1.1-r1 [1.1.1] USE="kerberos*"
[ebuild N ] app-crypt/mit-krb5-1.4.3 USE="berkdb doc ipv6 tcltk tetex -krb4 -static"
[ebuild R ] net-misc/curl-7.15.2 USE="kerberos*"
[ebuild R ] dev-lang/php-5.1.1 USE="kerberos*"
[ebuild R ] mail-client/pine-4.64-r3 USE="kerberos*"
[ebuild R ] x11-misc/xscreensaver-4.24 USE="kerberos*"

Please either remove the kerberos USE flag dependency and depend directly on mit-krb5 if you have no time to fiddle with heimdal or better apply the patch to the ebuild, please. It applies even to 7.15.2:

# patch -p1 curl-7.15.2.ebuild < a.patch
missing header for unified diff at line 3 of patch
patching file curl-7.15.2.ebuild
Hunk #1 succeeded at 18 (offset -4 lines).
Hunk #2 succeeded at 32 (offset -10 lines).
Hunk #3 succeeded at 65 (offset -10 lines).
#

And finally I got:

# ldd /usr/bin/curl
    linux-gate.so.1 => (0xffffe000)
    libgssapi.so.4 => /usr/lib/libgssapi.so.4 (0xb7f22000)
    libkrb5.so.17 => /usr/lib/libkrb5.so.17 (0xb7ec9000)
    libasn1.so.6 => /usr/lib/libasn1.so.6 (0xb7e8e000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7e8b000)
    libroken.so.16 => /usr/lib/libroken.so.16 (0xb7e76000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e49000)
    libresolv.so.2 => /lib/libresolv.so.2 (0xb7e36000)
    libpthread.so.0 => /lib/tls/libpthread.so.0 (0xb7e24000)
    libcurl.so.3 => /usr/lib/libcurl.so.3 (0xb7dea000)
    libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7dba000)
    libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7cbc000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7cb8000)
    libz.so.1 => /lib/libz.so.1 (0xb7ca6000)
    libc.so.6 => /lib/tls/libc.so.6 (0xb7b91000)
    libdb-4.2.so => /usr/lib/libdb-4.2.so (0xb7ab9000)
    /lib/ld-linux.so.2 (0xb7f5b000)
#
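
The ldd checks in the comments above can be scripted, so a build where USE=kerberos was set but configure silently skipped GSSAPI is caught rather than assumed to work. This is an added example, not code from the thread or the ebuild; the function name and the soname-to-implementation mapping are assumptions.

```shell
#!/bin/sh
# Added example. Reads `ldd` output on stdin and prints which Kerberos/GSSAPI
# implementation the binary is linked against: heimdal, mit, mixed or none.
# Assumed soname mapping: Heimdal = libgssapi.so.* plus libroken.so.*;
# MIT = libgssapi_krb5.so.* or libk5crypto.so.*.
krb5_flavor() {
    awk '
        { lib = $1 }                      # first field is the soname
        lib ~ /^libgssapi_krb5\.so/ { mit = 1 }
        lib ~ /^libk5crypto\.so/    { mit = 1 }
        lib ~ /^libgssapi\.so/      { gss = 1 }
        lib ~ /^libroken\.so/       { roken = 1 }
        END {
            heimdal = (gss && roken)
            if (mit && heimdal) print "mixed"
            else if (mit)       print "mit"
            else if (heimdal)   print "heimdal"
            else                print "none"
        }'
}

# Lines abridged from the ldd output posted in this thread (Heimdal build).
sample_heimdal() {
    cat <<'EOF'
	libgssapi.so.4 => /usr/lib/libgssapi.so.4 (0xb7f22000)
	libkrb5.so.17 => /usr/lib/libkrb5.so.17 (0xb7ec9000)
	libroken.so.16 => /usr/lib/libroken.so.16 (0xb7e76000)
	libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7dba000)
EOF
}

# Constructed sample: a build linked against MIT krb5.
sample_mit() {
    cat <<'EOF'
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7f00000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7e00000)
EOF
}

# Constructed sample: kerberos was requested but no GSSAPI library got linked.
sample_none() {
    cat <<'EOF'
	libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7f2b000)
	libz.so.1 => /lib/libz.so.1 (0xb7e14000)
EOF
}

# On a real system: ldd /usr/lib/libcurl.so.3 | krb5_flavor
for s in sample_heimdal sample_mit sample_none; do
    printf '%s: %s\n' "$s" "$("$s" | krb5_flavor)"
done
```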
*bump* Another month has passed. Would some dev please apply the patch? @submitter: Please raise severity to normal or blocker, as it's getting really annoying.
Changes are now in portage. Sorry about the delay!