Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 7 Mar 2014 22:48:44 GMT
From:      Benjamin Kaduk <bjk@freebsd.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/187358: security/pam_krb5 does not build against ports heimdal
Message-ID:  <201403072248.s27MmiQj064533@cgiserv.freebsd.org>
Resent-Message-ID: <201403072250.s27Mo0LS046695@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         187358
>Category:       ports
>Synopsis:       security/pam_krb5 does not build against ports heimdal
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 07 22:50:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Benjamin Kaduk
>Release:        9.2
>Organization:
MIT
>Environment:
[n/a; I am filing this report by proxy]
>Description:
security/pam_krb5 has logic to determine which krb5 implementation it will build against.  It can use either MIT krb5 or heimdal, but there is an added complication that heimdal can be found both in the base system and in ports (security/heimdal).  The heimdal in the base system in stable/8 and stable/9 is too old to support anonymous principals (for anonymous pkinit).  However, the configure logic for pam_krb5 does not handle this situation correctly, and attempts to build in FAST support that relies on anonymous principals, but pulls in the header files from the base system, which do not provide the necessary symbols for compilation.
A new upstream release of pam_krb5 would include a newer version of the rra-c-util m4 macros that would correctly handle this situation, but the current release of pam_krb5 has an old copy of rra-c-util without that functionality.
>How-To-Repeat:
Build security/pam_krb5 against security/heimdal on a 9.2 or older system.
>Fix:
I believe that it will be sufficient to pass in CONFIGURE_ARGS with CPPFLAGS=-I/usr/local/include and LDFLAGS=-L/usr/local/lib, but it is possible that further tweaks may be necessary.  Russ (the author of pam_krb5) tells me that it has logic to control whether to include <krb5.h> or <krb5/krb5.h>, and that may still result in broken behavior even with the CPPFLAGS forced.  In that case, config.h may need to be overridden. 

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403072248.s27MmiQj064533>