Page MenuHomeFreeBSD

gssd.c: Add support for new lucid upcalls for MIT Kerberos
ClosedPublic

Authored by rmacklem on Aug 5 2025, 12:22 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Oct 12, 3:42 PM
Unknown Object (File)
Thu, Oct 9, 8:06 PM
Unknown Object (File)
Thu, Oct 9, 5:22 PM
Unknown Object (File)
Thu, Oct 9, 3:23 PM
Unknown Object (File)
Tue, Oct 7, 5:46 AM
Unknown Object (File)
Sun, Oct 5, 10:28 PM
Unknown Object (File)
Thu, Oct 2, 12:01 PM
Unknown Object (File)
Wed, Oct 1, 10:13 AM
Subscribers

Details

Summary

The kgssapi used detailed internal knowledge of
the Heimdal (up to vers 1.5) kerberos context.
This would not work for MIT Kerberos.

D51731 patches the kgssapi so that it acquires
the information needed to establish a RPCSEC_GSS
context via new upcalls to the gssd daemon.
This avoids needing internal knowledge of MIT's
Kerberos, by using the gss_krb5_export_lucid_sec_context()
library function to acquire the needed information.

This patch adds these upcalls.

I left the old upcalls intact, although they should
be removed once the old Heimdal 1.5 code is
removed from /usr/src.

Test Plan

Tested (mounts in both directions) against a pre-MIT
FreeBSD system, a post-MIT FreeBSD system and a
Debian system using a Linux 6.12 kernel.
(With D51731 applied to the kernel.)

To make it work correctly, I needed to link the gssd
code to libraries installed under /usr/local via
"pkg install krb5" for my test system, which is
a July 24 snapshot.
--> Linking to the libraries in /usr/lib on this

snapshot makes the gss_krb5_export_lucid_sec_context()
call fail in a weird way.
It returns GSS_S_COMPLETE, but with a NULL structure.

I am hoping that whatever the problem is with the
libraries in /usr/lib will get fixed once the location/names
of the .h files, etc, are resolved.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

This works here.

usr.sbin/gssd/Makefile
15

How do we include MIT's gssapi.h instead of the one provided by /usr/src/include which is installed in /usr/include? All builds (here) with this patch fail unless D51661 is applied or if additional CFLAGS are added to include specific MIT headers.

Update: 73ed0c7992fd broke ports depending on base gssapi. The above is no longer true.

This revision is now accepted and ready to land.Aug 5 2025, 6:26 AM