Bug 265682 - net/samba413: Fails to build with the latest security/krb5 (1.20)
Summary: net/samba413: Fails to build with the latest security/krb5 (1.20)
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-07 03:13 UTC by Ting-Wei Lan
Modified: 2022-09-10 22:56 UTC (History)
6 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ting-Wei Lan 2022-08-07 03:13:45 UTC
When choosing GSSAPI_MIT, samba413 fails to build with krb5 1.20. It builds fine with krb5 1.19.3, though.

===> The following configuration options are available for samba413-4.13.17_1:
     ADS=on: Active Directory client(implies LDAP)
     AD_DC=on: Active Directory Domain Controller(implies PYTHON3)
     CLUSTER=off: Clustering support
     CUPS=off: CUPS printing system support
     DOCS=on: Build and/or install documentation
     FAM=on: File Alteration Monitor
     GPGME=off: GpgME support
     LDAP=on: LDAP client
     MANDOC=off: Build manpages from DOCBOOK templates
     NTVFS=off: Build *DEPRECATED* NTVFS file server
     PROFILE=on: Profiling data
     PYTHON3=on: Python 3.x bindings or support
     QUOTAS=on: Disk quota support
     SPOTLIGHT=off: Spotlight server-side search support
     SYSLOG=on: Syslog logging support
     UTMP=on: UTMP accounting
====> VFS modules
     FRUIT=on: MacOSX and TimeMachine support
     GLUSTERFS=off: GlusterFS support
====> GSSAPI Security API support: you have to select exactly one of them
     GSSAPI_BUILTIN=off: GSSAPI support via bundled Heimdal
     GSSAPI_MIT=on: GSSAPI support via security/krb5
====> Zero configuration networking: you have to select exactly one of them
     ZEROCONF_NONE=off: Zeroconf support is absent
     AVAHI=on: Zeroconf support via Avahi
     MDNSRESPONDER=off: Zeroconf support via mDNSResponder
====> DNS frontend: you can only select none or one of them
     NSUPDATE=off: Use samba NSUPDATE utility for AD DC
     BIND911=off: Use Bind 9.11 as AD DC DNS server frontend
     BIND916=off: Use Bind 9.16 as AD DC DNS server frontend

[2758/3370] Compiling source4/kdc/mit_samba.c
runner ['cc', '-D_SAMBA_BUILD_=4', '-DHAVE_CONFIG_H=1', '-O2', '-pipe', '-DLIBICONV_PLUG', '-fno-color-diagnostics', '-fstack-protector-strong', '-DLDAP_DEPRECATED', '-isystem', '/usr/local/include', '-fno-strict-aliasing', '-fno-omit-frame-pointer', '-MMD', '-D_GNU_SOURCE=1', '-D_XOPEN_SOURCE_EXTENDED=1', '-DHAVE_CONFIG_H=1', '-fPIC', '-D__STDC_WANT_LIB_EXT1__=1', '-D_REENTRANT', '-fstack-protector-strong', '-fstack-clash-protection', '-DSTATIC_MIT_SAMBA_MODULES=NULL', '-DSTATIC_MIT_SAMBA_MODULES_PROTO=extern void __MIT_SAMBA_dummy_module_proto(void)', '-fstack-protector-strong', '-fstack-protector-strong', '-fstack-protector-strong', '-Isource4/kdc', '-I../../source4/kdc', '-Iinclude/public', '-I../../include/public', '-Isource4', '-I../../source4', '-Ilib', '-I../../lib', '-Isource4/lib', '-I../../source4/lib', '-Isource4/include', '-I../../source4/include', '-Iinclude', '-I../../include', '-Ilib/replace', '-I../../lib/replace', '-I.', '-I../..', '-Ilibrpc', '-I../../librpc', '-Ilibcli/auth', '-I../../libcli/auth', '-Isource4/heimdal/kdc', '-I../../source4/heimdal/kdc', '-Idynconfig', '-I../../dynconfig', '-Ilibcli/nbt', '-I../../libcli/nbt', '-Isource4/libcli', '-I../../source4/libcli', '-Isource4/librpc', '-I../../source4/librpc', '-Ilibcli/dns', '-I../../libcli/dns', '-Ilibcli/lsarpc', '-I../../libcli/lsarpc', '-Isource4/libcli/ldap', '-I../../source4/libcli/ldap', '-Isource4/lib/socket', '-I../../source4/lib/socket', '-Ilibcli/util', '-I../../libcli/util', '-Isource4/lib/messaging', '-I../../source4/lib/messaging', '-Isource4/dsdb', '-I../../source4/dsdb', '-Isource4/lib/tls', '-I../../source4/lib/tls', '-Ilibds/common', '-I../../libds/common', '-Iauth/credentials', '-I../../auth/credentials', '-Iauth/gensec', '-I../../auth/gensec', '-Ilib/param', '-I../../lib/param', '-Isource3', '-I../../source3', '-Isource3/include', '-I../../source3/include', '-Isource3/lib', '-I../../source3/lib', '-Isource3/librpc/usr/local/include', '-I../../source3/librpc/usr/local/include', '-Isource3/librpc', '-I../../source3/librpc', '-Isource3/usr/local/include', '-I../../source3/usr/local/include', '-Ilib/krb5_wrap', '-I../../lib/krb5_wrap', '-Ilibcli/smb', '-I../../libcli/smb', '-Insswitch/libwbclient', '-I../../nsswitch/libwbclient', '-Isource4/lib/events', '-I../../source4/lib/events', '-Ilibcli/ldap', '-I../../libcli/ldap', '-Isource4/auth/kerberos', '-I../../source4/auth/kerberos', '-Ilib/ldb/include', '-I../../lib/ldb/include', '-Ilib/ldb', '-I../../lib/ldb', '-Isource4/param', '-I../../source4/param', '-Ilib/addns', '-I../../lib/addns', '-Ilibcli/netlogon', '-I../../libcli/netlogon', '-Iauth', '-I../../auth', '-Ilib/util/charset', '-I../../lib/util/charset', '-Ilib/messaging', '-I../../lib/messaging', '-Iauth/kerberos', '-I../../auth/kerberos', '-Ilib/ldb-samba', '-I../../lib/ldb-samba', '-Isource4/auth/gensec', '-I../../source4/auth/gensec', '-Ilib/tsocket', '-I../../lib/tsocket', '-Ilibcli/http', '-I../../libcli/http', '-Ilib/audit_logging', '-I../../lib/audit_logging', '-Isource4/libcli/smb2', '-I../../source4/libcli/smb2', '-Ilib/async_req', '-I../../lib/async_req', '-Ilib/dbwrap', '-I../../lib/dbwrap', '-Ilibcli/security', '-I../../libcli/security', '-Ilib/pthreadpool', '-I../../lib/pthreadpool', '-Insswitch', '-I../../nsswitch', '-Ilibcli/cldap', '-I../../libcli/cldap', '-Ilibcli/drsuapi', '-I../../libcli/drsuapi', '-Ilib/socket', '-I../../lib/socket', '-Ilib/crypto', '-I../../lib/crypto', '-Iauth/ntlmssp', '-I../../auth/ntlmssp', '-Isource4/auth', '-I../../source4/auth', '-Isource4/cluster', '-I../../source4/cluster', '-Isource4/lib/stream', '-I../../source4/lib/stream', '-Ilib/compression', '-I../../lib/compression', '-I/usr/local/include', '-I/usr/local/include/p11-kit-1', '../../source4/kdc/mit_samba.c', '-c', '-o/wrkdirs/usr/ports/net/samba413/work/samba-4.13.17/bin/default/source4/kdc/mit_samba.c.18.o', '-DLIBICONV_PLUG', '-isystem', '/usr/local/include']
../../source4/kdc/mit_samba.c:73:2: warning: 'tevent_loop_allow_nesting' is deprecated [-Wdeprecated-declarations]
        tevent_loop_allow_nesting(base_ctx.ev_ctx);
        ^
/usr/local/include/tevent.h:2370:59: note: 'tevent_loop_allow_nesting' has been explicitly marked deprecated here
void tevent_loop_allow_nesting(struct tevent_context *ev) _DEPRECATED_;
                                                          ^
../../lib/replace/../replace/replace.h:469:38: note: expanded from macro '_DEPRECATED_'
#define _DEPRECATED_ __attribute__ ((deprecated))
                                     ^
../../source4/kdc/mit_samba.c:198:15: error: use of undeclared identifier 'KRB5_KDB_FLAG_CANONICALIZE'
        if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
                     ^
../../source4/kdc/mit_samba.c:201:16: error: use of undeclared identifier 'KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY'
        if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
                      ^
../../source4/kdc/mit_samba.c:202:9: error: use of undeclared identifier 'KRB5_KDB_FLAG_INCLUDE_PAC'
                      KRB5_KDB_FLAG_INCLUDE_PAC)) {
                      ^
1 warning and 3 errors generated.

Waf: Leaving directory `/wrkdirs/usr/ports/net/samba413/work/samba-4.13.17/bin/default'
Build failed
 -> task in 'MIT_SAMBA' failed with exit status 1:
        {task 34464479040: c mit_samba.c -> mit_samba.c.18.o}
['cc', '-D_SAMBA_BUILD_=4', '-DHAVE_CONFIG_H=1', '-O2', '-pipe', '-DLIBICONV_PLUG', '-fno-color-diagnostics', '-fstack-protector-strong', '-DLDAP_DEPRECATED', '-isystem', '/usr/local/include', '-fno-strict-aliasing', '-fno-omit-frame-pointer', '-MMD', '-D_GNU_SOURCE=1', '-D_XOPEN_SOURCE_EXTENDED=1', '-DHAVE_CONFIG_H=1', '-fPIC', '-D__STDC_WANT_LIB_EXT1__=1', '-D_REENTRANT', '-fstack-protector-strong', '-fstack-clash-protection', '-DSTATIC_MIT_SAMBA_MODULES=NULL', '-DSTATIC_MIT_SAMBA_MODULES_PROTO=extern void __MIT_SAMBA_dummy_module_proto(void)', '-fstack-protector-strong', '-fstack-protector-strong', '-fstack-protector-strong', '-Isource4/kdc', '-I../../source4/kdc', '-Iinclude/public', '-I../../include/public', '-Isource4', '-I../../source4', '-Ilib', '-I../../lib', '-Isource4/lib', '-I../../source4/lib', '-Isource4/include', '-I../../source4/include', '-Iinclude', '-I../../include', '-Ilib/replace', '-I../../lib/replace', '-I.', '-I../..', '-Ilibrpc', '-I../../librpc', '-Ilibcli/auth', '-I../../libcli/auth', '-Isource4/heimdal/kdc', '-I../../source4/heimdal/kdc', '-Idynconfig', '-I../../dynconfig', '-Ilibcli/nbt', '-I../../libcli/nbt', '-Isource4/libcli', '-I../../source4/libcli', '-Isource4/librpc', '-I../../source4/librpc', '-Ilibcli/dns', '-I../../libcli/dns', '-Ilibcli/lsarpc', '-I../../libcli/lsarpc', '-Isource4/libcli/ldap', '-I../../source4/libcli/ldap', '-Isource4/lib/socket', '-I../../source4/lib/socket', '-Ilibcli/util', '-I../../libcli/util', '-Isource4/lib/messaging', '-I../../source4/lib/messaging', '-Isource4/dsdb', '-I../../source4/dsdb', '-Isource4/lib/tls', '-I../../source4/lib/tls', '-Ilibds/common', '-I../../libds/common', '-Iauth/credentials', '-I../../auth/credentials', '-Iauth/gensec', '-I../../auth/gensec', '-Ilib/param', '-I../../lib/param', '-Isource3', '-I../../source3', '-Isource3/include', '-I../../source3/include', '-Isource3/lib', '-I../../source3/lib', '-Isource3/librpc/usr/local/include', '-I../../source3/librpc/usr/local/include', '-Isource3/librpc', '-I../../source3/librpc', '-Isource3/usr/local/include', '-I../../source3/usr/local/include', '-Ilib/krb5_wrap', '-I../../lib/krb5_wrap', '-Ilibcli/smb', '-I../../libcli/smb', '-Insswitch/libwbclient', '-I../../nsswitch/libwbclient', '-Isource4/lib/events', '-I../../source4/lib/events', '-Ilibcli/ldap', '-I../../libcli/ldap', '-Isource4/auth/kerberos', '-I../../source4/auth/kerberos', '-Ilib/ldb/include', '-I../../lib/ldb/include', '-Ilib/ldb', '-I../../lib/ldb', '-Isource4/param', '-I../../source4/param', '-Ilib/addns', '-I../../lib/addns', '-Ilibcli/netlogon', '-I../../libcli/netlogon', '-Iauth', '-I../../auth', '-Ilib/util/charset', '-I../../lib/util/charset', '-Ilib/messaging', '-I../../lib/messaging', '-Iauth/kerberos', '-I../../auth/kerberos', '-Ilib/ldb-samba', '-I../../lib/ldb-samba', '-Isource4/auth/gensec', '-I../../source4/auth/gensec', '-Ilib/tsocket', '-I../../lib/tsocket', '-Ilibcli/http', '-I../../libcli/http', '-Ilib/audit_logging', '-I../../lib/audit_logging', '-Isource4/libcli/smb2', '-I../../source4/libcli/smb2', '-Ilib/async_req', '-I../../lib/async_req', '-Ilib/dbwrap', '-I../../lib/dbwrap', '-Ilibcli/security', '-I../../libcli/security', '-Ilib/pthreadpool', '-I../../lib/pthreadpool', '-Insswitch', '-I../../nsswitch', '-Ilibcli/cldap', '-I../../libcli/cldap', '-Ilibcli/drsuapi', '-I../../libcli/drsuapi', '-Ilib/socket', '-I../../lib/socket', '-Ilib/crypto', '-I../../lib/crypto', '-Iauth/ntlmssp', '-I../../auth/ntlmssp', '-Isource4/auth', '-I../../source4/auth', '-Isource4/cluster', '-I../../source4/cluster', '-Isource4/lib/stream', '-I../../source4/lib/stream', '-Ilib/compression', '-I../../lib/compression', '-I/usr/local/include', '-I/usr/local/include/p11-kit-1', '../../source4/kdc/mit_samba.c', '-c', '-o/wrkdirs/usr/ports/net/samba413/work/samba-4.13.17/bin/default/source4/kdc/mit_samba.c.18.o', '-DLIBICONV_PLUG', '-isystem', '/usr/local/include']
*** Error code 1

Stop.
make: stopped in /usr/ports/net/samba413
Comment 1 Cy Schubert freebsd_committer 2022-08-07 05:06:50 UTC
This is due to this (https://github.com/krb5/krb5/commit/a441fbe329ebbd7775eb5d4ccc4a05eef370f08b) change in MIT KRB5. They have redefined "Entry get flags" in kdb.h. We don't have 4.16 yet but it appears that 4.16 also has the problem. We will need samba depend on krb5-119 until samba.org adds support for this change to 4.16.
Comment 2 Felix Palmen freebsd_committer 2022-08-09 07:29:10 UTC
Additinal info: The commit fixing it is here: https://github.com/samba-team/samba/commit/f1ca16f309a1794f7ce44c4112d3c0d458169158

Looks like it will be in samba 4.17. I tried backporting it to 4.13, and although I somehow got it to compile, I failed. Just maybe, it would be easier on 4.16, if someone wants to try.
Comment 3 Timur I. Bakeyev freebsd_committer 2022-08-10 10:46:26 UTC
(In reply to Felix Palmen from comment #2)

Hi, Felix and Cy!

Thanks for pointing to that relevant patch in the Samba tree, I've cherry-picked it into the samba416 and, at least, it compiles now with the current MIT Kerberos. Checking how it works would be another tricky thing :)

With regards,
Timur
Comment 4 Timur I. Bakeyev freebsd_committer 2022-08-10 10:48:12 UTC
(In reply to Ting-Wei Lan from comment #0)

Hi Ting-Wei!

Out of curiosity I wonder, why do you actually need to build Samba with MIT Kerberos? While it's possible, it is less featurefull than default Heimdal build.

With regards,
Timur
Comment 5 Cy Schubert freebsd_committer 2022-08-10 17:14:33 UTC
(In reply to Timur I. Bakeyev from comment #4)

I don't want to argue with your point asking why the user wants to use MIT KRB5 when Heimdal KRB5 builds. But, can you explain how Heimdal is "more featureful" than MIT KRB5, please?

Still, your answer to why you believe Heimdal is "more featureful" than MIT doesn't mitigate your point that the user should try to build against base Heimdal.

Which BTW, I've been asked to upgrade our ancient Heimdal 1.5 in base to 7.7.0. Heimdal 7.7.0 may pose the same challenge as MIT 1.20 whereas Heimdal 1.5 in base does not. (I would think both MIT 1.20 and Heimdal 7.7.0 support newer KRB5 standards than our ancient 1.5 in base.)

Can the user please try building Samba413 with Heimdal 7.7.0 in ports. I'm interested in what the result might be.
Comment 6 Ting-Wei Lan 2022-08-13 08:03:26 UTC
(In reply to Timur I. Bakeyev from comment #4)
The reason I have to use MIT Kerberos is that gnome-control-center upstream only supports MIT Kerberos. I know that FreeBSD ports patch gnome-control-center in an unsupported way to make it use Heimdal Kerberos, but I want to be able to directly build from upstream sources.

Since installing security/krb5 port causes many things to automatically pick up MIT Kerberos at the build time, I switch all ports installed on my systems to use MIT Kerberos to prevent executables and libraries from linking to two libkrb5.so.
Comment 7 Antonio Huete Jimenez 2022-08-26 12:26:55 UTC
I've backported a number of patches to net/samba412 so that it builds in DPorts (2022Q3).
 
Just in case somebody wants to give it a go in FreeBSD Ports: https://github.com/DragonFlyBSD/DeltaPorts/commit/2bc2d1f517ba8476b

No testing whatsoever has been done but I'm happy to test it if anybody knows how to do it. Also, if anybody wants to test it themselves, I'm happy to help too.