Remove MK_GSSAPI

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of Kerberos and is always built if MK_KERBEROS is enabled. Backport this behaviour to Heimdal so it works the same way. While here, change Heimdal's libcom_err and compile_et to be selected by MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos and third-party users might need it even if Kerberos support is disabled in the base system. This means MK_KERBEROS_SUPPORT installs the same files with both MIT and Heimdal. Reviewed by: cy Differential Revision: https://reviews.freebsd.org/D51859
2026-01-11 19:57:22 +00:00 · 2025-08-20 19:42:20 +01:00 · 2025-08-20 19:42:20 +01:00 · dc5ba6b8b4
commit dc5ba6b8b4
parent ba487345f8
20 changed files with 33 additions and 46 deletions
--- a/Makefile.inc1
+++ b/Makefile.inc1
@ -3387,7 +3387,7 @@ secure/lib/libssh__L: lib/libz__L secure/lib/libcrypto__L lib/libcrypt__L
 secure/lib/libssh__L: lib/libldns__L
 .endif

-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} != "no"
 secure/lib/libssh__L: krb5/lib/gssapi__L krb5/lib/krb5__L \
     krb5/lib/crypto__L krb5/util/et__L lib/libmd__L krb5/util/support__L
@ -3446,11 +3446,9 @@ kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__L kerberos5/lib/libheimbas

 lib/libsqlite3__L: lib/libthr__L

-.if ${MK_GSSAPI} != "no"
-.if ${MK_MITKRB5} == "no"
+.if ${MK_KERBEROS} != "no" && ${MK_MITKRB5} == "no"
 _lib_libgssapi=	lib/libgssapi
 .endif
-.endif

 .if ${MK_KERBEROS} != "no"
 .if ${MK_MITKRB5} != "no"
--- a/9
+++ b/9
@ -27,6 +27,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 15.x IS SLOW:
 	world, or to merely disable the most expensive debugging functionality
 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)

+20250820:
+	The WITHOUT_GSSAPI src.conf knob has been removed.  This was already
+	a no-op for MIT Kerberos, so this only affects builds which set
+	WITHOUT_MITKRB5=1, in which case you now always get libgssapi.
+
+	Also, Heimdal's compile_et and libcom_err are now controlled by
+	WITHOUT_KERBEROS, not WITHOUT_KERBEROS_SUPPORT.  This matches
+	the behaviour of the MIT Kerberos versions.
+
 20250820:
 	Commits 08c7dd2fbe4f and a4197ea47777 have changed the ABI between
 	libvmmapi and the vmm device. If using a custom kernel configuration,
--- a/include/Makefile
+++ b/include/Makefile
@ -293,7 +293,7 @@ LSUBSUBDIRS+=	netgraph/bluetooth/include
 LSUBDIRS+=	fs/cuse
 .endif

-.if ${MK_GSSAPI} != "no" && ${MK_MITKRB5} == "no"
+.if ${MK_KERBEROS} != "no" && ${MK_MITKRB5} == "no"
 SUBDIR+=	gssapi
 INCS+=		gssapi.h
 .endif
--- a/kerberos5/Makefile.inc
+++ b/kerberos5/Makefile.inc
@ -29,9 +29,7 @@ ETSRCS=	\
 	${KRB5DIR}/lib/wind/wind_err.et \
 	${KRB5DIR}/lib/ntlm/ntlm_err.et

-.if ${MK_GSSAPI} != "no"
 ETSRCS+=	${KRB5DIR}/lib/gssapi/krb5/gkrb5_err.et
-.endif

 .for ET in ${ETSRCS}
 .for _ET in ${ET:T:R}
--- a/kerberos5/lib/Makefile
+++ b/kerberos5/lib/Makefile
@ -7,10 +7,8 @@ SUBDIR=	libasn1 libhdb \
 SUBDIR+= libkafs5  # requires krb_err.h from libkrb5
 SUBDIR_DEPEND_libkafs5=	libkrb5

-.if ${MK_GSSAPI} != "no"
 SUBDIR+=	libgssapi_krb5
 SUBDIR+=	libgssapi_ntlm
 SUBDIR+=	libgssapi_spnego
-.endif

 .include <bsd.subdir.mk>
--- a/kerberos5/libexec/Makefile
+++ b/kerberos5/libexec/Makefile
@ -4,8 +4,6 @@ SUBDIR=	digest-service ipropd-master ipropd-slave hprop hpropd kdc \
 	kdigest kfd kimpersonate kpasswdd kcm
 SUBDIR_PARALLEL=

-.if ${MK_GSSAPI} != "no"
 SUBDIR+=	kadmind
-.endif

 .include <bsd.subdir.mk>
--- a/lib/Makefile
+++ b/lib/Makefile
@ -179,12 +179,12 @@ SUBDIR.${MK_FDT}+=	libfdt
 SUBDIR.${MK_FILE}+=	libmagic
 SUBDIR.${MK_GPIO}+=	libgpio
 .if ${MK_MITKRB5} == "no"
-SUBDIR.${MK_GSSAPI}+=	libgssapi
+SUBDIR.${MK_KERBEROS}+=	libgssapi
 .endif
-SUBDIR.${MK_GSSAPI}+=	librpcsec_gss
+SUBDIR.${MK_KERBEROS}+=	librpcsec_gss
 SUBDIR.${MK_ICONV}+=	libiconv_modules
 .if ${MK_MITKRB5} == "no"
-SUBDIR.${MK_KERBEROS_SUPPORT}+=	libcom_err
+SUBDIR.${MK_KERBEROS}+=	libcom_err
 .endif
 SUBDIR.${MK_LDNS}+=	libldns
 SUBDIR.${MK_STATS}+=	libstats
--- a/libexec/rc/rc.d/Makefile
+++ b/libexec/rc/rc.d/Makefile
@ -215,7 +215,7 @@ FTPD=		ftpd
 FTPDPACKAGE=	ftpd
 .endif

-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 CONFGROUPS+=	GSSD
 GSSD=		gssd
 GSSDPACKAGE=	gssd
--- a/secure/libexec/sshd-session/Makefile
+++ b/secure/libexec/sshd-session/Makefile
@ -38,7 +38,7 @@ LIBADD+= blacklist
 LDFLAGS+=-L${LIBBLACKLISTDIR}
 .endif

-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} != "no"
 LIBADD+=	gssapi_krb5 krb5
 .include "../../krb5/Makefile.inc"
--- a/secure/ssh.mk
+++ b/secure/ssh.mk
@ -9,12 +9,11 @@ SKSRCS=	ssh-sk-client.c

 CFLAGS+= -I${SSHDIR} -include ssh_namespace.h

-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -include krb5_config.h
 .if ${MK_MITKRB5} == "no"
 CFLAGS+= -DHEIMDAL=1
 .endif
-
 .endif

 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE:U/usr/local}/bin/xauth\"
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@ -17,7 +17,7 @@ SRCS+=	gss-genr.c

 LIBADD=	ssh

-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} == "no"
 LIBADD+=	gssapi
 .else
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@ -18,7 +18,7 @@ moduli: .MADE

 LIBADD=	ssh util

-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} == "no"
 LIBADD+=	gssapi_krb5 gssapi krb5
 .else
--- a/share/man/man5/src.conf.5
+++ b/share/man/man5/src.conf.5
@ -1,5 +1,5 @@
 .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman.
-.Dd August 19, 2025
+.Dd August 20, 2025
 .Dt SRC.CONF 5
 .Os
 .Sh NAME
@ -452,8 +452,6 @@ When set, it enforces these options:
 .It
 .Va WITHOUT_KERBEROS
 .It
-.Va WITHOUT_KERBEROS_SUPPORT
-.It
 .Va WITHOUT_LDNS
 .It
 .Va WITHOUT_LDNS_UTILS
@ -480,9 +478,9 @@ When set, it enforces these options:
 When set, these options are also in effect:
 .Pp
 .Bl -inset -compact
-.It Va WITHOUT_GSSAPI
+.It Va WITHOUT_KERBEROS_SUPPORT
 (unless
-.Va WITH_GSSAPI
+.Va WITH_KERBEROS_SUPPORT
 is set explicitly)
 .El
 .It Va WITH_CTF
@ -739,8 +737,6 @@ and dependent tests.
 Do not build
 .Xr gpioctl 8
 as part of the base system.
-.It Va WITHOUT_GSSAPI
-Do not build libgssapi.
 .It Va WITHOUT_HAST
 Do not build
 .Xr hastd 8
@ -840,14 +836,10 @@ Do not build
 and
 .Xr truss 1 .
 .It Va WITHOUT_KERBEROS
-Set this to not build Kerberos 5 (KTH Heimdal).
+Set this to not build Kerberos.
 When set, these options are also in effect:
 .Pp
 .Bl -inset -compact
-.It Va WITHOUT_GSSAPI
-(unless
-.Va WITH_GSSAPI
-is set explicitly)
 .It Va WITHOUT_KERBEROS_SUPPORT
 (unless
 .Va WITH_KERBEROS_SUPPORT
@ -1433,8 +1425,6 @@ When set, it enforces these options:
 .It
 .Va WITHOUT_KERBEROS
 .It
-.Va WITHOUT_KERBEROS_SUPPORT
-.It
 .Va WITHOUT_LDNS
 .It
 .Va WITHOUT_LDNS_UTILS
@ -1459,9 +1449,9 @@ When set, it enforces these options:
 When set, these options are also in effect:
 .Pp
 .Bl -inset -compact
-.It Va WITHOUT_GSSAPI
+.It Va WITHOUT_KERBEROS_SUPPORT
 (unless
-.Va WITH_GSSAPI
+.Va WITH_KERBEROS_SUPPORT
 is set explicitly)
 .El
 .It Va WITHOUT_OPENSSL_KTLS
--- a/share/mk/local.dirdeps.mk
+++ b/share/mk/local.dirdeps.mk
@ -185,7 +185,7 @@ C_DIRDEPS= \

 # libgcc is needed as well but is added later.

-.if ${MK_GSSAPI} != "no"
+.if ${MK_KERBEROS} != "no" && ${MK_MITKRB5} == "no"
 C_DIRDEPS+=  include/gssapi
 .endif

--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@ -508,7 +508,7 @@ MK_LOADER_VERIEXEC_PASS_MANIFEST := no
 # MK_* options whose default value depends on another option.
 #
 .for vv in \
-    GSSAPI/KERBEROS \
+    KERBEROS_SUPPORT/KERBEROS \
    MAN_UTILS/MAN
 .if defined(WITH_${vv:H})
 MK_${vv:H}:=	yes
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@ -2262,13 +2262,13 @@ OLD_FILES+=usr/share/man/man3/gpio_pin_tristate.3.gz
 OLD_FILES+=usr/share/man/man8/gpioctl.8.gz
 .endif

-.if ${MK_GSSAPI} == "no" || ${MK_KERBEROS_SUPPORT} == "no"
+.if ${MK_KERBEROS_SUPPORT} == "no"
 OLD_FILES+=etc/rc.d/gssd
 OLD_FILES+=usr/sbin/gssd
 OLD_FILES+=usr/share/man/man8/gssd.8.gz
 .endif

-.if ${MK_GSSAPI} == no
+.if ${MK_KERBEROS} == no
 OLD_FILES+=usr/include/gssapi/gssapi.h
 OLD_DIRS+=usr/include/gssapi
 OLD_FILES+=usr/include/gssapi.h
--- a/tools/build/options/WITHOUT_GSSAPI
+++ b/tools/build/options/WITHOUT_GSSAPI
@ -1 +0,0 @@
-Do not build libgssapi.
--- a/tools/build/options/WITHOUT_KERBEROS
+++ b/tools/build/options/WITHOUT_KERBEROS
@ -1 +1 @@
-Set this to not build Kerberos 5 (KTH Heimdal).
+Set this to not build Kerberos.
--- a/usr.bin/Makefile
+++ b/usr.bin/Makefile
@ -219,7 +219,7 @@ SUBDIR.${MK_ISCSI}+=	iscsictl
 SUBDIR.${MK_KDUMP}+=	kdump
 SUBDIR.${MK_KDUMP}+=	truss
 .if ${MK_MITKRB5} == "no"
-SUBDIR.${MK_KERBEROS_SUPPORT}+=	compile_et
+SUBDIR.${MK_KERBEROS}+=	compile_et
 .endif
 SUBDIR.${MK_LDNS_UTILS}+=	drill
 SUBDIR.${MK_LDNS_UTILS}+=	host
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@ -139,9 +139,7 @@ SUBDIR.${MK_FLOPPY}+=	fdformat
 SUBDIR.${MK_FLOPPY}+=	fdread
 SUBDIR.${MK_FLOPPY}+=	fdwrite
 SUBDIR.${MK_FREEBSD_UPDATE}+=	freebsd-update
-.if ${MK_KERBEROS_SUPPORT} != "no"
-SUBDIR.${MK_GSSAPI}+=	gssd
-.endif
+SUBDIR.${MK_KERBEROS_SUPPORT}+=	gssd
 SUBDIR.${MK_GPIO}+=	gpioctl
 SUBDIR.${MK_HYPERV}+=	hyperv
 SUBDIR.${MK_INET6}+=	ip6addrctl