We are just working on getting a usable heimdal into the gentoo tree. Therefore it's necessary to patch the nfs-utils. I've an already working overlay at git://git.overlays.gentoo.org/proj/kerberos.git. I'd like to ask you to inspect the suggested ebuild and the patches I've attached.
Kind regards, mueli
P.S.: to make this work we also have to patch librpcsecgss -> see bug #231395. You've to unmerge net-libs/libgssglue also! (should we make this a blocker for the case we use heimdal? einfo?)
Created attachment 160028 [details]
new ebuild with heimdal compatibility
Created attachment 160032 [details, diff]
for heimdal compatibility
Created attachment 160033 [details, diff]
for heimdal compatibility
Created attachment 160035 [details, diff]
for heimdal compatibility
Any work on that? We'll need this one and bug #231395 to launch heimdal 1.2.x into tree - so please have a look at it!
you should be submitting this upstream to the nfs-utils guys ... the heimdal/kerberos stuff is a complete mess and i'm not about to start touching it. there's been too much churn on this front already.
(In reply to comment #6)
> you should be submitting this upstream to the nfs-utils guys ...
You are the package maintainer - could you get in touch with upstream?
> [...] there's been too much churn on this front already.
--verbose <- what do you mean? what happened?
vapier, could you please comment on my questions? It's really hard for me to maintain every kerberos related feature in all packages because these are a lot. I'd really appreciate it if you could contact upstream for including a persistent fix to make heimdal nfs compatible.
i don't know squat about kerberos or heimdal or any of it. i can't go pushing changes i know nothing about.
You asked for further pointing on nfs-utils / heimdal compatibility
Created attachment 172863 [details, diff]
Since version 1.1.3, openssl tests ccache validity in utils/gssd/krb5_util.c in an mit-krb5 specific way. This patch changes (#ifdef HAVE_HEIMDAL) the check_for_tgt function to the code used by the heimdal sources themselves (in kuser/klist.c).
Several lines of code lower, a KRB5_TC_OPENCLOSE definition had to be added -- used by the openssl code, present in the heimdal sources (appl/dceutils/k5dce.h), but absent from among the headers installed (no k5dce.h there).
Created attachment 172865 [details, diff]
A diff for version upgrade of the heimdal aware nfs-utils ebuild (from 1.1.2-r1 to 1.1.4). Applies the patch above.
i don't really see much problem with the patches per se ... but until they get merged upstream, you'll have to commit & maintain ...
i simply know nothing about kerberos to assist
if you don't mind these stipulations, feel free to add kerberos markings to the metadata.xml and commit the patches here
Created attachment 180673 [details]
It would be nice if someone put the updates, if not into the tree (which is really where the patch belongs), then at least into the kerberos overlay.
I added the patch from down the link to my nfs-utils-1.2.3 ebuild to make it compile and work with heimdal. Care should be taken, however, for it not to pull in libgssglue includes (it is necessary when compiling against mit-krb5, but harmful with heimdal).
Can patches from other distros be added to portage tree?
Could we get some attention to this? It blocks enabling kerberos system-wide on my server (where I have samba-4.0.3 installed, which depends on heimdal).
There's a comment in the ebuild for 1.2.6:
# kth-krb doesn't provide the right include
# files, and nfs-utils doesn't build against heimdal either,
# so don't depend on virtual/krb.
# (04 Feb 2005 agriffis)
This is 8 years old already! And I'm the first activity on this bug in four years!
Two years. :)
*** Bug 459088 has been marked as a duplicate of this bug. ***
This is still an issue. Now that OS X uses heimdal, persevering with mit-krb5 is causing some problems. Yes, it should still work, but it has some inconsistencies.
Adding proxy-maint@ just in case a user wants to help with that. I see many attachments here so a clear list of what needs and what does not need to be reviewed might be helpful (everything should be based on 1.2.6 ebuild)
I can't give a full list, but these are what my system is reporting:-
media # equery depends mit-krb5
* These packages depend on mit-krb5:
dev-libs/openssl-1.0.1c (kerberos ? app-crypt/mit-krb5)
net-fs/nfs-utils-1.2.6 (kerberos ? app-crypt/mit-krb5)
net-libs/c-client-2007f-r4 (kerberos ? app-crypt/mit-krb5)
And I understand that Samba4 requires heimdal.
Also http://forums.gentoo.org/viewtopic-p-6939946.html seems to suggest that Bind requires mit-krb5, so currently it appears to be impossible to run Samba4, NFS & Bind on the same machine.
Samba4 supports app-crypt/mit-krb5, but the ebuild doesn't reflect that. (See bug 195703, comment 173.)
It looks like nfs-utils explicitly supports heimdal, but it's bailing out because it's looking for libroken.a. My system, at least, only has a libroken.so. IIRC, there's a post-build step in portage that removes the libtool .a files, which is likely why this fails in this case. From nfs-utils' ./configure script:
elif test \( -f $dir/include/heim_err.h -o\
-f $dir/include/heimdal/heim_err.h \) -a \
-f $dir/lib/libroken.a; then
$as_echo "#define HAVE_HEIMDAL 1" >>confdefs.h
... so the reason this doesn't work on Gentoo appears to be whatever is removing the .a file. Alternately, we could see about fixing the configure script to support shared libraries.
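The comment above proposes letting the check accept shared libraries. As an added example (not code from nfs-utils, its configure script, or any patch attached to this bug), here is that check as a standalone shell function that keeps the quoted header test and accepts either a static or a shared libroken; the names `detect_heimdal` and `make_prefix` and the constructed directory trees are hypothetical.

```shell
#!/bin/sh
# Added example, not nfs-utils code. detect_heimdal and make_prefix are
# hypothetical names; the prefixes below are constructed test trees.

# Return 0 if $1 looks like a Heimdal prefix, 1 otherwise.
detect_heimdal() {
    dir=$1
    # Same header test as the quoted configure fragment.
    if [ ! -f "$dir/include/heim_err.h" ] &&
       [ ! -f "$dir/include/heimdal/heim_err.h" ]; then
        return 1
    fi
    # Unlike the quoted fragment, accept libroken.a, libroken.so,
    # or a versioned libroken.so.N (an unmatched glob stays literal
    # and simply fails the -f test).
    for lib in "$dir"/lib/libroken.a \
               "$dir"/lib/libroken.so \
               "$dir"/lib/libroken.so.*; do
        [ -f "$lib" ] && return 0
    done
    return 1
}

# make_prefix <dir> <header path under include/, or ""> <lib name, or "">
make_prefix() {
    mkdir -p "$1/include/heimdal" "$1/lib"
    [ -n "$2" ] && : > "$1/include/$2"
    [ -n "$3" ] && : > "$1/lib/$3"
    return 0
}

# Demo over constructed prefixes: static-only, shared-only, no library.
demo() {
    tmp=$(mktemp -d) || return 1
    make_prefix "$tmp/static" heim_err.h libroken.a
    make_prefix "$tmp/shared" heimdal/heim_err.h libroken.so
    make_prefix "$tmp/nolib" heim_err.h ""
    for p in static shared nolib; do
        if detect_heimdal "$tmp/$p"; then
            echo "$p: heimdal detected"
        else
            echo "$p: not detected"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The `shared` case is the one the commenter describes (only libroken.so installed); the quoted test would reject it, while this variant accepts it.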
PLD Linux is maintaining a patch to get it to compile against heimdal
the new location for the patch is at github