Page MenuHomeFreeBSD

Remove MK_GSSAPI
ClosedPublic

Authored by ivy on Aug 11 2025, 1:15 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 10, 1:12 PM
Unknown Object (File)
Fri, Oct 10, 1:12 PM
Unknown Object (File)
Fri, Oct 10, 1:12 PM
Unknown Object (File)
Fri, Oct 10, 12:34 AM
Unknown Object (File)
Thu, Oct 9, 8:26 PM
Unknown Object (File)
Thu, Oct 2, 11:37 PM
Unknown Object (File)
Thu, Oct 2, 6:57 PM
Unknown Object (File)
Sep 15 2025, 11:30 AM

Details

Summary

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err to be selected by MK_KERBEROS,
not MK_KERBEROS_SUPPORT, since this is part of Kerberos and third-party
users might need it even if Kerberos support is disabled in the base
system. This means MK_KERBEROS_SUPPORT installs the same files with
both MIT and Heimdal.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 66165
Build 63048: arc lint + arc unit

Event Timeline

ivy requested review of this revision.Aug 11 2025, 1:15 PM

i intend to follow this with a revamp to OptionalObsoleteFiles for Kerberos that will be much simpler and also more correct. not having to deal with GSSAPI or KERBEROS_SUPPORT makes this a lot easier, both now and in the future.

also switch compile_et from KERBEROS_SUPPORT to KERBEROS in the Heimdal case

Please add an UPDATING entry.

add UPDATING entry

also, i'll add a RELNOTES entry if this lands

This needs broader discussion on FreeBSD-arch@. Can you open discussion, please? Coming out of that we would know whether to remove MK_GSSAPI or alter the MIT GSSAPI to that end.

I conditionally accept this revision. I don't think MK_GSSAPI makes no sense anymore since we're using the MIT KRB5 GSSAPI as our primary GSSAPI. lib/libgssapi was separate from Heimdal GSSAPI. This allowed us to install GSSAPI for use with other GSS providers not Kerberos. I don't think this holds true today. I'm willing to be convinced otherwise though.

This revision is now accepted and ready to land.Aug 11 2025, 2:50 PM
In D51859#1185120, @cy wrote:

I conditionally accept this revision. I don't think MK_GSSAPI makes no sense anymore since we're using the MIT KRB5 GSSAPI as our primary GSSAPI. lib/libgssapi was separate from Heimdal GSSAPI. This allowed us to install GSSAPI for use with other GSS providers not Kerberos. I don't think this holds true today. I'm willing to be convinced otherwise though.

this was my reasoning as well, but i've posted to arch@ just in case: https://lists.freebsd.org/archives/freebsd-arch/2025-August/000984.html

no one on arch@ has objected to this, so i'd like to move forward if possible - ideally we can land this for 15.0 as part of the MIT Kerberos switch.