Created attachment 162660 [details] security/py-kerberos: update to 1.2.2 Changelog: * Update to 1.2.2 * Patch setup.py to enable py3k * Refactor setup.py patching QA: See attached portlint and poudriere logs.
Created attachment 162661 [details] security/py-kerberos: portlint output
Created attachment 162662 [details] security/py-kerberos: poudriere testport output (2.7)
Created attachment 162663 [details] security/py-kerberos: poudriere testport output (3.4)
@John, can you confirm this links against the expected krb5 library? I have a work in progress patch to this port which added OPTIONS to switch between: +OPTIONS_SINGLE_GSSAPI= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT If you want to take a look at it to integrate those changes let me know
@koobs: I expected it to link against MIT Kerberos, and it does. % ldd /usr/local/lib/python2.7/site-packages/kerberos.so /usr/local/lib/python2.7/site-packages/kerberos.so: libpython2.7.so.1 => /usr/local/lib/libpython2.7.so.1 (0x801608000) libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x8019c3000) libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x801c0a000) libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0x801eea000) libcom_err.so.3.0 => /usr/local/lib/libcom_err.so.3.0 (0x802119000) libc.so.7 => /lib/libc.so.7 (0x800821000) libthr.so.3 => /lib/libthr.so.3 (0x80231c000) libintl.so.8 => /usr/local/lib/libintl.so.8 (0x802540000) libutil.so.9 => /lib/libutil.so.9 (0x80274b000) libm.so.5 => /lib/libm.so.5 (0x80295d000) libkrb5support.so.0.1 => /usr/local/lib/libkrb5support.so.0.1 (0x802b86000) I would also be interested in testing your work. However, first there are some basic smoke tests that are failing, and I'm not sure yet if it's me or v1.2.2.
Something changed from 1.1.1 to 1.2.2 to break (at least) the following. % pkg info -x kerberos py27-kerberos-1.1.1_1 % sudo python -c " import kerberos result, ctx = kerberos.authGSSServerInit('HTTP') print(result==kerberos.AUTH_GSS_COMPLETE) " True vs. % pkg info -x kerberos py27-kerberos-1.2.2 % sudo python -c " import kerberos result, ctx = kerberos.authGSSServerInit('HTTP') print(result==kerberos.AUTH_GSS_COMPLETE) " Traceback (most recent call last): File "<string>", line 3, in <module> kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243)) I've done a little bit of digging, and I suspect a change to the way that kerberosgss.c:authenticate_gss_server_init() calls gss_acquire_cred(), but I don't yet have proof. The point is that we may wish to defer this update.
@John, if/when in situations such as this (attached patch may not be ready) always obsolete it, then set 'needs-patch' and/or 'needs-qa' as necessary. YOu can always 'unobsolete' an attachment later if necessary. Descriptions of keywords and what theyre used for can be found here: https://bugs.freebsd.org/bugzilla/describekeywords.cgi
Comment on attachment 162660 [details] security/py-kerberos: update to 1.2.2 Obsoleting this patch pending investigation and resolution of apparent regressions in 1.2.2.
@koobs: The keywords do not appear editable to me.
That's annoying.
This is the upstream commit and associated ticket that breaks my test case. https://trac.calendarserver.org/changeset/14486 https://trac.calendarserver.org/ticket/862 I have opened a new upstream ticket to the effect. https://trac.calendarserver.org/ticket/924
@John, what needs to be done to progress this issue, or resolve it?
@koobs: I will rebase my patch on r401816 (dvl's work) and add a new patch that reverts the upstream r14486. This will break support for S4U2Proxy, but I have a hard time seeing how that's really a problem.
@John, Understood thank you.
I'm blocked on this for the time being. I was having trouble getting tests to pass with my patch, so I rolled back to make sure I could get them to pass on the current version, and they don't. I've submitted bug #204899 to address some apparent problems with dvl's patches that add support for BASE and HEIMDAL Kerberos, and will resume work on this patch once that is resolved. Also, adding dvl@ to the CC list for this bug as the new maintainer for security/py-kerberos. Hi Dan!
(In reply to John W. O'Brien from comment #15) Sadly John, I don't know what to do in order to fix this. I was working on it for a $WORK project and will see if I can devote time to it this week.
(In reply to Dan Langille from comment #16) @dvl, I'm in no particular rush, and will be glad to help you track down the root cause. I've been trying to get up to speed on how to use GSSAPI directly in C so that I can make more sense of how PyKerberos is using it.
Created attachment 169898 [details] py-kerberos-1.2.4.diff The bug listed in comment 6 appears to have been fixed upstream in 1.2.3. This patch updates the port to 1.2.4.
A commit references this bug: Author: dvl Date: Tue May 3 00:46:43 UTC 2016 New revision: 414499 URL: https://svnweb.freebsd.org/changeset/ports/414499 Log: Upgrade to 1.2.4 Fixed bug noticed by John W. O'Brien <john@saltant.com> PR: 204185 Submitted by: David Shane Holden <dpejesh@yahoo.com> Changes: head/security/py-kerberos/Makefile head/security/py-kerberos/distinfo head/security/py-kerberos/files/extra-patch-src_kerberosgss.c
John: please test. re #204899
Makefile shows 1.2.5 I think this could closed.
(In reply to w.schwarzenfeld from comment #21) I will defer to John Baldwin.
(In reply to Dan Langille from comment #22) I'm guessing you mean me. The tests in comment #6 now pass with all three GSSAPI libs and all four versions of python. That plus the fact that the port has been upgraded past 1.2.2 adds up to closing this bug. I believe I can still reproduce the failing tests I reported in bug #204899, but it clearly didn't block this upgrade.