Return-Path: linux-nfs-owner@vger.kernel.org
Received: from userp1040.oracle.com ([156.151.31.81]:32274 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932311Ab3LDSPR convert rfc822-to-8bit (ORCPT ); Wed, 4 Dec 2013 13:15:17 -0500
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Subject: Re: librpcsecgss: FTBFS on GNU/kFreeBSD
From: Chuck Lever
In-Reply-To: <1021B36D-17B9-477F-A8AE-86D6A7750B80@gmail.com>
Date: Wed, 4 Dec 2013 13:14:47 -0500
Cc: Christoph Hellwig, Jim Rees, Linux NFS Mailing List
Message-Id: <09856BCA-A255-4975-8144-D38775DC44A8@oracle.com>
References: <20090703133142.14887.33854.reportbug@localhost.localdomain> <20131124051904.GA16651@master.debian.org> <20131124090924.GA29659@infradead.org> <20131124130753.GA15178@umich.edu> <20131204131317.GA7776@infradead.org> <108D7BCB-5869-45BB-A287-C6593257F193@oracle.com> <1021B36D-17B9-477F-A8AE-86D6A7750B80@gmail.com>
To: Trond Myklebust
Sender: linux-nfs-owner@vger.kernel.org
List-ID:

On Dec 4, 2013, at 12:53 PM, Trond Myklebust wrote:

> On Dec 4, 2013, at 12:14, Chuck Lever wrote:
>
>> On Dec 4, 2013, at 8:13 AM, Christoph Hellwig wrote:
>>
>>> Btw, looks like librpcsecgss is indeed pretty much unmaintained. The
>>> last upstream release is a tarball drop from CITI in 2009 and there
>>> doesn't appear to be a source repository of any kind.
>>>
>>> I think the best idea would be to merge it into the libtirpc repo,
>>> as both the heritage and usage of the codebases is the same.
>>
>> Comparing what's packaged in nfs-utils-lib and what's in libtirpc: it appears libtirpc already has librpcsecgss.
>
> It does? AFAICS a freshly cloned copy of libtirpc only contains the prehistoric krb4/DES implementation. I see no GSS library.

I pulled from:

git://git.infradead.org/~steved/libtirpc.git

Yes, there's AUTH_DES support in libtirpc, and who knows if our implementation works. But I'm looking at tirpc/rpc/auth_gss.h. Both libraries provide roughly the same API. And I'm able to build a working GSS-enabled version of rpc.fedfsd and clients.

"git log" tells me src/auth_gss.c and tirpc/rpc/auth_gss.h have been in libtirpc since at least 0.1.7.

libtirpc applications currently have to link explicitly with libgssapi_krb5 (provided by MIT Kerberos), AFAICT, to get GSS support.

I'd like to add support in libtirpc for dynamically loading libgssapi_krb5 when it is needed. Then applications would need only invoke rpc_gss_*() (or the legacy authgss_*() equivalent) to get RPCSECGSS, if libgssapi_krb5 is already installed on their system.

> I thought the reason why we deprecated librpcsecgss was that the MIT Kerberos libraries now have the equivalent hooks.

My understanding:

MIT Kerberos provides libgssapi_krb5.

libtirpc provides the RPCSEC APIs based on the Kerberos v5 mechanism provided in libgssapi_krb5.

librpcsecgss provides RPCSEC APIs based on the GSSAPI Kerberos v5 mechanism provided in libgssglue, which is deprecated.

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
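
The dynamic-loading idea in the message above, sketched as an added example; it is not libtirpc code and not from anyone in the thread. `struct gss_ops` and `gss_ops_load()` are hypothetical names, the soname `libgssapi_krb5.so.2` is an assumption about the installed MIT Kerberos package, and the table is filled without locking (a library would guard first use, for example with `pthread_once`).

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

#define GSS_SONAME "libgssapi_krb5.so.2"   /* assumed MIT Kerberos soname */
#define GSS_NSYMS  4

/* GSS-API entry points an RPCSEC_GSS layer needs; order matches gss_ops.fn[]. */
static const char *const gss_syms[GSS_NSYMS] = {
    "gss_init_sec_context", "gss_get_mic",
    "gss_verify_mic", "gss_delete_sec_context",
};

struct gss_ops {              /* hypothetical table, not a libtirpc type */
    void *handle;             /* dlopen() handle, NULL when GSS is unavailable */
    void *fn[GSS_NSYMS];      /* resolved symbols, cast to real types before use */
};

/* Load the GSS mechanism library on first use. Returns 0 on success,
 * -1 if the library or any required symbol is missing (table left zeroed). */
int gss_ops_load(struct gss_ops *ops, const char *soname)
{
    memset(ops, 0, sizeof(*ops));
    /* A name containing '/' is opened as a path, so a relative name could
     * load a library from the current directory; accept bare sonames only. */
    if (soname == NULL || strchr(soname, '/') != NULL)
        return -1;
    void *h = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return -1;
    for (int i = 0; i < GSS_NSYMS; i++) {
        ops->fn[i] = dlsym(h, gss_syms[i]);
        if (ops->fn[i] == NULL) {     /* all or nothing: no half-filled table */
            dlclose(h);
            memset(ops, 0, sizeof(*ops));
            return -1;
        }
    }
    ops->handle = h;
    return 0;
}

int main(void)
{
    struct gss_ops ops;
    if (gss_ops_load(&ops, GSS_SONAME) == 0)
        puts("GSS available: RPCSEC_GSS can be offered");
    else
        puts("GSS unavailable: rpc_gss_* calls should return an error");
    return 0;
}
```

On glibc older than 2.34 this links with `-ldl`. A caller that gets -1 should fail the RPCSEC_GSS request rather than quietly continue with a weaker flavor.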