Bug 193912 - dns/bind99 with heimdal port brings in base heimdal libraries
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mathieu Arnold
Reported: 2014-09-25 04:47 UTC by dewayne
Modified: 2015-09-21 08:33 UTC (History)
dewayne: maintainer-feedback? (mat)


Attachments
Patches /usr/ports/dns/bind99/files/patch-configure (674 bytes, patch)
2014-09-25 04:47 UTC, dewayne
Patch for dns/bind99 to fix GSS-API library detection (5.21 KB, patch)
2014-10-01 07:54 UTC, Hiroki Sato
New patch for dns/bind99 to fix GSS-API library detection (3.58 KB, patch)
2015-09-07 18:14 UTC, Hiroki Sato

Description dewayne 2014-09-25 04:47:53 UTC
Created attachment 147655
Patches /usr/ports/dns/bind99/files/patch-configure

Bind99 fails to build correctly using the heimdal port, on a FreeBSD 10.1-BETA2 #0 r271939 system.

These appear in the config.log:
/usr/bin/ld: warning: libgssapi.so.10, needed by /usr/lib/libgssapi_krb5.so, may conflict with libgssapi.so.3
/usr/bin/ld: warning: libkrb5.so.11, needed by /usr/lib/libgssapi_krb5.so, may conflict with libkrb5.so.26
/usr/bin/ld: warning: libcrypto.so.7, needed by /usr/lib/libgssapi_krb5.so, may conflict with libcrypto.so.8
/usr/bin/ld: warning: libroken.so.11, needed by /usr/lib/libgssapi_krb5.so, may conflict with libroken.so.18
/usr/bin/ld: warning: libasn1.so.11, needed by /usr/lib/libgssapi_krb5.so, may conflict with libasn1.so.8

Clearly the port is confusing the base and heimdal ports, which results in executables containing both heimdal port and heimdal base shareable libraries.  This file seems to be the reason:
/usr/ports/dns/bind99/files/patch-configure

A closer examination revealed that:

a) These do not exist in heimdal port
-lgssapi_krb5 -lkrb5support -lk5crypto -lcom_err

b) These do not exist in either the base or the heimdal port
 -lkrb5support -lk5crypto

However, these do exist in the base system
-lgssapi_krb5 -lcom_err

Cutting a very long story short, to build bind99 (9.9.6) that pulls in the libraries from the heimdal port, the enclosed patch should be applied:

patch /usr/ports/dns/bind99/files/patch-configure < $ATTACHED_PATCH

I appreciate that this is a particularly challenging feature (bind with heimdal) but it is extremely useful for those that use samba[4|41] to have a gssapi enabled bind, which requires one line change for the heimdal port.
Ref: https://wiki.samba.org/index.php/DNS_Backend_BIND#Bind_9.8_.2F_9.9_2

I'm not entirely comfortable about leaving -lcom_err in the final executables, but I wasn't able to determine if its functions are actually called from within the executables (nslookup and friends).  As I'm not very technical someone else may be able to make that call.

Perhaps a quick solution is that there are two "patch-configure" files, one for the base and one for the heimdal port. But I'm bereft of how...
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2014-09-25 04:47:53 UTC
Auto-assigned to maintainer mat@FreeBSD.org
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2014-09-25 07:54:51 UTC
Adding hrs@ to the CC because he's my go-to guy when I have a PR related to kerberos, heimdal, gssapi and all :-)
Comment 3 Hiroki Sato freebsd_committer freebsd_triage 2014-10-01 07:54:11 UTC
Created attachment 147873
Patch for dns/bind99 to fix GSS-API library detection

Please test this patch and let us know if this problem still persists or not.  Note that files/patch-configure is removed and files/extra-patch-configure-gssapi-* (3 files) are added.
Comment 4 Hiroki Sato freebsd_committer freebsd_triage 2014-11-23 10:12:40 UTC
Ping?  We need feedback from the original submitter of this PR.
Comment 5 dewayne 2014-11-24 01:24:51 UTC
Thank you for pursuing this issue.  Yes, the approach taken is good, and enables a successful heimdal & bind build on 10.1Stable.

Though you should note that with -lcom_err, both the heimdal port and bind99 will link with the /usr/lib/libcom_err.so from heimdal in base.  If a system has both the heimdal port and base installed, this works.  However if you don't have heimdal base, then it doesn't.  So I have modified 
dns/bind99/files/extra-patch-configure-gssapi-heimdal to omit com_err.

-+                  "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
++                  "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken" \
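Review bot: The replacement line drops -lgssapi_krb5 as well as -lcom_err, while the text introducing the change only mentions omitting com_err. State in the patch description why -lgssapi_krb5 is removed too, so that someone who later restores -lcom_err does not restore it by accident.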

I've also modified heimdal to build without base heimdal, by
rm /usr/ports/security/heimdal/files/patch-lib-com_err-Makefile.in

and force this result in the heimdal/Makefile
PLIST_SUB+=    LIBCOM_ERR=""

Then everything is happy.

As an aside, I also have in bind99/Makefile
-BIND_DESTETC=  /etc/namedb
+BIND_DESTETC?= /etc/namedb
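Review bot: With ?= on BIND_DESTETC the install path can now be set from outside the Makefile, and nothing in the hunk documents that. Add a comment above the assignment that names BIND_DESTETC as user-settable and states that /etc/namedb stays the default when it is unset.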
so I can place namedb files under /var via a variable where, I think, they belong without (further) changing the Makefile ;)

Dewayne
Comment 6 Hiroki Sato freebsd_committer freebsd_triage 2014-11-24 01:44:58 UTC
(In reply to dewayne from comment #5)
> Though you should note that with -lcom_err, both the heimdal port and bind99
> will link with the /usr/lib/libcom_err.so from heimdal in base. 

libcom_err issue should be fixed in heimdal-1.5.2_17 or later.  Are your binaries still linked with /usr/lib/libcom_err.so?
Comment 7 dewayne 2014-11-24 01:58:36 UTC
Unfortunately we undertake approx 3 weeks of integration testing before we release software to customers, and we're frozen from 17th.  They aren't linked against heimdal base, but that's due to our patches. The bind99 testing of your patch(es) was against our modified heimdal-1.5.2_16, (we copy the tree for point testing).
Comment 8 Hiroki Sato freebsd_committer freebsd_triage 2014-11-24 02:27:57 UTC
(In reply to dewayne from comment #7)
> Unfortunately we undertake approx 3 weeks of integration testing before we
> release software to customers, and we're frozen from 17th.  They aren't
> linked against heimdal base, but that's due to our patches. The bind99
> testing of your patch(es) was against our modified heimdal-1.5.2_16, (we
> copy the tree for point testing).

So please report again if you get the same symptom by using the latest, unpatched tree.  I think the libcom_err issue is already fixed.
Comment 9 dewayne 2014-11-29 12:35:25 UTC
Hiroki,
I have attempted to rebuild our ports system.  Heimdal builds nicely, thank you.

Unfortunately other ports such as samba36 now fail to build because they cannot find the libcom_err and other libraries libkrb5 etc. Samba36 appears to look within /usr/local/lib and not /usr/local/lib/heimdal where the libs are now stored.  Interestingly cyrus-sasl-gssapi and bind99 did build using /usr/local/lib/heimdal.

I guess this isn't being seen by others because they have libcom_err and other lib dependencies hidden by a base heimdal installation, which we've eliminated.  (Our base system isn't polluted by the "older" ;) heimdal libs.)

I think you should close this PR as bind99 builds successfully.  Thank you.
Comment 10 Hiroki Sato freebsd_committer freebsd_triage 2014-11-29 12:49:22 UTC
(In reply to dewayne from comment #9)
> Hiroki,
> I have attempted to rebuild our ports system.  Heimdal builds nicely
> thank you.

 Thank you for your testing!

> Unfortunately other ports such as samba36 now fail to build because they
> cannot find the libcom_err and other libraries libkrb5 etc. Samba36 appears to
> look within /usr/local/lib and not /usr/local/lib/heimdal where the libs are
> now stored.  Interestingly cyrus-sasl-gssapi and bind99 did build using
> /usr/local/lib/heimdal.

 Yes, several ports including samba should be fixed and I am working on it, too. They have had a dependency problem with security/heimdal regardless of the directory change of heimdal.
Comment 11 Mathieu Arnold freebsd_committer freebsd_triage 2015-02-02 15:37:28 UTC
(In reply to Hiroki Sato from comment #10)

Mmmm, is the patch here still needed?  If it's not needed, is it a good thing? Should I apply it (to bind99 and bind910)?
Comment 12 Mathieu Arnold freebsd_committer freebsd_triage 2015-02-02 15:40:47 UTC
As a side note, shouldn't the patch remove all the -lgssapi and such lines from the configure and add only the ONE THAT WORKS? It would make sure that only the right one is tested and used.
Comment 13 dewayne 2015-02-16 07:49:04 UTC
(In reply to Mathieu Arnold from comment #12)
Mathieu,
Thank you for taking an interest.  I don't think many people use the heimdal port to properly build their ports, so I'm not in a position to answer your question.  When I say properly, I mean that I use libcom_err from the heimdal port (1.5.3 /usr/local/lib/heimdal/libcom_err.so.1) and not the base system (heimdal 1.5.2 which is /usr/lib/libcom_err.so.5).

However, I do modify
Index: /usr/ports/dns/bind99/files/patch-configure
===================================================================
--- /usr/ports/dns/bind99/files/patch-configure (revision 379027)
+++ /usr/ports/dns/bind99/files/patch-configure (working copy)
@@ -5,7 +5,7 @@
                    "-lgssapi" \
                    "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
 +                  "-lkrb5 -lgssapi_krb5 -lkrb5support -lk5crypto -lcom_err" \
-+                  "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
++                  "-lgssapi -lkrb5 -lgssapi -lcrypto -lcrypt -lasn1 -lroken" \
                    "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
                    "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
                    "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
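Review bot: The new candidate on the ++ line lists -lgssapi twice ("-lgssapi -lkrb5 -lgssapi ..."); the second one sits where -lgssapi_krb5 was and looks like an editing leftover rather than an intended option. Drop it so the line reads "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken". Also note that the unchanged context line two below still offers the "-lgssapi -lkrb5 -lgssapi_krb5 ... -lcom_err" set, so that combination stays in the candidate list.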

I think that this keeps the libraries consistent with the heimdal port.
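
The two symptoms discussed in this report (the ld "may conflict with" warnings in the description, and a port-built binary still resolving libcom_err from base) can be checked mechanically. The script below is an added example, not part of the report or of the ports tree; the function names, the nslookup path and the ldd sample are constructed, and the port directory /usr/local/lib/heimdal is taken from comment 9.

```shell
#!/bin/sh
# Added example, not from the bug report. SAMPLE_LDD is constructed; the two
# ld warnings in SAMPLE_LOG are copied from the report, the last line is not.

# ld_conflicts: read linker output (e.g. config.log) on stdin and print one
# "stem wanted=N linked=M via=PATH" line per "may conflict with" warning.
ld_conflicts() {
    awk '/ld: warning: .* needed by .* may conflict with / {
        wanted = $3; sub(/,$/, "", wanted)   # e.g. libgssapi.so.10
        via = $6;    sub(/,$/, "", via)      # library that pulled it in
        linked = $NF                         # e.g. libgssapi.so.3
        stem = wanted; sub(/\.so\..*/, "", stem)
        sub(/.*\.so\./, "", wanted); sub(/.*\.so\./, "", linked)
        printf "%s wanted=%s linked=%s via=%s\n", stem, wanted, linked, via
    }'
}

# base_krb_in_port_build: read ldd output on stdin. If the binary loads
# anything from the port directory ($1, assumed /usr/local/lib/heimdal),
# print each Kerberos-family library it still resolves from base /usr/lib.
base_krb_in_port_build() {
    awk -v portdir="${1:-/usr/local/lib/heimdal}" '
    $2 == "=>" && index($3, portdir "/") == 1 { port = 1 }
    $2 == "=>" && $3 ~ /^\/usr\/lib\/lib(gssapi|gssapi_krb5|krb5|roken|asn1|com_err|hx509)\.so/ {
        base[++n] = $3
    }
    END { if (port) for (i = 1; i <= n; i++) print base[i] }'
}

SAMPLE_LOG='/usr/bin/ld: warning: libgssapi.so.10, needed by /usr/lib/libgssapi_krb5.so, may conflict with libgssapi.so.3
/usr/bin/ld: warning: libkrb5.so.11, needed by /usr/lib/libgssapi_krb5.so, may conflict with libkrb5.so.26
configure:1234: result: yes'

SAMPLE_LDD='/usr/local/bin/nslookup:
    libgssapi.so.3 => /usr/local/lib/heimdal/libgssapi.so.3 (0x800a00000)
    libkrb5.so.26 => /usr/local/lib/heimdal/libkrb5.so.26 (0x800c00000)
    libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

printf '%s\n' "$SAMPLE_LOG" | ld_conflicts
printf '%s\n' "$SAMPLE_LDD" | base_krb_in_port_build
```

On a real system, feed the first function the port's config.log and the second the output of ldd on each installed BIND binary; any output means base and port Kerberos libraries are still mixed.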
Comment 14 Hiroki Sato freebsd_committer freebsd_triage 2015-02-16 07:57:11 UTC
(In reply to Mathieu Arnold from comment #12)
This change is still required but yes, removing bogus options and adding a correct library option set for each package would be better.  I will recreate and submit a new patch shortly.
Comment 15 Mathieu Arnold freebsd_committer freebsd_triage 2015-09-01 09:47:40 UTC
(In reply to Hiroki Sato from comment #14)
> (In reply to Mathieu Arnold from comment #12)
> This change is still required but yes, removing bogus options and adding a
> correct library option set for each package would be better.  I will
> recreate and submit a new patch shortly.

ping? :-)
Comment 16 Hiroki Sato freebsd_committer freebsd_triage 2015-09-07 18:14:32 UTC
Created attachment 160814
New patch for dns/bind99 to fix GSS-API library detection

I am sorry for the long delay.  All of the Kerberos implementations have been changed to have krb5-config script correctly, so the attached patch should be simple and reliable, even for the other BIND ports.  I tested if this works fine with base, security/heimdal, and security/krb5.
Comment 17 Mathieu Arnold freebsd_committer freebsd_triage 2015-09-21 08:33:53 UTC
So, this should be fixed now.