Summary: | dns/bind99 with heimdal port brings in base heimdal libraries
---|---
Product: | Ports & Packages
Component: | Individual Port(s)
Status: | Closed FIXED
Severity: | Affects Some People
Priority: | ---
Version: | Latest
Hardware: | Any
OS: | Any
Reporter: | dewayne
Assignee: | Mathieu Arnold <mat>
CC: | hrs
Flags: | dewayne: maintainer-feedback? (mat)
Description
dewayne
2014-09-25 04:47:53 UTC
Auto-assigned to maintainer mat@FreeBSD.org

Adding hrs@ to the CC because he's my go-to guy when I have a PR related to kerberos, heimdal, gssapi and all :-)

Created attachment 147873 [details]
Patch for dns/bind99 to fix GSS-API library detection

Please test this patch and let us know if this problem still persists or not. Note that files/patch-configure is removed and files/extra-patch-configure-gssapi-* (3 files) are added.

Ping? We need feedback from the original submitter of this PR.

Thank-you for pursuing this issue. Yes, the approach taken is good, and enables a successful heimdal & bind build on 10.1Stable.

Though you should note that with -lcom_err, both the heimdal port and bind99 will link with the /usr/lib/libcom_err.so from heimdal in base. If a system has both the heimdal port and base installed, this works. However if you don't have heimdal base, then it doesn't. So I have modified dns/bind99/files/extra-patch-configure-gssapi-heimdal to omit com_err.

-+ "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \ ++ "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken" \

I've also modified heimdal to build without base heimdal, by
rm /usr/ports/security/heimdal/files/patch-lib-com_err-Makefile.in
and force this result in the heimdal/Makefile
PLIST_SUB+= LIBCOM_ERR=""
Then everything is happy.

As an aside, I also have in bind99/Makefile

-BIND_DESTETC= /etc/namedb +BIND_DESTETC?= /etc/namedb

so I can place namedb files under /var via a variable where, I think, they belong without (further) changing the Makefile ;)

Dewayne

(In reply to dewayne from comment #5)
> Though you should note that with -lcom_err, both the heimdal port and bind99
> will link with the /usr/lib/libcom_err.so from heimdal in base.

libcom_err issue should be fixed in heimdal-1.5.2_17 or later. Are your binaries still linked with /usr/lib/libcom_err.so?

Unfortunately we undertake approx 3 weeks of integration testing before we release software to customers, and we're frozen from 17th. They aren't linked against heimdal base, but that's due to our patches. The bind99 testing of your patch(es) was against our modified heimdal-1.5.2_16, (we copy the tree for point testing).

(In reply to dewayne from comment #7)
> Unfortunately we undertake approx 3 weeks of integration testing before we
> release software to customers, and we're frozen from 17th. They aren't
> linked against heimdal base, but that's due to our patches. The bind99
> testing of your patch(es) was against our modified heimdal-1.5.2_16, (we
> copy the tree for point testing).

So please report again if you get the same symptom by using the latest, unpatched tree. I think the libcom_err issue is already fixed.

Hiroki,
I have attempted to rebuild our ports system. Heimdal builds nicely thank-you.

Unfortunately other ports such as samba36 now fail to build because they can not find the libcom_err and other libraries libkrb5 etc. Samba36 appears to look within /usr/local/lib and not /usr/local/lib/heimdal where the libs are now stored. Interestingly cyrus-sasl-gssapi and bind99 did build using /usr/local/lib/heimdal.

I guess this isn't being seen by others because they have libcom_err and other lib dependencies hidden by a base heimdal installation, which we've eliminated. (Our base system isn't polluted by the "older" ;) heimdal libs.)

I think you should close this PR as bind99 builds successfully. Thank-you.

(In reply to dewayne from comment #9)
> Hiroki,
> I have attempted to rebuild our ports system. Heimdal builds nicely
> thank-you.

Thank you for your testing!

> Unfortunately other ports such as samba36 now fail to build because they can
> not find the libcom_err and other libraries libkrb5 etc. Samba36 appears to
> look within /usr/local/lib and not /usr/local/lib/heimdal where the libs are
> now stored. Interestingly cyrus-sasl-gssapi and bind99 did build using
> /usr/local/lib/heimdal.

Yes, several ports including samba should be fixed and I am working on it, too. They have had a dependency problem with security/heimdal regardless of the directory change of heimdal.

(In reply to Hiroki Sato from comment #10)

Mmmm, is the patch here still needed? If it's not needed, is it a good thing? Should I apply it (to bind99 and bind910)?

As a side note, shouldn't the patch remove all the -lgssapi and such lines from the configure and add only the ONE THAT WORKS? It would make sure that only the right one is tested and used.

(In reply to Mathieu Arnold from comment #12)

Mathieu, Thank-you for taking an interest. I don't think many people use the heimdal port to properly build their ports, so I'm not in a position to answer your question. When I say properly, I mean that I use libcom_err from the heimdal port (1.5.3 /usr/local/lib/heimdal/libcom_err.so.1) and not the base system (heimdal 1.5.2 which is /usr/lib/libcom_err.so.5)

However, I do modify

Index: /usr/ports/dns/bind99/files/patch-configure =================================================================== --- /usr/ports/dns/bind99/files/patch-configure (revision 379027) +++ /usr/ports/dns/bind99/files/patch-configure (working copy) @@ -5,7 +5,7 @@ "-lgssapi" \ "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ + "-lkrb5 -lgssapi_krb5 -lkrb5support -lk5crypto -lcom_err" \ -+ "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \ ++ "-lgssapi -lkrb5 -lgssapi -lcrypto -lcrypt -lasn1 -lroken" \ "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \ "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \ "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \

I think that this keeps the libraries consistent with the heimdal port.

(In reply to Mathieu Arnold from comment #12)

This change is still required but yes, removing bogus options and adding a correct library option set for each package would be better. I will recreate and submit a new patch shortly.

(In reply to Hiroki Sato from comment #14)
> (In reply to Mathieu Arnold from comment #12)
> This change is still required but yes, removing bogus options and adding a
> correct library option set for each package would be better. I will
> recreate and submit a new patch shortly.

ping? :-)

Created attachment 160814 [details]
New patch for dns/bind99 to fix GSS-API library detection

I am sorry for the long delay. All of the Kerberos implementations have been changed to have krb5-config script correctly, so the attached patch should be simple and reliable, even for the other BIND ports. I tested if this works fine with base, security/heimdal, and security/krb5.

So, this should be fixed now.
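
Review bot: The fragment for dns/bind99/files/extra-patch-configure-gssapi-heimdal in comment #5 is described as omitting com_err, but its replacement line also drops -lgssapi_krb5 from the candidate ("-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken"). Either keep -lgssapi_krb5 if only -lcom_err is meant to go, or say in the description that both libraries are removed and why.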
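
Review bot: In the @@ -5,7 +5,7 @@ hunk of files/patch-configure (the reply to comment #12), the replacement candidate lists -lgssapi twice ("-lgssapi -lkrb5 -lgssapi -lcrypto ..."), where the removed line had -lgssapi_krb5 in that position; drop the second -lgssapi if the intent is only to remove -lgssapi_krb5 and -lcom_err. The unchanged candidates in the context lines still end in -lcom_err, so the description should state whether those are meant to stay.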
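
The question raised in the thread, whether a binary is still linked with /usr/lib/libcom_err.so, can be checked from `ldd` output. The script below is an added example, not part of the original PR or of the FreeBSD ports tree; the function names, the list of library names matched, and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the Kerberos/GSS-API libraries in `ldd` output by
# where they resolve: "base" (/usr/lib, /lib) or "port" (/usr/local/...).

# Reads `ldd` output on stdin; prints "<origin> <soname> <path>" per library.
krb_lib_origins() {
    awk '
        $2 == "=>" && $1 ~ /^lib(com_err|krb5|gssapi|gssapi_krb5|asn1|roken|hx509|k5crypto|krb5support)\.so/ {
            origin = ($3 ~ /^\/usr\/local\//) ? "port" : "base"
            print origin, $1, $3
        }'
}

# Exit status 0 when the binary mixes base and port Kerberos libraries,
# the situation reported in this PR; 1 otherwise.
has_mixed_origins() {
    krb_lib_origins | awk '
        { seen[$1] = 1 }
        END { exit !(("base" in seen) && ("port" in seen)) }'
}

# Constructed sample (not captured from a real system): a named binary that
# takes libgssapi and libkrb5 from the port but libcom_err from base.
sample_ldd() {
    cat <<'EOF'
/usr/local/sbin/named:
	libgssapi.so.3 => /usr/local/lib/heimdal/libgssapi.so.3 (0x800a4c000)
	libkrb5.so.26 => /usr/local/lib/heimdal/libkrb5.so.26 (0x800c8a000)
	libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800f0e000)
	libc.so.7 => /lib/libc.so.7 (0x801110000)
EOF
}

# On a real host: ldd /usr/local/sbin/named | krb_lib_origins
sample_ldd | krb_lib_origins
if sample_ldd | has_mixed_origins; then
    echo "mixed base/port Kerberos libraries"
fi
```
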