From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Mar 7 22:50:00 2014
Return-Path:
Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 84CAD288 for ; Fri, 7 Mar 2014 22:50:00 +0000 (UTC)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 61463908 for ; Fri, 7 Mar 2014 22:50:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s27Mo0xI046696 for ; Fri, 7 Mar 2014 22:50:00 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s27Mo0LS046695; Fri, 7 Mar 2014 22:50:00 GMT (envelope-from gnats)
Resent-Date: Fri, 7 Mar 2014 22:50:00 GMT
Resent-Message-Id: <201403072250.s27Mo0LS046695@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Benjamin Kaduk
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EA947265 for ; Fri, 7 Mar 2014 22:48:44 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id D71188F8 for ; Fri, 7 Mar 2014 22:48:44 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6]) by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s27MmiED064534 for ; Fri, 7 Mar 2014 22:48:44 GMT (envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost) by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s27MmiQj064533; Fri, 7 Mar 2014 22:48:44 GMT (envelope-from nobody)
Message-Id: <201403072248.s27MmiQj064533@cgiserv.freebsd.org>
Date: Fri, 7 Mar 2014 22:48:44 GMT
From: Benjamin Kaduk
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: ports/187358: security/pam_krb5 does not build against ports heimdal
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 07 Mar 2014 22:50:00 -0000

>Number: 187358
>Category: ports
>Synopsis: security/pam_krb5 does not build against ports heimdal
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Mar 07 22:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Benjamin Kaduk
>Release: 9.2
>Organization: MIT
>Environment:
[n/a; I am filing this report by proxy]
>Description:
security/pam_krb5 has logic to determine which krb5 implementation it will build against. It can use either MIT krb5 or heimdal, but there is an added complication that heimdal can be found both in the base system and in ports (security/heimdal). The heimdal in the base system in stable/8 and stable/9 is too old to support anonymous principals (for anonymous pkinit). However, the configure logic for pam_krb5 does not handle this situation correctly, and attempts to build in FAST support that relies on anonymous principals, but pulls in the header files from the base system, which do not provide the necessary symbols for compilation.
A new upstream release of pam_krb5 would include a newer version of the rra-c-util m4 macros that would correctly handle this situation, but the current release of pam_krb5 has an old copy of rra-c-util without that functionality.
>How-To-Repeat:
Build security/pam_krb5 against security/heimdal on a 9.2 or older system.
>Fix:
I believe that it will be sufficient to pass in CONFIGURE_ARGS with CPPFLAGS=-I/usr/local/include and LDFLAGS=-L/usr/local/lib, but it is possible that further tweaks may be necessary. Russ (the author of pam_krb5) tells me that it has logic to control whether to include or , and that may still result in broken behavior even with the CPPFLAGS forced. In that case, config.h may need to be overridden.
>Release-Note:
>Audit-Trail:
>Unformatted: