Page MenuHomeFreeBSD
Differential D51733

gssd.c: Add support for new lucid upcalls for MIT Kerberos
ClosedPublic
Actions

Authored by rmacklem on Aug 5 2025, 12:22 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Oct 18, 4:35 PM
Unknown Object (File)
Sun, Oct 12, 3:42 PM
Unknown Object (File)
Thu, Oct 9, 8:06 PM
Unknown Object (File)
Thu, Oct 9, 5:22 PM
Unknown Object (File)
Thu, Oct 9, 3:23 PM
Unknown Object (File)
Tue, Oct 7, 5:46 AM
Unknown Object (File)
Sun, Oct 5, 10:28 PM
Unknown Object (File)
Thu, Oct 2, 12:01 PM
View All 25 Files
Subscribers
imp

Details

Reviewers
glebius
asomers
bjk
cy
Summary

The kgssapi used detailed internal knowledge of
the Heimdal (up to vers 1.5) kerberos context.
This would not work for MIT Kerberos.

D51731 patches the kgssapi so that it acquires
the information needed to establish a RPCSEC_GSS
context via new upcalls to the gssd daemon.
This avoids needing internal knowledge of MIT's
Kerberos, by using the gss_krb5_export_lucid_sec_context()
library function to acquire the needed information.

This patch adds these upcalls.

I left the old upcalls intact, although they should
be removed once the old Heimdal 1.5 code is
removed from /usr/src.

Test Plan

Tested (mounts in both directions) against a pre-MIT
FreeBSD system, a post-MIT FreeBSD system and a
Debian system using a Linux 6.12 kernel.
(With D51731 applied to the kernel.)

To make it work correctly, I needed to link the gssd
code to libraries installed under /usr/local via
"pkg install krb5" for my test system, which is
a July 24 snapshot.
--> Linking to the libraries in /usr/lib on this

snapshot makes the gss_krb5_export_lucid_sec_context()
call fail in a weird way.
It returns GSS_S_COMPLETE, but with a NULL structure.

I am hoping that whatever the problem is with the
libraries in /usr/lib will get fixed once the location/names
of the .h files, etc, are resolved.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

rmacklem created this revision.Aug 5 2025, 12:22 AM
Herald added a subscriber: imp. · View Herald TranscriptAug 5 2025, 12:22 AM
rmacklem requested review of this revision.Aug 5 2025, 12:22 AM
cy accepted this revision.Aug 5 2025, 6:26 AM

This works here.

usr.sbin/gssd/Makefile
15

How do we include MIT's gssapi.h instead of the one provided by /usr/src/include which is installed in /usr/include? All builds (here) with this patch fail unless D51661 is applied or if additional CFLAGS are added to include specific MIT headers.

Update: 73ed0c7992fd broke ports depending on base gssapi. The above is no longer true.

This revision is now accepted and ready to land.Aug 5 2025, 6:26 AM
cy added a comment.Aug 5 2025, 6:26 AM

This works here with D51661.

rmacklem mentioned this in rG554651ebf1c1: kgssapi: Fix the kgssapi so that it can use MIT Kerberos.Aug 6 2025, 10:42 PM
rmacklem closed this revision.Aug 6 2025, 10:48 PM

Closed by commit 554651ebf1c1.

rmacklem mentioned this in rGe3ac01e18eb3: kgssapi: Fix the kgssapi so that it can use MIT Kerberos.Aug 7 2025, 9:06 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
Makefile
Makefile.sav
2 lines
gssd/
Makefile
Makefile.sav
9 lines
gssd.c
gssd.c.sav
506 lines

Diff 159736

View Options

usr.sbin/Makefile

Loading...
View Options

usr.sbin/gssd/Makefile

Loading...
View Options

usr.sbin/gssd/gssd.c

Loading...