Bug 242060 - net-proxy/squid-3.0.9 lacks kerberos use flag
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Network Proxy Developers (OBSOLETE)
 
Reported: 2008-10-14 14:41 UTC by Klaus Birkelund Jensen
Modified: 2008-11-30 19:22 UTC

Attachments
Add 'kerberos' use flag for squid. (squid-3.0.9_add_kerberos_useflag.diff,1.29 KB, patch)
2008-10-14 14:44 UTC, Klaus Birkelund Jensen
Change squid_kerb_auth Makefiles to use heimdal (squid-3.0.9-heimdal.patch,1.57 KB, patch)
2008-10-17 14:12 UTC, Martin von Gagern
Add 'SQUID_KEYTAB' to /etc/conf.d/squid (squid.confd_add_keytab.patch,402 bytes, patch)
2008-11-04 14:44 UTC, Klaus Birkelund Jensen
Make the init-script pass KRB5_KTNAME to the squid executable (squid.initd_add_keytab.patch,309 bytes, patch)
2008-11-04 14:47 UTC, Klaus Birkelund Jensen
Make the init-script pass KRB5_KTNAME to the squid executable (squid.initd-logrotate_add_keytab.patch,329 bytes, patch)
2008-11-04 14:49 UTC, Klaus Birkelund Jensen

Description Klaus Birkelund Jensen 2008-10-14 14:41:47 UTC
Squid 3.0.9 includes support for the squid_kerb_auth helper program but is never built.

This patch adds the 'kerberos' use flag to configure squid with --enable-negotiate-auth-helpers="squid_kerb_auth".

Reproducible: Always

Steps to Reproduce:
1. USE="kerberos" emerge -av squid
Actual Results:  
Squid is built without the squid_kerb_auth helper.

Expected Results:  
Squid is built with the squid_kerb_auth helper.
Comment 1 Klaus Birkelund Jensen 2008-10-14 14:44:27 UTC
Created attachment 168428 [details, diff]
Add 'kerberos' use flag for squid.

This patch solves the problem.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2008-10-16 19:11:13 UTC
Fixed in versions 3.0.9 and 2.7.4-r2. Thanks!

The only thing I changed is the dependency atom. According to the readme file, app-crypt/heimdal can also be used.
Comment 3 Martin von Gagern 2008-10-17 14:12:33 UTC
Created attachment 168790 [details, diff]
Change squid_kerb_auth Makefiles to use heimdal

(In reply to comment #2)
> According to the readme file, app-crypt/heimdal can also be used.

It might, but not out of the box. Looking at section 2 of the file helpers/negotiate_auth/squid_kerb_auth/readme.txt there are some settings different for heimdal than for MIT kerberos. Most importantly the -DHEIMDAL switch needs to be passed to the compiler, but isn't right now, leading to these errors:

squid_kerb_auth.c:59:35: error: gssapi/gssapi_generic.h: No such file or directory
squid_kerb_auth.c: In function ‘main’:
squid_kerb_auth.c:395: error: ‘gss_nt_service_name’ undeclared (first use in this function)
squid_kerb_auth.c:395: error: (Each undeclared identifier is reported only once
squid_kerb_auth.c:395: error: for each function it appears in.)
make[3]: *** [squid_kerb_auth.o] Error 1

It looks like the build system doesn't provide any flags to change the configuration, so one has to in fact patch the Makefiles for this helper.
The attached patch does so. I'd leave the decision whether or not to use it to the ebuild. The following line seems to get the job done.

[[ "$(best_version app-crypt/heimdal)" ]] \
  && epatch "${FILESDIR}"/squid-3.0.9-heimdal.patch

By the way: I'm using the kerberos overlay from bug 185899, so other heimdal setups out there, especially pre-1.x, might work differently yet again.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2008-10-17 20:23:34 UTC
Oops, fixed in versions 3.0.9 and 2.7.4-r2 (no revbumps). Thanks again!

I made 2 changes:
 1) patched only the Makefile.am file (eautoreconf is called after patching)
 2) since mit-krb5 is the preferred alternative, I've used this line to apply the patch:
    has_version app-crypt/mit-krb5 || epatch "${FILESDIR}"/${P}-heimdal.patch
Comment 5 Klaus Birkelund Jensen 2008-11-04 14:44:51 UTC
Created attachment 170713 [details, diff]
Add 'SQUID_KEYTAB' to /etc/conf.d/squid
Comment 6 Klaus Birkelund Jensen 2008-11-04 14:47:58 UTC
Created attachment 170714 [details, diff]
Make the init-script pass KRB5_KTNAME to the squid executable
Comment 7 Klaus Birkelund Jensen 2008-11-04 14:49:25 UTC
Created attachment 170715 [details, diff]
Make the init-script pass KRB5_KTNAME to the squid executable

With kerberos support enabled, I propose that these new patches be applied. I don't know if this is too much, but I think that the init-script should be ready for kerberos support too.
Comment 8 Alin Năstac (RETIRED) gentoo-dev 2008-11-30 19:22:20 UTC
Your patches have been merged in our source tree. Thanks!
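
The keytab handling proposed in comments 5 to 7, sketched as an added example; it is not the attached patches or Gentoo's init script. SQUID_KEYTAB and KRB5_KTNAME come from the thread; the helper name keytab_env, the permission policy and the squid path are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical init-script helper, not the attached patches.
# SQUID_KEYTAB is the conf.d variable named in this bug; the rest is assumed.

# keytab_env PATH
# Prints "KRB5_KTNAME=PATH" when PATH is a usable keytab that other users
# cannot access. Prints nothing and succeeds when PATH is empty, in which
# case the Kerberos library's default keytab applies.
keytab_env() {
    kt=$1
    [ -n "$kt" ] || return 0

    case $kt in
        /*) ;;
        *) echo "keytab path must be absolute: $kt" >&2; return 1 ;;
    esac

    # Reject symlinks and anything that is not a regular file.
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "keytab is not a regular file: $kt" >&2
        return 1
    fi

    # A keytab holds the service's long-term keys: refuse any r/w/x bit
    # for "other". find prints the path only if one of those bits is set.
    if [ -n "$(find "$kt" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "keytab is accessible to other users: $kt" >&2
        return 1
    fi

    printf 'KRB5_KTNAME=%s\n' "$kt"
}

# How an init script could use it (the squid path is an assumption):
#   kt_env=$(keytab_env "${SQUID_KEYTAB}") || exit 1
#   [ -n "${kt_env}" ] && export "${kt_env}"
#   /usr/sbin/squid
```

Group access is left to the administrator here, since the squid user is commonly given read access through a dedicated group.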