| Message ID | 1364317202.2660.132.camel@willson.li.ssimo.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Simo Sorce <simo@...> writes: > > Libgssglue is not really useful anymore, it is a sort of middleman that > wraps the actual GSSAPI that is already pluggable/extensible via shared > modules. > > In particular libgssglue interferes with the workings of gss-proxy in my > case. > > The attached patch makes building against libgssglue optional and > defaults to not build against libgssglue and instead builds directly > against the native GSSAPI. > I have tried your patch with my Heimdal setup and it would not build properly with it. I can augment my patch to make use of your changes. Would you be willing to consider it? -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
CC-ing Simo since he is not on this mailing list... On 27/03/13 10:43, Alex Dubov wrote: > Simo Sorce <simo@...> writes: > >> >> Libgssglue is not really useful anymore, it is a sort of middleman that >> wraps the actual GSSAPI that is already pluggable/extensible via shared >> modules. >> >> In particular libgssglue interferes with the workings of gss-proxy in my >> case. >> >> The attached patch makes building against libgssglue optional and >> defaults to not build against libgssglue and instead builds directly >> against the native GSSAPI. >> > > I have tried your patch with my Heimdal setup and it would not build properly > with it. > > I can augment my patch to make use of your changes. Would you be willing to > consider it? > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 26/03/13 13:00, Simo Sorce wrote: > Libgssglue is not really useful anymore, it is a sort of middleman that > wraps the actual GSSAPI that is already pluggable/extensible via shared > modules. > > In particular libgssglue interferes with the workings of gss-proxy in my > case. > > The attached patch makes building against libgssglue optional and > defaults to not build against libgssglue and instead builds directly > against the native GSSAPI. > > ./configure --enable-gss > will now build against GSSAPI > > ./configure --enable-gss --with-gssglue > will keep building against libgssglue in case someone still needs it for > whatever reason. Committed... steved. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 27/03/13 10:43, Alex Dubov wrote: > Simo Sorce <simo@...> writes: > >> >> Libgssglue is not really useful anymore, it is a sort of middleman that >> wraps the actual GSSAPI that is already pluggable/extensible via shared >> modules. >> >> In particular libgssglue interferes with the workings of gss-proxy in my >> case. >> >> The attached patch makes building against libgssglue optional and >> defaults to not build against libgssglue and instead builds directly >> against the native GSSAPI. >> > > I have tried your patch with my Heimdal setup and it would not build properly > with it. > > I can augment my patch to make use of your changes. Would you be willing to > consider it? I when ahead and took Simo's patches but I would like to continue to work with on get your Heimdal build working again... What exactly broke? steved. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi, >> >> I can augment my patch to make use of your changes. Would you be willing to >> consider it? > I when ahead and took Simo's patches but I would like to continue to work > with on get your Heimdal build working again... What exactly broke? > I thought you were CCed of follow up messages as well. Basically, Simo's patches fix most of the problems with building on Heimdal (these problems came from libgssglue direction). Only 3 problems remained, which I addressed in the follow-up patch: > 1. On some systems, only libroken.so is available (small fix to kerberos5.m4) > > 2. krb5_util.c:check_for_target - Heimdal variant constructs a "pattern" > principal and uses krb5_cc_retrieve_cred to get a matching credential. > This should work on mit-krb5, so old method of iterating over every > credential in cache may possibly be dropped outright and "#$if" guard > omitted. > For the sake of the above I reformatted the old approach to make it a bit > more clear what's going on there. > > 3. krb5_util.c:gssd_k5_err_msg - krb5_get_err_text is marked as deprecated, > at least on Heimdal. If krb5_get_error_message is available, it should not > be reached at all, thus "#elif" guard. Per issue 2, Simo told me he's going to look at it himself, with a view to remove "#if" branching altogether (present code at that location is mit-krb5 implementation specific). Issue 3 is somewhat not clear to me: should krb5_get_err_text stay at all? It's deprecated on Heimdal and apparently is not supported on mit-krb5 at all. Which other kerberos libraries may need to be supported by the code? -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From 34ce971b090b50b0f6a18754f106ad8d2e90e9e2 Mon Sep 17 00:00:00 2001 From: Simo Sorce <simo@redhat.com> Date: Tue, 26 Mar 2013 11:11:41 -0400 Subject: [PATCH 3/3] Switch to use standard GSSAPI by default Make libgssglue configurable still but disabled by default. There is no reason to use libgssglue anymore, and modern gssapi supports all needed features for nfs-utils. Signed-off-by: Simo Sorce <simo@redhat.com> --- aclocal/kerberos5.m4 | 4 ++++ aclocal/rpcsec_vers.m4 | 7 ++++++- configure.ac | 9 +++++++++ utils/gssd/Makefile.am | 12 ++++++------ 4 files changed, 25 insertions(+), 7 deletions(-) diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4 index ef37e28a11cad7552074b99a7805cd16b227cec8..0bf35d3fddb57a0b977a87f90063cf4500ce377d 100644 --- a/aclocal/kerberos5.m4 +++ b/aclocal/kerberos5.m4 @@ -32,6 +32,8 @@ AC_DEFUN([AC_KERBEROS_V5],[ if test "$K5CONFIG" != ""; then KRBCFLAGS=`$K5CONFIG --cflags` KRBLIBS=`$K5CONFIG --libs` + GSSKRB_CFLAGS=`$K5CONFIG --cflags gssapi` + GSSKRB_LIBS=`$K5CONFIG --libs gssapi` K5VERS=`$K5CONFIG --version | head -n 1 | awk '{split($(4),v,"."); if (v@<:@"3"@:>@ == "") v@<:@"3"@:>@ = "0"; print v@<:@"1"@:>@v@<:@"2"@:>@v@<:@"3"@:>@ }'` AC_DEFINE_UNQUOTED(KRB5_VERSION, $K5VERS, [Define this as the Kerberos version number]) if test -f $dir/include/gssapi/gssapi_krb5.h -a \ @@ -113,5 +115,7 @@ AC_DEFUN([AC_KERBEROS_V5],[ AC_SUBST([KRBCFLAGS]) AC_SUBST([KRBLDFLAGS]) AC_SUBST([K5VERS]) + AC_SUBST([GSSKRB_CFLAGS]) + AC_SUBST([GSSKRB_LIBS]) ]) diff --git a/aclocal/rpcsec_vers.m4 b/aclocal/rpcsec_vers.m4 index 8218372ceaeef3591a064c5bd906fffade0cd578..11d2f18cb241c51c31c5921a342e5ec935e7de84 100644 --- a/aclocal/rpcsec_vers.m4 +++ b/aclocal/rpcsec_vers.m4 @@ -1,7 +1,12 @@ dnl Checks librpcsec version AC_DEFUN([AC_RPCSEC_VERSION], [ - PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3]) + AC_ARG_WITH([gssglue], + [AC_HELP_STRING([--with-gssglue], [Use libgssglue for GSS support])]) + if test x"$with_gssglue" = x"yes"; then + PKG_CHECK_MODULES([GSSGLUE], [libgssglue >= 0.3]) + AC_CHECK_LIB([gssglue], [gss_set_allowable_enctypes]) + fi dnl TI-RPC replaces librpcsecgss if test "$enable_tirpc" = no; then diff --git a/configure.ac b/configure.ac index cc7f3b4b4933c218d2e4cab7369ba5c1afc4e4d7..3d7ab0a2669d33c3cece1844b7eb53f2c1e3f68a 100644 --- a/configure.ac +++ b/configure.ac @@ -344,6 +344,15 @@ if test "$enable_gss" = yes; then dnl but we need to make sure we get the right version if test "$enable_gss" = yes; then AC_RPCSEC_VERSION + if test x"$GSSGLUE_LIBS" != x""; then + GSSAPI_CFLAGS=$GSSGLUE_CFLAGS + GSSAPI_LIBS=$GSSGLUE_LIBS + else + GSSAPI_CFLAGS=$GSSKRB_CFLAGS + GSSAPI_LIBS=$GSSKRB_LIBS + fi + AC_SUBST([GSSAPI_CFLAGS]) + AC_SUBST([GSSAPI_LIBS]) fi fi diff --git a/utils/gssd/Makefile.am b/utils/gssd/Makefile.am index 2365704c5db9b15d17f42b75adcb17f07f7e216f..a300da2b042baf9b14b77899d6419461a2e615d5 100644 --- a/utils/gssd/Makefile.am +++ b/utils/gssd/Makefile.am @@ -38,11 +38,11 @@ gssd_SOURCES = \ write_bytes.h gssd_LDADD = ../../support/nfs/libnfs.a \ - $(RPCSECGSS_LIBS) $(GSSGLUE_LIBS) $(KRBLIBS) + $(RPCSECGSS_LIBS) $(KRBLIBS) $(GSSAPI_LIBS) gssd_LDFLAGS = $(KRBLDFLAGS) $(LIBTIRPC) gssd_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \ - $(RPCSECGSS_CFLAGS) $(GSSGLUE_CFLAGS) $(KRBCFLAGS) + $(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS) svcgssd_SOURCES = \ $(COMMON_SRCS) \ @@ -57,18 +57,18 @@ svcgssd_SOURCES = \ svcgssd_LDADD = \ ../../support/nfs/libnfs.a \ - $(RPCSECGSS_LIBS) $(GSSGLUE_LIBS) $(LIBNFSIDMAP) \ - $(KRBLIBS) $(LIBTIRPC) + $(RPCSECGSS_LIBS) $(LIBNFSIDMAP) \ + $(KRBLIBS) $(GSSAPI_LIBS) $(LIBTIRPC) svcgssd_LDFLAGS = $(KRBLDFLAGS) svcgssd_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \ - $(RPCSECGSS_CFLAGS) $(GSSGLUE_CFLAGS) $(KRBCFLAGS) + $(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS) gss_clnt_send_err_SOURCES = gss_clnt_send_err.c gss_clnt_send_err_CFLAGS = $(AM_CFLAGS) $(CFLAGS) \ - $(RPCSECGSS_CFLAGS) $(GSSGLUE_CFLAGS) $(KRBCFLAGS) + $(RPCSECGSS_CFLAGS) $(KRBCFLAGS) $(GSSAPI_CFLAGS) MAINTAINERCLEANFILES = Makefile.in -- 1.8.1.4