Bug 247940

Comment 1 Li-Wen Hsu 2020-07-20 15:05:13 UTC

CC Uses/gssapi.mk maintainer.

Comment 2 Tobias C. Berner 2022-09-07 16:22:05 UTC

Moin moin 

This looks like something that could be done -- could you provide a patch with your proposed change?


mfg Tobias

(In reply to Tobias C. Berner from comment #2)

In theory yes, but it will require some time. I need first to study how other DEFAULT_VERSIONS work. Don't expect a patch before November.

Comment 4 Tobias C. Berner 2022-09-08 07:40:17 UTC

(In reply to Michael Osipov from comment #3)
Sounds good, thanks for looking into it :)

Comment 5 Joseph Mingrone 2023-09-07 20:35:20 UTC

Michael,

tl;dr I don't think using Mk/bsd.default-versions.mk for building ports with different Kerberos implementations is feasible.

For the default versions feature to make sense, we need ports to have USES=gssapi without specifying a Kerberos implementation.  That way, a value set for DEFAULT_VERSIONS+=gssapi= can be used, or if that isn't set, we can fall back to the default of using Kerberos from base.  However, this isn't how our 58 ports with USES=gssapi currently work.

Twelve ports have USES=gssapi without an OPTION, but they all hardcode the Kerberos implementation.

Of the remaining ports, the ones that have OPTION knobs for all of the Kerberos implementations could, in theory, be converted to use a default version, but there are complications.  For example, many of them require different configure flags.  For example, here is what we have in security/cyrus-sasl2-gssapi/Makefile

GSSAPI_HEIMDAL_USES=   	 gssapi:heimdal,flags
GSSAPI_HEIMDAL_CONFIGURE_ON=    --enable-gssapi="${GSSAPIBASEDIR}" \
   			 --with-gss_impl=heimdal

but other ports like security/samba416 have

GSSAPI_HEIMDAL_CONFIGURE_ON=    --with-system-heimdalkrb5 ${GSSAPIBASEDIR}
GSSAPI_HEIMDAL_USES=   	 gssapi:heimdal
GSSAPI_HEIMDAL_PREVENTS=    AD_DC
GSSAPI_HEIMDAL_PREVENTS_MSG=    GSSAPI_HEIMDAL and AD_DC enable conflicting options

A workaround is to specify something like this in /etc/make.conf.

.if ${.CURDIR:M*/net/samba*}
WITHOUT=GSSAPI_BUILTIN
WITH=GSSAPI_MIT
.endif

You still have to think about individual ports, but at least you can share this configuration between systems, and you won't have to go through the configuration dialogs manually.

I hope this helps.

Joe

Comment 6 Joseph Mingrone 2023-09-08 01:22:48 UTC

(In reply to Joseph Mingrone from comment #5)

I reread the comments in Mk/bsd.options.mk.  Rather than setting WITH and WITHOUT in /etc/make.conf, it's recommended to use something like this:

net_samba416_UNSET+=GSSAPI_BUILTIN
net_samba416_SET+=GSSAPI_MIT

WITH= and WITHOUT= can be set on the command line, and the values override those set in /etc/make.conf.

(In reply to Joseph Mingrone from comment #5)

This I have partially assumed, but there is still room for improvement even if it cannnot be fully generalized. Consider that we have gssapi=base|mit|heimdal which can first define the OPTIONS and their descriptions, much like with X11 AND the options can globally be preset in make.conf and all ports follow suit the way they think is right.

I have plenty of ports which should have MIT Kerberos, instead of doing gssapi=mit, I need to touch every single options file. I don't explicitly strive to set the exact same flags for the every Kerberos flavor to all ports, but pull up that flavor decision globally.

At least these I need to touch instead of setting it globally. Yet another benefit could be that if gssapi=base is the default, all default packages provided by FreeBSD.org would link against base Heimdal. Those, like me, who need something else can use ports.

dns/bind-tools
ftp/curl
security/cyrus-sasl2-gssapi
sysutils/msktutil
www/serf
databases/postgresql13-server
www/mod_auth_gssapi
security/py-gssapi

At least some of them are automatic dependencies which I still need to document because I need to provide an options file in /var/db/ports.

May a call would be better to discuss this further?

Comment 9 Joseph Mingrone 2023-09-08 14:01:54 UTC

(In reply to Michael Osipov from comment #8)
A call sounds good.  I'll contact you by email.

Comment 10 Joseph Mingrone 2023-09-11 17:06:30 UTC

(In reply to Michael Osipov from comment #7)
Based on your latest comment, there may be a few improvements we can
make.

- Update the default options for some ports, so hopefully you have fewer
  packages to build yourself.

- Ensure that more ports use standardized names for the GSSAPI/Kerberos
  options.  Of the ports you listed, most have the option names
  GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT, so we're close.  A few also
  have GSSAPI_NONE.

  This is good because it means you can put something like what's below
  in make.conf to configure most ports that have a GSSAPI knob and avoid
  the port dialogues.

  OPTIONS_SET_FORCE+=GSSAPI_MIT
  OPTIONS_UNSET_FORCE+=GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_NONE

  If there is a specific port, like ftp/curl, that you want configured
  differently, you also add this to make.conf.

  ftp_curl_SET_FORCE+=GSSAPI_HEIMDAL
  ftp_curl_UNSET_FORCE+=GSSAPI_BASE GSSAPI_MIT GSSAPI_NONE

  I tested by putting these lines in
  /usr/local/etc/poudriere.d/15amd64-make.conf and built the ports
  without answering any dialogues.  This is the result.

  % pkg info dns/bind918 | grep GSSAPI
        GSSAPI_BASE    : off
        GSSAPI_HEIMDAL : off
        GSSAPI_MIT     : on
        GSSAPI_NONE    : off

  # pkg info curl | grep GSSAPI
        GSSAPI_BASE    : off
        GSSAPI_HEIMDAL : on
        GSSAPI_MIT     : off
        GSSAPI_NONE    : off

Is this helpful?

Joe

(In reply to Joseph Mingrone from comment #10)

Yes, this is helpful, but still circumvents DEFAULT_VERSIONS. This causes another question: Can't make it even simpler by defining the OPTIONS (4) in gssapi.mk and remove them from the Makefile so they are injected into the port with USES=gssapi. Similar I do with X11, I just say that I need it, that's it. WDYT?

Adding to this discussion due to a new issue that comes up with the move to OpenSSL 3 in FreeBSD 14.

I use heimdal as my preferred kerberos implementation. Heimdal upstream hasn't seen a release in a while (current version is 7.8), and heimdal-devel (tracking git HEAD) fixes a bunch of issues related to OpenSSL 3 support. I'd ideally like to use heimdal-devel as my gssapi provider in all ports that support it.

Currently, I don't see an option to use heimdal-devel (or even MIT krb5-devel) as the gssapi provider in any ports. I do mostly see the following OPTIONS being supported across the board in a mostly-standard way as comment #10 suggests:
* GSSAPI_NONE
* GSSAPI_BASE
* GSSAPI_HEIMDAL
* GSSAPI_MIT

I'd additionally like to see the following:
* GSSAPI_HEIMDAL_DEVEL
* GSSAPI_MIT_DEVEL

But instead of adding support for these to every port that can support them, I'd like to see support for choosing the version added to the DEFAULT_VERSIONS framework. I am in support of the proposal to:
* Replace all port OPTIONS of the form GSSAPI_* to simply GSSAPI, which will enable or disable GSSAPI support in a given port
* Move the choice of the GSSAPI provider to the DEFAULT_VERSIONS framework in the form of 'gssapi=(heimdal|heimdal-devel|mit|mit-devel)'

If there is consensus, I can help prepare a patchset (if one doesn't already exist as a work-in-progress) for converting all ports, along with adding the support to the DEFAULT_VERSIONS framework.

Created attachment 247505 [details]
[PATCH] USES=gssapi: allow provider choice using DEFAULT_VERSIONS

Here is a patch that adds gssapi to DEFAULT_VERSIONS and makes the necessary changes to an example port (in this case, mail/dovecot) for end-users to use DEFAULT_VERSIONS to select their gssapi provider instead of port OPTIONS.

Let me know if this is suitable and I will make the necessary changes to all ports that enable GSSAPI support and submit a patchset for it.

Created attachment 247558 [details]
[PATCH v2] USES=gssapi: allow provider choice using DEFAULT_VERSIONS

Fixed the patch to correctly read all USES arguments

(In reply to Siva Mahadevan from comment #12)

Any feedback on this proposal? I now have the bandwidth to work on moving all ports to use the gssapi DEFAULT_VERSIONS change (with my patch from comment #14 as an example of what I mean). I can work on it and submit a patchset if it sounds good to everyone.

Comment 16 Joseph Mingrone 2024-03-28 20:03:03 UTC

Hi Siva,

Thanks for your submission.  I think we need to hear from osipov@ (OP and heavy kerberos user) and hrs@ (gssapi.mk maintainer).  Let's give it another week and if we don't hear back from them, I'll try taking a closer look.

Comment 17 Gleb Popov 2024-03-30 08:30:31 UTC

Cy Shubert is working on importing MIT Kerberos into base. This should probably allow us to get rid of USES=gssapi altogether, if I understand it right.

(In reply to Gleb Popov from comment #17)

Wouldn't this just change the default base version from 'heimdal' to 'mit'? We would still need some way of choosing the GSSAPI provider for ports that depend on it right? I thought USES=gssapi allows passing in args to choose the provider.

Comment 19 Gleb Popov 2024-03-30 16:24:17 UTC

That's right, but I remember someone saying that most ports are actually using MIT implementation as it is more contemporary. I hope we can just get rid of Heimdal at some point.

(In reply to Gleb Popov from comment #19)

I don't necessarily think we can make this conclusion. Heimdal is still actively developed, with a new release soon to come with a lot of fixes. I still personally use it in all my projects, and if I understand correctly, some very crucial ports like net/samba* only officially support Heimdal (with experimental support for MIT).

In fact, the purpose of my patch is to allow users to choose heimdal-devel and mit-devel as GSSAPI providers.

Comment 21 Gleb Popov 2024-03-31 17:33:13 UTC

Ok, the change makes sense and looks pretty good to me.

I don't like the idea of changing the default based on some file presence. I think the default should be just "base" - it is simple and foolproof.

Another little nitpick is a bit a misleading name of the GSSAPI_VER variable. But I don't have an idea how to name it better.

Thanks for working on this!

Comment 22 Gleb Popov 2024-03-31 17:35:03 UTC

The patch does not apply to the current tree, can you please rebase?

Comment 23 Michael Osipov 2024-03-31 19:33:01 UTC

I will get back to this next week. Currently absent.

Created attachment 249611 [details]
[PATCH] USES=gssapi: allow provider choice using DEFAULT_VERSIONS

Rebased and added changes based on feedback. Still keeping mail/dovecot as an example change. If accepted, I'll prepare the patchset for all ports that need this change.

Comment 25 Michael Osipov 2024-04-02 15:05:40 UTC

GSSAPI_PROJECT should be renamed to GSSAPI_VENDOR just like "krb5-config --vendor".

Comment 26 Michael Osipov 2024-04-02 15:54:31 UTC

There is a problem with the patch. mail/dovecot was likely a bad example neither after not before the match "make debug-krb" work.

I have also patched ftp/curl and I see:
root@deblndw011x:/var/poudriere/ports/default-head/ftp/curl (main *%=)
# make debug-krb
make: "/var/poudriere/ports/default-head/Mk/Uses/gssapi.mk" line 110: Unknown directive "GSSAPI"
make: "/var/poudriere/ports/default-head/Mk/Uses/gssapi.mk" line 153: Unknown directive "GSSAPI"
make: "/var/poudriere/ports/default-head/Mk/Uses/gssapi.mk" line 160: Unknown directive "GSSAPI"
make: Fatal errors encountered -- cannot continue
make: stopped in /var/poudriere/ports/default-head/ftp/curl

after removing the dangling GSSAPI_PROVIDER I am able to call (gssapi=mit):
root@deblndw011x:/var/poudriere/ports/default-head/ftp/curl (main *%=)
# make debug-krb
cc -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -o /tmp/debug-krb.x -I"/usr/local/include"  -lkrb5 -lgssapi_krb5 -L"/usr/local/lib" -Wl,-rpath,/usr/local/lib  /tmp/debug-krb.c &&  ldd /tmp/debug-krb.x;  /bin/rm -f /tmp/debug-krb.x
/tmp/debug-krb.x:
        libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x3071b77d5000)
        libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x3071b7d90000)
        libc.so.7 => /lib/libc.so.7 (0x3071b92fb000)
        libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0x3071b8057000)
        libcom_err.so.3.0 => /usr/local/lib/libcom_err.so.3.0 (0x3071b8465000)
        libkrb5support.so.0.1 => /usr/local/lib/libkrb5support.so.0.1 (0x3071ba5bb000)
        libintl.so.8 => /usr/local/lib/libintl.so.8 (0x3071bb43d000)
        [vdso] (0x7ffffffff000)
PREFIX: /usr/local
GSSAPIBASEDIR: /usr/local
GSSAPIINCDIR: /usr/local/include
GSSAPILIBDIR: /usr/local/lib
GSSAPILIBS: -lkrb5 -lgssapi_krb5
GSSAPICPPFLAGS: -I/usr/local/include
GSSAPILDFLAGS: -L/usr/local/lib
GSSAPI_PROJECT: mit
GSSAPI_PROVIDER: mit
GSSAPI_CONFIGURE_ARGS: CFLAGS=-I/usr/local/include -O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing   LDFLAGS=-L/usr/local/lib -L/usr/local/lib -L/usr/lib -L/usr/lib -fstack-protector-strong   LIBS=-lkrb5 -lgssapi_krb5 -lkrb5 -lgssapi_krb5 -L/usr/local/lib  KRB5CONFIG=/usr/local/bin/krb5-config
KRB5CONFIG: /usr/local/bin/krb5-config
CFLAGS: -O2 -pipe  -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing
LDFLAGS:  -L/usr/local/lib -L/usr/lib -L/usr/lib -fstack-protector-strong
LDADD:

Please double check

Created attachment 249668 [details]
[PATCH v3] USES=gssapi: allow provider choice using DEFAULT_VERSIONS

Sorry about that, somehow all the ".else" directives in my patch got replaced with GSSAPI_PROVIDER. I think it was a bad merge :)

I tested this one with building dovecot and choosing different providers with DEFAULT_VERSIONS works. Please test on your end as well.

Comment 28 Michael Osipov 2024-04-02 20:29:36 UTC

(In reply to Siva Mahadevan from comment #27)

Did some basic testing on my end, at least for those two ports it does work. I'll modify some more ports I need with Kerberos support and run a poudriere build of them:
dns/bind-tools
security/cyrus-sasl2-gssapi
www/serf
ftp/curl
net/openldap26-client
sysutils/msktutil

Comment 29 Michael Osipov 2024-04-03 16:35:08 UTC

Created attachment 249682 [details]
My attempt

So I took your patch and gave it a spin with the mentioned ports. See my incomplete patch to those ports. In general it does magically and actually the way I wanted it in the first place: one knob and there you go. There are a few problems though and I don't know whether they exist as of today already especially with Heimdal from ports and base. I issues I have observed:
cyrus-sasl2-gssapi: heimdal no plugin, order of configure args is a problem (tricky)
serf: heimdal ports libs is mixed with base (ldd output)

mit-devel worked. Moreover, this will also need a patch for https://docs.freebsd.org/en/books/porters-handbook/book/#uses-gssapi

To move this foward this needs several reviewers: jrm@, cy@, several port maintainers and some kind of exp-run with those args.

Can you identify all affected ports?

Thanks for working on this.

Created attachment 250138 [details]
List of affected ports using GSSAPI

At a first glance, here's the list of affected ports. For the large majority of them, it's trivial to add support for DEFAULT_VERSIONS. I already have a patchlist that covers most of them. I can easily make commits for all the affected ports and send a `git request-pull` here for everyone to review. I'll also add a commit to the docs tree for the requested porters handbook change.

Comment 31 Michael Osipov 2024-04-22 18:18:56 UTC

(In reply to Siva Mahadevan from comment #30)

Please do so.