freebsd9: support both WAF MIT krb5 build and autoconf build against MIT krb5

Andrew Bartlett abartlet at samba.org
Mon May 28 15:55:58 MDT 2012


On Mon, 2012-05-28 at 23:41 +0200, Alexander Bokovoy wrote:
> The branch, master has been updated
>        via  27503ce freebsd9: support both WAF MIT krb5 build and autoconf build against MIT krb5
>       from  e4c59a6 s4:ntvfs/ipc: fix protocol specific processing of pipe names
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 27503cea09f207be23679162e9570ef40ee7fe61
> Author: Alexander Bokovoy <ab at samba.org>
> Date:   Mon May 28 19:03:00 2012 +0300
> 
>     freebsd9: support both WAF MIT krb5 build and autoconf build against MIT krb5
>     
>     System-provided Heimdal Kerberos in FreeBSD 9 lacks proper support for parsing MS PAC.
>     This leaves us with MIT krb5 package from ports or embedded Heimdal in source4.
>     MIT krb5 from ports is 1.9.2, it supports all needed features for AD support in smbd,
>     as well as WAF MIT krb5 build. In order to use it, one needs to install 'krb5' package.
>     
>     Autoconf build:
>       --with-krb5=/usr/local
>     
>     WAF build:
>       --with-system-mitkrb5 /usr/local
>     
>     or otherwise krb5-config from system Heimdal will overtake and break the detection, leaving
>     you with a mixture of Kerberos libraries from different locations.
>     
>     WAF build accepts multiple paths as sub-arguments of the --with-system-mitkrb5 and searches
>     through them for krb5-config, i.e. /usr/local /usr/kerberos ...
>     
>     Autobuild-User: Alexander Bokovoy <ab at samba.org>
>     Autobuild-Date: Mon May 28 23:40:30 CEST 2012 on sn-devel-104

Alexander,

Thanks for doing this, this will be very useful in a number of
situations.  

However, I've also been thinking about this, and I think there may be
something more to it, as the Heimdal PAC parsing and verification has
been around since well before 1.0.  The trouble is that it is done
'under the hood' and so it is hard to prove that it is done at compile
time.  The check I added (gsskrb5_extract_authz_data_from_sec_context)
to 'detect' it might be subtly wrong somehow. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
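
The prefix search described in the commit message, as an added example (not part of the original mail and not Samba's WAF code): walk the candidate prefixes for krb5-config, accept only one whose `--vendor` output is the MIT string, and check that its include and library paths stay under one prefix. The function names and the stub krb5-config scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Samba's WAF code; function names are hypothetical.
MIT_VENDOR="Massachusetts Institute of Technology"

# Print the first <prefix>/bin/krb5-config whose --vendor is MIT; return 1 if none.
find_mit_krb5_config() {
    for prefix in "$@"; do
        cfg="$prefix/bin/krb5-config"
        [ -x "$cfg" ] || continue
        vendor=$("$cfg" --vendor 2>/dev/null) || continue
        if [ "$vendor" = "$MIT_VENDOR" ]; then
            printf '%s\n' "$cfg"
            return 0
        fi
    done
    return 1
}

# Succeed only if every -I/-L path the script reports lies under <prefix>.
flags_within_prefix() {
    cfg=$1 prefix=$2
    for flag in $("$cfg" --cflags 2>/dev/null) $("$cfg" --libs 2>/dev/null); do
        case $flag in
            -I"$prefix"/*|-L"$prefix"/*) ;;   # same installation
            -I*|-L*) return 1 ;;              # path from another location
        esac
    done
    return 0
}

# Constructed stand-in for krb5-config: make_stub <prefix> <vendor> <libdir>
make_stub() {
    mkdir -p "$1/bin"
    cat > "$1/bin/krb5-config" <<EOF
#!/bin/sh
case \$1 in
    --vendor) echo "$2" ;;
    --cflags) echo "-I$1/include" ;;
    --libs)   echo "-L$3 -lkrb5 -lk5crypto -lcom_err" ;;
esac
EOF
    chmod +x "$1/bin/krb5-config"
}

# Demo on constructed stubs: a Heimdal script listed first, an MIT one second.
demo_root=$(mktemp -d)
make_stub "$demo_root/sys" "Heimdal" "$demo_root/sys/lib"
make_stub "$demo_root/local" "$MIT_VENDOR" "$demo_root/local/lib"
find_mit_krb5_config "$demo_root/sys" "$demo_root/local"
rm -rf "$demo_root"
```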


