Unfortunately, stabilizing mit-krb5 1.8.2 has had the undesirable side-effect of putting a blocker on apps that use heimdal.

equery d heimdal
[ Searching for packages depending on heimdal... ]
net-ftp/proftpd-1.3.2d (kerberos? app-crypt/heimdal)
net-nds/openldap-2.4.19-r1 (!minimal & smbkrb5passwd? app-crypt/heimdal)

This really needs sorting out as I use kerberos as one of my USE flags!

# equery d mit-krb5
[ Searching for packages depending on mit-krb5... ]
dev-lang/php-5.2.13 (kerberos? virtual/krb5)
dev-libs/cyrus-sasl-2.1.23-r1 (kerberos? virtual/krb5)
dev-libs/openssl-0.9.8o (kerberos? app-crypt/mit-krb5)
dev-perl/GSSAPI-0.24 (virtual/krb5)
dev-util/cvs-1.12.12-r6 (kerberos? virtual/krb5)
gnome-base/gnome-vfs-2.24.3-r1 (kerberos? virtual/krb5)
gnome-extra/evolution-data-server-2.28.3.1-r1 (kerberos? virtual/krb5) (krb4? app-crypt/mit-krb5[krb4])
mail-client/evolution-2.28.3.1 (kerberos? virtual/krb5) (krb4? app-crypt/mit-krb5[krb4])
net-fs/nfs-utils-1.1.4-r1 (!nonfsv4 & kerberos? app-crypt/mit-krb5)
net-fs/samba-3.4.6 (ads? virtual/krb5)
net-ftp/proftpd-1.3.2d (kerberos? <app-crypt/mit-krb5-1.7)
net-im/pidgin-2.6.6 (zephyr? >=app-crypt/mit-krb5-1.3.6-r1[krb4])
net-mail/fetchmail-6.3.17 (kerberos? virtual/krb5)
net-misc/curl-7.20.0-r2 (kerberos? virtual/krb5)
net-misc/neon-0.29.3 (kerberos? virtual/krb5)
net-misc/openssh-5.3_p1-r1 (kerberos? virtual/krb5)
net-nds/openldap-2.4.19-r1 (!minimal & kerberos? virtual/krb5)
net-print/cups-1.3.11-r1 (kerberos? virtual/krb5)

Changing from proftpd to netkit-ftpd solved the problem for me but this shouldn't happen. Splitting the kerberos USE flag into kerberos-mit and kerberos-heimdal might solve the problem of depending on these two libraries?
(In reply to comment #0)
> Changing from proftpd to netkit-ftpd solved the problem for me but this
> shouldn't happen.

proftpd is the culprit. des and krb4 are not considered secure anymore and are off by default in later versions of mit-krb5. The proftpd configure script should not assume that it can link against des425 anymore. Following patch should work:

Jun 21 14:10:38 mod_auth_gss/1.3.3[8173]: GSSAPI-UPENN User client_name.value: testuser@CAF.COM.TR cmd->argv[0]: testuser.
Jun 21 14:10:38 mod_auth_gss/1.3.3[8173]: GSSAPI-UPENN User testuser@CAF.COM.TR is authorized as testuser.
Jun 21 14:10:38 south proftpd[8173]: south.caf.com.tr (south.caf.com.tr[127.0.0.1]) - USER testuser: Authenticated without password
Jun 21 14:10:38 south proftpd[8173]: south.caf.com.tr (south.caf.com.tr[127.0.0.1]) - Preparing to chroot to directory '/tmp'
Jun 21 14:10:38 south proftpd[8173]: south.caf.com.tr (south.caf.com.tr[127.0.0.1]) - USER testuser: Login successful.

@net-ftp herd: You will need to decide on the suitability of the patch for general consumption as I do not use ftp and can't do much of a test.

--- proftpd-1.3.3.ebuild 2010-06-17 21:08:16.000000000 +0000 +++ proftpd-1.3.3-r1.ebuild 2010-06-21 14:17:25.000000000 +0000 @@ -31,7 +31,7 @@ DEPEND="acl? ( sys-apps/acl sys-apps/attr ) caps? ( sys-libs/libcap ) clamav? ( app-antivirus/clamav ) - kerberos? ( || ( <app-crypt/mit-krb5-1.7 app-crypt/heimdal ) ) + kerberos? ( virtual/krb5 ) ldap? ( net-nds/openldap ) mysql? ( virtual/mysql ) ncurses? ( sys-libs/ncurses ) @@ -85,6 +85,15 @@ # Manipulate build system sed -i -e "s/utils install-conf install/utils install/g" Makefile.in sed -i -e "s/ @INSTALL_STRIP@//g" Make.rules.in + + if use kerberos ; then + if has_version app-crypt/mit-krb5 ; then + cd "${WORKDIR}"/mod_gss-${GSS_VER} || die "cd failed" + sed -i -e '/ac_gss_libs/s/\-ldes425\ //' configure{,.in} || \ + die "sed failed" + fi + fi + } src_configure() { 
@@ -102,7 +111,7 @@ use exec && mym="${mym}:mod_exec" if use kerberos ; then cd "${WORKDIR}"/mod_gss-${GSS_VER} - if has_version <app-crypt/mit-krb5-1.7 ; then + if has_version app-crypt/mit-krb5 ; then econf --enable-mit else econf --enable-heimdal
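Review bot: In the hunk at @@ -85,6 +85,15 @@, the `|| die "sed failed"` on the added sed does not catch the case that matters, because sed -i exits 0 whether or not the substitution matched. The pattern `\-ldes425\ ` also requires a trailing space, so if -ldes425 is the last entry on the ac_gss_libs line, or a later mod_gss release rewords that line, the edit silently does nothing and configure still tries to link against des425. Suggest checking afterwards (for example a grep for -ldes425 in configure and configure.in) and calling die if it is still present. Separately, the condition is now has_version app-crypt/mit-krb5 for every installed version, while the dependency this patch replaces singled out <app-crypt/mit-krb5-1.7; a short comment in the ebuild saying why dropping -ldes425 is also correct for the older versions would help the next maintainer.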
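Review bot: In the hunk at @@ -102,7 +111,7 @@, the context line cd "${WORKDIR}"/mod_gss-${GSS_VER} directly above the changed test has no `|| die`, unlike the identical cd added in the earlier hunk with `|| die "cd failed"`; add it here too, otherwise a missing mod_gss directory lets econf run in the wrong directory. The choice between --enable-mit and --enable-heimdal now rests on has_version app-crypt/mit-krb5 alone, repeated from the earlier hunk, while DEPEND has been relaxed to virtual/krb5. Suggest a one-line comment stating that the else branch assumes heimdal is the installed provider whenever mit-krb5 is not, so the assumption is visible if the virtual ever gains another provider.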
Patch looks good, should go into proftpd ebuild for unstable testing.
Thanks both of you for the report and the patch! I've just added 1.3.3-r1 in CVS, with an adapted patch from this one. This will be the next version to be marked stable (if all goes fine)