kgssapi: Fix the kgssapi so that it can use MIT Kerberos
ClosedPublic

Authored by rmacklem on Aug 4 2025, 11:16 PM.
Details

Summary

Without this patch, the kgssapi uses detailed knowledge
of the internal context structure for Heimdal (up to vers 1.5).
It also does four upcalls to the gssd daemon to establish
a server side RPCSEC_GSS context.

This patch adds support for three new upcalls:
gss_init_sec_context_lucid_v1()
gss_accept_sec_context_lucid_v1()
gss_supports_lucid()

These are used to determine whether the gssd can do the upcalls,
and the kgssapi uses them to avoid needing detailed Heimdal knowledge
if they are supported.

gss_init_sec_context_lucid_v1() and
gss_accept_sec_context_lucid_v1() return the information
needed to complete the RPCSEC_GSS context.
They use gss_krb5_export_lucid_sec_context() to acquire
the information from the libraries. (MIT Kerberos supports
this and I believe newer versions of Heimdal do, as well.)

This avoids the need for detailed knowledge about MIT's
internals and replaces the 2 or 4 (initiator or acceptor) upcalls
with a single upcall to create the RPCSEC_GSS context.

The old Heimdal (up to 1.5) support is left intact, but should
be removed whenever Heimdal 1.5 is removed from /usr/src.

The patch for the gssd daemon will be presented separately,
although both will need to be committed at the same time.

Test Plan

Tested (Kerberized mounts in both directions) against
an older pre-MIT FreeBSD, a recent MIT FreeBSD and a
Debian Linux system running a Linux 6.12 kernel.

Diff Detail

Repository
rG FreeBSD src repository