Currently freebsd-lib installs gssapi headers and libraries. This creates file conflicts with heimdal and mit-krb5.

Reproducible: Always

Steps to Reproduce:
emerge heimdal

Actual Results:
Install fails due to file collisions

Expected Results:
Heimdal is installed

emerge seems to prefer mit-krb5 over heimdal. While it is possible to use mit-krb5 for other applications, it is currently not compatible with the kgssapi in the freebsd kernel, thus not allowing you to use nfs with kerberos authentication, for example.

There are at least 2 issues with using mit-krb5:
1. xdr_gss_OID_desc in kgssapi/gssd_prot.c writes to the OID. mit-krb5 seems to allocate this value in read-only memory (lib/gssapi/krb5/gssapi_krb5.c krb5_gss_oid_array). This can however be solved by reallocating the object in the gssd.
2. krb5_import in kgssapi/krb5/krb5_mech.c only supports importing heimdal security tokens.

The makefiles in freebsd also need to be changed to link against libgssapi_krb5 instead of libgssapi.
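Issue 1 in the report above concerns an OID held in read-only memory being passed to a routine that writes through its pointer. The following is an added example, not code from this bug, FreeBSD or mit-krb5, showing the deep-copy approach in C. `oid_desc` is a stand-in for `gss_OID_desc`, and `oid_dup_writable`, `oid_free`, `consume_in_place` and `consume_copy_of_krb5_oid` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for gss_OID_desc (RFC 2744: a length plus a pointer to DER bytes). */
typedef struct { uint32_t length; void *elements; } oid_desc;

/* Kerberos 5 mechanism OID 1.2.840.113554.1.2.2 in const storage (models a read-only table). */
static const unsigned char KRB5_OID_BYTES[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static const oid_desc KRB5_OID = { sizeof KRB5_OID_BYTES, (void *)KRB5_OID_BYTES };

/* Deep-copy src into heap memory the caller owns; NULL on bad input or OOM. */
oid_desc *oid_dup_writable(const oid_desc *src)
{
    if (src == NULL || (src->length != 0 && src->elements == NULL)) return NULL;
    oid_desc *dst = malloc(sizeof *dst);
    if (dst == NULL) return NULL;
    dst->length = src->length;
    dst->elements = NULL;
    if (src->length != 0) {
        dst->elements = malloc(src->length);
        if (dst->elements == NULL) { free(dst); return NULL; }
        memcpy(dst->elements, src->elements, src->length);
    }
    return dst;
}

void oid_free(oid_desc *oid)
{
    if (oid != NULL) { free(oid->elements); free(oid); }
}

/* Hypothetical consumer that, like an in-place codec, stores into its argument. */
void consume_in_place(oid_desc *oid)
{
    if (oid->elements != NULL) memset(oid->elements, 0, oid->length);
    oid->length = 0;
}

/* Give the consumer a private copy; returns 1 if it ran on distinct storage. */
int consume_copy_of_krb5_oid(void)
{
    oid_desc *copy = oid_dup_writable(&KRB5_OID);
    if (copy == NULL) return -1;
    int distinct = copy->elements != KRB5_OID.elements;
    consume_in_place(copy);   /* writes land in the heap copy only */
    oid_free(copy);
    return distinct && KRB5_OID.length == sizeof KRB5_OID_BYTES;
}
```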
Created attachment 351080
heimdal build log

Created attachment 351092
patch for removing gssapi from freebsd-lib
Created attachment 351094
patch for freebsd-usbin

With this patch gssd will only be built when the kerberos use-flag is specified. Another option for this would have been gssapi; other ebuilds seem to use this and it would fit better with the freebsd naming convention. I also picked to depend directly on app-crypt/heimdal. It would have been better to depend on virtual/krb5, but it doesn't feel right since it currently only works with heimdal.
(In reply to henning.f from comment #2)
> Created attachment 351092
> patch for removing gssapi from freebsd-lib

thanks for all the patches.

one question though: why do you remove librpcsec_gss ? it is currently controlled by the kerberos useflag in freebsd-lib, but it seems that this is not part of heimdal and that it could just simply be built on top of it
(In reply to Alexis Ballier from comment #4)
> (In reply to henning.f from comment #2)
> > Created attachment 351092
> > patch for removing gssapi from freebsd-lib
>
> thanks for all the patches.
>
> one question though: why do you remove librpcsec_gss ? it is currently
> controlled by the kerberos useflag in freebsd-lib, but it seems that this is
> not part of heimdal and that it could just simply be built on top of it

Once upon a time I thought it was related to the librpcgss when I was trying to get mit-krb5 working. When I look at it now it seems to be similar but unrelated. The only reason that it is still removed is probably because it built fine without it. I think the best thing would be to keep it though.
applied your patches (keeping librpcsec_gss in -lib), thanks a lot! if you have more changes you want merged to improve kerberos, feel free! it seems nobody is taking care of it :/