net-fs/samba-4.19.2 does not depend directly on sys-apps/keyutils, they get in through net-fs/cifs, net-fs/cifs-utils does not use multilib but net-fs/samba, at least in the actual 4.19.2 version, if compiled with abi_x86_32 use flag, needs sys-apps/keyutils[abi_x86_32].

With amd64 and some abi_x86_32 support (mainly for virtual/wine, I think) I get an error in net-fs/samba-4.19.2 compilation:

/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: third_party/heimdal/lib/krb5/krcache.c.55.o: in function `find_or_create_keyring':
krcache.c:(.text+0x219): undefined reference to `keyctl_search'
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: krcache.c:(.text+0x23e): undefined reference to `add_key'
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: krcache.c:(.text+0x252): undefined reference to `keyctl_link'
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: krcache.c:(.text+0x27b): undefined reference to `add_key'

and so on up to

/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: third_party/heimdal/lib/krb5/krcache.c.55.o: in function `krcc_gen_new':
krcache.c:(.text+0x2c38): undefined reference to `keyctl_search'
/usr/lib/gcc/x86_64-pc-linux-gnu/13/../../../../x86_64-pc-linux-gnu/bin/ld: krcache.c:(.text+0x2d16): undefined reference to `add_key'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/var/tmp/portage/net-fs/samba-4.19.2/work/samba-4.19.2-abi_x86_32.x86/bin/default'
Build failed

Setting the abi_x86_32 use flag for sys-apps/keyutils removes this error. As sys-apps/keyutils is not among the direct dependencies of net-fs/samba-4.19.2, and the requirement of the abi_x86_32 use flag does not seep to it through net-fs/cifs-utils, I had to find out myself that I must set the flag for that package.
Can you share your "emerge --info samba" output? What I believe is happening here is that most people are actually getting keyutils[abi_x86_32] enforced via this dep chain:

net-fs/samba[abi_x86_32,system-mitkrb5] -> app-crypt/mit-krb5[abi_x86_32] -> sys-apps/keyutils[abi_x86_32]

But if you disable the system-mitkrb5 flag, then it uses a bundled copy, which itself requires sys-apps/keyutils[${MULTILIB_USEDEP}].

Can you confirm if you have disabled the system-mitkrb5 flag? Thanks!
(In reply to Ben Kohler from comment #1)
> Can you share your "emerge --info samba" output? What I believe is
> happening here is that most people are actually getting keyutils[abi_x86_32]
> enforced via this dep chain:
>
> net-fs/samba[abi_x86_32,system-mitkrb5] -> app-crypt/mit-krb5[abi_x86_32] ->
> sys-apps/keyutils[abi_x86_32]

I'm using app-crypt/heimdal, not app-crypt/mit-krb5.
I wish you would share emerge --info samba but I think my same logic applies. The reason most people are not hitting this bug is because the default of +system-mitkrb5 takes care of them. Do you have system-heimdal enabled, or not?
To clarify-- I realize you do not have mit-krb5 installed, but without the system-mitkrb5 flag, samba will build its OWN mit-krb5 libraries, and that's what is requiring keyutils (with abi_x86_32).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4f3c4ecb9f1686c2ff66192c673b419344e9575

commit d4f3c4ecb9f1686c2ff66192c673b419344e9575
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2024-04-18 11:58:16 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2024-04-18 12:00:00 +0000

    net-fs/samba: add missing dep for bundled mit-krb5

    Bug: https://bugs.gentoo.org/917006
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/samba-4.18.11.ebuild | 1 +
 net-fs/samba/samba-4.19.6.ebuild  | 1 +
 net-fs/samba/samba-4.20.0.ebuild  | 1 +
 3 files changed, 3 insertions(+)
(In reply to Ben Kohler from comment #4)
> To clarify-- I realize you do not have mit-krb5 installed, but without the
> system-mitkrb5 flag, samba will build its OWN mit-krb5 libraries, and that's
> what is requiring keyutils (with abi_x86_32).

In fact, samba never builds its own mit-krb5, the kerberos implementation inside samba is heimdal.

Nevertheless, you were right about the need to check emerge --info net-fs/samba, only after I did it I realised that with no regard to my system-wide system-heimdal USE flag, my net-fs/samba was built without this flag set, its negative value reported in parentheses. The system-heimdal USE flag is masked for net-fs/samba in "${PORTDIR}"/profiles/base/package.use.mask

Only when I unmasked it, I got in the Package Settings part of emerge --info net-fs/samba (do you expect any useful information in the rest of its output?) this:

net-fs/samba-4.19.4::gentoo was built with the following:
USE="acl client cups ldap pam python regedit system-heimdal systemd winbind zeroconf -addc -ads -ceph -cluster -debug (-fam) -glusterfs -gpg -iprint -json -llvm-libunwind -profiling-data -quota (-selinux) -snapper -spotlight -syslog -system-mitkrb5 (-test) -unwind" ABI_X86="32 (64) (-x32)" PYTHON_SINGLE_TARGET="python3_11 -python3_10"
FEATURES="multilib-strict merge-sync ebuild-locks sfperms qa-unresolved-soname-deps strict binpkg-dostrip distlocks usersync usersandbox unmerge-logs assume-digests unmerge-orphans binpkg-docompress splitdebug ipc-sandbox fixlafiles protect-owned preserve-libs pid-sandbox fakeroot pkgdir-index-trusted compressdebug merge-wait xattr userfetch sandbox buildpkg-live userpriv news parallel-fetch network-sandbox binpkg-logs config-protect-if-modified unknown-features-warn"

However, I still did not get any warning from emerge when I unset the abi_x86_32 flag for sys-apps/keyutils in my configuration, and the net-fs/samba compilation failed without it.
After I set the flag and recompiled finally net-fs/samba with the system-heimdal flag really set, I found out that the flag may not have had any effect, there apparently still are samba's internal heimdal libraries, and no samba library depends on the system heimdal, for example:

$ ldd /usr/lib/samba/libkrb5-samba4.so
    linux-gate.so.1 (0xf7f0b000)
    libcom-err-samba4.so => /usr/lib/samba/libcom-err-samba4.so (0xf7e58000)
    libroken-samba4.so => /usr/lib/samba/libroken-samba4.so (0xf7e44000)
    libhcrypto-samba4.so => /usr/lib/samba/libhcrypto-samba4.so (0xf7e03000)
    libwind-samba4.so => /usr/lib/samba/libwind-samba4.so (0xf7dd9000)
    libreplace-samba4.so => /usr/lib/samba/libreplace-samba4.so (0xf7dd4000)
    libasn1-samba4.so => /usr/lib/samba/libasn1-samba4.so (0xf7d40000)
    libheimbase-samba4.so => /usr/lib/samba/libheimbase-samba4.so (0xf7d1f000)
    libhx509-samba4.so => /usr/lib/samba/libhx509-samba4.so (0xf7cd5000)
    libbsd.so.0 => /usr/lib/libbsd.so.0 (0xf7c88000)
    libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0xf7c7f000)
    libc.so.6 => /usr/lib/libc.so.6 (0xf7a5c000)
    /lib/ld-linux.so.2 (0xf7f0d000)
    libmd.so.0 => /usr/lib/libmd.so.0 (0xf7a48000)

That seems to be in accord with https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller which says:

Samba provides experimental support for the MIT Kerberos KDC provided by your operating system if you run Samba 4.7 or later and has been built using the --with-system-mitkrb5 option. In other cases Samba uses the Heimdal KDC included in Samba. For further details about Samba using the MIT KDC, and why it is experimental see Running a Samba AD DC with MIT Kerberos KDC.
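Added example, not part of the comment above and not Gentoo or Samba code: a small shell check that summarizes ldd output the way the comment reads it by eye, counting the private -samba4 Heimdal libraries and reporting whether libkeyutils is linked or unresolved. The helper name summarize_ldd is hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example. summarize_ldd is a hypothetical helper, not a Samba or Portage tool.
# Reads `ldd` output on stdin and prints one summary line:
#   bundled=<n> keyutils=<linked|missing|no> missing=<n>

summarize_ldd() {
    awk '
        # "libfoo.so => not found": the loader cannot resolve this dependency.
        $2 == "=>" && $3 == "not" {
            missing++
            if ($1 ~ /^libkeyutils\.so/) keyutils = "missing"
            next
        }
        # Private Heimdal copies carry the -samba4 suffix and live under .../samba/.
        $2 == "=>" && $1 ~ /-samba4\.so/ && $3 ~ /\/samba\// { bundled++ }
        $2 == "=>" && $1 ~ /^libkeyutils\.so/ { keyutils = "linked" }
        END {
            if (keyutils == "") keyutils = "no"
            printf "bundled=%d keyutils=%s missing=%d\n", bundled, keyutils, missing
        }
    '
}

# Lines taken from the ldd listing in the comment above (shortened).
SAMPLE_OK='    linux-gate.so.1 (0xf7f0b000)
    libcom-err-samba4.so => /usr/lib/samba/libcom-err-samba4.so (0xf7e58000)
    libroken-samba4.so => /usr/lib/samba/libroken-samba4.so (0xf7e44000)
    libhx509-samba4.so => /usr/lib/samba/libhx509-samba4.so (0xf7cd5000)
    libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0xf7c7f000)
    libc.so.6 => /usr/lib/libc.so.6 (0xf7a5c000)
    /lib/ld-linux.so.2 (0xf7f0d000)'

# Constructed variant: a libkeyutils dependency the loader cannot resolve.
SAMPLE_MISSING='    libroken-samba4.so => /usr/lib/samba/libroken-samba4.so (0xf7e44000)
    libkeyutils.so.1 => not found
    libc.so.6 => /usr/lib/libc.so.6 (0xf7a5c000)'

printf '%s\n' "$SAMPLE_OK" | summarize_ldd
printf '%s\n' "$SAMPLE_MISSING" | summarize_ldd
# Live use: ldd /usr/lib/samba/libkrb5-samba4.so | summarize_ldd
```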
Ok thanks for that clarification. It looks like (for some reason?) the bundled heimdal uses keyctl_* functions from keyutils, but the system/standalone copy (app-crypt/heimdal) does not. So we need to add a keyutils dep for USE="-system-heimdal" (which ends up being for almost anyone, since the flag is masked).
Ok I think I have this sorted out-- it's only for the specific case of USE="-system-heimdal -system-mitkrb5" that the bundled heimdal is built and links to libkeyutils. If either system-* flag is enabled, then no internal heimdal is built. This agrees with my testing and with your initial report. Let me know if you see any errors in my logic. New fix incoming soon.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bce3dbc4692bc0ba4f0853e14ac509ce4d84f62

commit 9bce3dbc4692bc0ba4f0853e14ac509ce4d84f62
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2024-04-18 16:13:33 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2024-04-18 16:17:13 +0000

    profiles: force samba[system-mitkrb5] on ppc32 & sparc

    When samba is built with -system-heimdal -system-mitkrb5, it builds a
    bundled heimdal implementation which links to libkeyutils. This is
    unavailable on stable ppc32 & sparc. Since system-heimdal is globally
    masked, we must force system-mitkrb5 for these arches to ensure they
    don't try to build the bundled heimdal.

    Bug: https://bugs.gentoo.org/917006
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 profiles/arch/powerpc/ppc32/package.use.stable.force | 7 +++++++
 profiles/arch/sparc/package.use.stable.force         | 7 +++++++
 2 files changed, 14 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d703862d3aaff18c541184abb3631327775c5de

commit 0d703862d3aaff18c541184abb3631327775c5de
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2024-04-18 16:07:39 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2024-04-18 16:17:13 +0000

    net-fs/samba: require keyutils only for -system-heimdal -system-mitkrb5

    Only when both of these flags are disabled will samba build its own
    heimdal libraries which link to keyutils.

    Bug: https://bugs.gentoo.org/917006
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/samba-4.18.11.ebuild | 1 +
 net-fs/samba/samba-4.19.6.ebuild  | 1 +
 net-fs/samba/samba-4.20.0.ebuild  | 1 +
 3 files changed, 3 insertions(+)
(In reply to Ben Kohler from comment #8)
> Ok I think I have this sorted out-- it's only for the specific case of
> USE="-system-heimdal -system-mitkrb5" that the bundled heimdal is built and
> links to libkeyutils.
>
> If either system-* flag is enabled, then no internal heimdal is built. This
> agrees with my testing and with your initial report.
>
> Let me know if you see any errors in my logic.

As the samba documentation I've quoted says, there is only one functional system- flag. There is no --system-heimdal configuration in samba, and whatever the system-heimdal USE flag tries to do is completely ignored by the samba build system.