# GSSAPI preventing build of ports



## jonfr (Dec 2, 2016)

This affects more than one port that I'm trying to upgrade. The problem is connected to Samba 4.4 (latest version) and security/p5-GSSAPI.

I've tested several things in an attempt to resolve this issue, but I haven't had any luck in resolving this.

The error is this and it prevents the build from happening. I'm running this FreeBSD version at the moment.


```
uname -a
FreeBSD saturn.net303.net 10.3-RELEASE-p11 FreeBSD 10.3-RELEASE-p11 #0: Mon Oct 24 18:49:24 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```


```
===>>> Returning to dependency check for security/p5-GSSAPI
===>>> Dependency check complete for security/p5-GSSAPI

===>>> p5-GSSAPI-0.28_1 1/5

===>  Cleaning for p5-GSSAPI-0.28_1
===>  p5-GSSAPI-0.28_1 You are using OpenSSL from ports and have selected
GSSAPI from base, please select another GSSAPI value.
*** Error code 1

Stop.
make: stopped in /usr/ports/security/p5-GSSAPI
```

I currently have this in make.conf in accordance with information that I found.


```
WITH_OPENSSL_PORT=YES
OPENSSL_PORT=security/libressl
OPTIONS_UNSET= GSSAPI_BASE
OPTIONS_SET=   GSSAPI_MIT
```

For samba I get this error.


```
===>  samba44-4.4.5_1 cannot install: unknown OpenLDAP version: Shared object
"libssl.so.38" not found, required by "ldapwhoami".
*** Error code 1
```

Any solution or a workaround is welcomed. I don't know why this error happened since it should not have happened. Thanks for the help.


----------



## SirDice (Dec 2, 2016)

You need to select HEIMDAL or MIT in security/p5-GSSAPI. The default is BASE and this cannot be used in combination with OpenSSL or LibreSSL from ports.


```
WITH_OPENSSL_PORT=YES
OPENSSL_PORT=security/libressl
```
This is wrong now. If you want LibreSSL this is the correct way to set it:

```
DEFAULT_VERSIONS+= ssl=libressl
```

This is bad too:

```
OPTIONS_UNSET= GSSAPI_BASE
OPTIONS_SET=   GSSAPI_MIT
```
This will unset any previously set options. This is better:

```
OPTIONS_UNSET+= GSSAPI_BASE
OPTIONS_SET+=   GSSAPI_MIT
```

When you change the SSL options it's best to rebuild everything in order to get the dependencies straightened out. I highly recommend ports-mgmt/poudriere or ports-mgmt/synth if you're in the habit of changing options.


----------



## jonfr (Dec 2, 2016)

I think I have solved this issue. After some minor digging I found the issue was in net/openldap24-client. The solution is to disable everything with `make config` and do a reinstall. Samba is currently installing without the earlier error message. I guess other packages are going to install properly now (I hope).


----------



## SirDice (Dec 2, 2016)

The problem was probably caused by switching from OpenSSL to LibreSSL. The OpenLDAP client probably depended on OpenSSL; installing LibreSSL would remove the OpenSSL libraries. This is why I recommended rebuilding everything.


----------



## jonfr (Dec 2, 2016)

SirDice - Thanks. I've commented out the older options and updated make.conf to the newest version. I don't update this server often since I like to keep things stable, but updates are required once in a while due to security issues for a networked computer. At the moment everything is compiling as it should (see earlier post). I think this is mostly resolved, unless there is some command or package that needs updating or replacing. I don't know what is the ssl default (OpenSSL or LibreSSL) on FreeBSD now.


----------



## SirDice (Dec 2, 2016)

The default setting uses OpenSSL from the base. If you switched afterwards to LibreSSL you may still have a few ports depending on the wrong SSL libraries.


----------
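Added example (not part of any post in this thread): a shell filter for the stale-linkage problem SirDice describes above, where ports built against one SSL library are left behind after a switch to another. It reads `ldd` output and classifies each binary by where its libssl/libcrypto resolve; the function names and the sample `ldd` text are constructed for illustration, and `/usr/local/` is assumed to be the ports prefix.

```shell
#!/bin/sh
# Added example: classify binaries by where libssl/libcrypto resolve.
# Input: ldd output on stdin. Output: "<binary> <status> <libs>" where
#   missing = a required SSL library is not found (binary will not start)
#   mixed   = SSL libraries resolve from both base and the ports prefix
#   ports   = all resolve under /usr/local/ (assumed ports prefix)
#   base    = all resolve outside /usr/local/
#   none    = no libssl/libcrypto dependency
audit_ssl_links() {
    awk '
    function emit() {
        if (bin == "") return
        if (missing)            status = "missing"
        else if (base && ports) status = "mixed"
        else if (ports)         status = "ports"
        else if (base)          status = "base"
        else                    status = "none"
        printf "%s %s %s\n", bin, status, (libs == "" ? "-" : libs)
    }
    # Section header printed by ldd for each object: "/path/to/binary:"
    /^\/.*:$/ { emit(); bin = substr($0, 1, length($0) - 1)
                base = ports = missing = 0; libs = ""; next }
    # Only libssl / libcrypto dependency lines are of interest
    $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
        if (bin == "") bin = "(unnamed)"   # ldd output without a header
        libs = libs (libs == "" ? "" : ",") $1
        if ($3 == "not" && $4 == "found")       missing = 1
        else if (index($3, "/usr/local/") == 1) ports = 1
        else                                    base = 1
    }
    END { emit() }'
}

# Keep only the binaries that need a rebuild.
ssl_link_problems() {
    audit_ssl_links | awk '$2 == "missing" || $2 == "mixed"'
}

# Constructed sample input; library versions other than libssl.so.38
# (quoted in the thread) are made up.
sample_ldd() {
cat <<'EOF'
/usr/local/bin/ldapwhoami:
	libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x800822000)
	libssl.so.38 => not found (0)
	libcrypto.so.37 => not found (0)
	libc.so.7 => /lib/libc.so.7 (0x801000000)
/usr/local/bin/curl:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.38 => /usr/local/lib/libcrypto.so.38 (0x800c00000)
/usr/local/sbin/nginx:
	libssl.so.39 => /usr/local/lib/libssl.so.39 (0x800a00000)
	libcrypto.so.38 => /usr/local/lib/libcrypto.so.38 (0x800c00000)
EOF
}

# On a real system: ldd /usr/local/bin/* 2>/dev/null | ssl_link_problems
sample_ldd | audit_ssl_links
```

Every binary reported as `missing` or `mixed` belongs to a port that still has to be rebuilt against the selected SSL library.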



## jonfr (Dec 2, 2016)

SirDice said:


> The default setting uses OpenSSL from the base. If you switched afterwards to LibreSSL you may still have a few ports depending on the wrong SSL libraries.



Then I will just switch back to OpenSSL and revert the builds as I go along. The command for that should be (if I remember correctly) `portmaster -r openssl`, once I have updated make.conf to the new defaults. I switched because at some point the default was libressl (or something along that line). I don't know why that happened.


----------



## SirDice (Dec 2, 2016)

Note that there are two versions of OpenSSL (three if you include the development version): there's one included with the base OS and one in the ports tree. The portmaster(8) command only deals with the port OpenSSL.

If you have a couple of servers to maintain I highly recommend setting up your own repository. That way you can more easily change the defaults but still benefit from using packages. Even if you only have one server to maintain it can be advantageous. By keeping everything neatly in your own repository it'll be easy to update or reinstall things. You also will have more control over when and what to update.


----------



## jonfr (Dec 2, 2016)

I have just one server to maintain at the moment. But the GSSAPI error has returned among several other errors connected to the switch back to OpenSSL.


----------



## kpa (Dec 2, 2016)

jonfr said:


> I have just one server to maintain at the moment. But the GSSAPI error has returned among several other errors connected to the switch back to OpenSSL.



Even so, you're much better off building your own packages with a package builder; portmaster is very bad at handling large-scale changes such as replacing OpenSSL with LibreSSL for every port and vice versa.


----------



## jonfr (Dec 2, 2016)

I found the final problem (as was told above, but I didn't notice). security/p5-GSSAPI has been set at GSSAPI_HEIMDAL. I've also updated my make.conf to this setting to avoid conflicts in the system.


----------



## jonfr (Dec 2, 2016)

kpa said:


> Even so, you're much better off building your own packages with a package builder; portmaster is very bad at handling large-scale changes such as replacing OpenSSL with LibreSSL for every port and vice versa.


This set-up is not that complicated and it just runs a few things. If I run into problems (happens every update) I just solve them or work around them. I'm way too lazy to set up my own binary builds for this server.


----------



## chrbr (Dec 2, 2016)

jonfr said:


> I'm way too lazy to set up my own binary builds for this server.


This is less complicated than the workarounds. Thread 38859 and the handbook are enough for the setup of ports-mgmt/poudriere. From the discussions in this forum ports-mgmt/synth is easy to configure, too.


----------



## Remington (Dec 2, 2016)

Add this to your /etc/make.conf


```
DEFAULT_VERSIONS          += ssl=libressl

# LibreSSL doesn't work with GSSAPI_BASE
security_p5-GSSAPI_SET     = GSSAPI_MIT
OPTIONS_UNSET             += GSSAPI_BASE
OPTIONS_SET               += GSSAPI_NONE
```


----------



## jonfr (Dec 2, 2016)

My system has far deeper errors and failures than just this problem, so I'm doing a complete re-install of it. I don't know what happened, but something clearly did, resulting in this mess (not just this port, but a lot of other ports that are no longer working properly).


----------



## Remington (Dec 2, 2016)

I would suggest you start using ports-mgmt/poudriere or ports-mgmt/synth so you can build clean packages with the options above. I don't use the official package repository anymore; instead I build all the required packages for my servers. That will save you a lot of headaches. Also, it has better mechanisms for detecting problems during build, unlike portmaster.

You can delete all the installed packages and re-install with your own built packages. Config files won't be deleted.


----------



## jonfr (Dec 4, 2016)

After two tries to make this work, I continue to get this error when I try to compile net/samba44. I know this is connected to this bug in the Samba code. I have disabled gssapi with make.conf and this is a completely clean install that I'm running at the moment (I started from scratch again in an attempt to resolve this problem). Since I know this error also affects net/samba43, I'm going to try net/samba42, since using net/samba36 is no longer an option. Any ideas on how to work around this problem are welcomed. Thanks.


```
[ 675/3806] Compiling lib/addns/dnsrecord.c
runner cc -O2 -pipe -fno-omit-frame-pointer -DLIBICONV_PLUG -fno-color-diagnostics -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing -fPIC -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DSTATIC_addns_MODULES=NULL -DSTATIC_addns_MODULES_PROTO=extern void __addns_dummy_module_proto(void) -MD -I/usr/local/include -DLIBICONV_PLUG -Idefault/lib/addns -I../lib/addns -Idefault/include/public -I../include/public -Idefault/source4 -I../source4 -Idefault/lib -I../lib -Idefault/source4/lib -I../source4/lib -Idefault/source4/include -I../source4/include -Idefault/include -I../include -Idefault/lib/replace -I../lib/replace -Idefault -I.. -Idefault/source4/heimdal/lib/krb5 -I../source4/heimdal/lib/krb5 -Idefault/source4/heimdal/lib/asn1 -I../source4/heimdal/lib/asn1 -Idefault/source4/heimdal/include -I../source4/heimdal/include -Idefault/source4/heimdal_build -I../source4/heimdal_build -Idefault/source4/heimdal/lib/gssapi -I../source4/heimdal/lib/gssapi -Idefault/lib/util/charset -I../lib/util/charset -Idefault/source4/heimdal/lib/roken -I../source4/heimdal/lib/roken -Idefault/source4/heimdal/lib/wind -I../source4/heimdal/lib/wind -Idefault/source4/heimdal/lib/hcrypto/libtommath -I../source4/heimdal/lib/hcrypto/libtommath -Idefault/source4/heimdal/lib/gssapi/gssapi -I../source4/heimdal/lib/gssapi/gssapi -Idefault/source4/heimdal/lib/gssapi/spnego -I../source4/heimdal/lib/gssapi/spnego -Idefault/source4/heimdal/lib/gssapi/krb5 -I../source4/heimdal/lib/gssapi/krb5 -Idefault/source4/heimdal/lib/gssapi/mech -I../source4/heimdal/lib/gssapi/mech -Idefault/libcli/util -I../libcli/util -Idefault/source4/heimdal/base -I../source4/heimdal/base -Idefault/source4/heimdal/lib/hx509 -I../source4/heimdal/lib/hx509 -Idefault/source3 -I../source3 -Idefault/source3/include -I../source3/include -Idefault/source3/lib -I../source3/lib -Idefault/source4/heimdal/lib/com_err -I../source4/heimdal/lib/com_err -Idefault/bin/default/source4/heimdal/lib/asn1 -Idefault/source4/heimdal/lib/asn1 
-Idefault/source4/heimdal/lib/hcrypto -I../source4/heimdal/lib/hcrypto -Idefault/source4/heimdal/lib -I../source4/heimdal/lib -Idefault/librpc -I../librpc -Idefault/lib/crypto -I../lib/crypto -Idefault/dynconfig -I../dynconfig -I/usr/local/include -D_SAMBA_BUILD_=4 -DHAVE_CONFIG_H=1 -D_GNU_SOURCE=1 -D_XOPEN_SOURCE_EXTENDED=1 ../lib/addns/dnsrecord.c -c -o default/lib/addns/dnsrecord_1.o
In file included from ../lib/addns/dnsrecord.c:24:
In file included from ../lib/addns/dns.h:31:
In file included from ../lib/replace/system/gssapi.h:47:
../source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h:41:1: error: unknown type name 'GSSAPI_CPP_START'
GSSAPI_CPP_START
^
../source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h:49:1: error: expected identifier or '('
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_spnego_mechanism_oid_desc;
^
../source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h:53:1: error: unknown type name 'GSSAPI_CPP_END'
GSSAPI_CPP_END
^
In file included from ../lib/addns/dnsrecord.c:24:
In file included from ../lib/addns/dns.h:41:
/usr/include/fcntl.h:271:1: error: expected identifier or '('
struct flock {
^
4[ 676/3806] Compiling lib/addns/dnsutils.c
 errors generated.
runner cc -O2 -pipe -fno-omit-frame-pointer -DLIBICONV_PLUG -fno-color-diagnostics -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing -fPIC -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DSTATIC_addns_MODULES=NULL -DSTATIC_addns_MODULES_PROTO=extern void __addns_dummy_module_proto(void) -MD -I/usr/local/include -DLIBICONV_PLUG -Idefault/lib/addns -I../lib/addns -Idefault/include/public -I../include/public -Idefault/source4 -I../source4 -Idefault/lib -I../lib -Idefault/source4/lib -I../source4/lib -Idefault/source4/include -I../source4/include -Idefault/include -I../include -Idefault/lib/replace -I../lib/replace -Idefault -I.. -Idefault/source4/heimdal/lib/krb5 -I../source4/heimdal/lib/krb5 -Idefault/source4/heimdal/lib/asn1 -I../source4/heimdal/lib/asn1 -Idefault/source4/heimdal/include -I../source4/heimdal/include -Idefault/source4/heimdal_build -I../source4/heimdal_build -Idefault/source4/heimdal/lib/gssapi -I../source4/heimdal/lib/gssapi -Idefault/lib/util/charset -I../lib/util/charset -Idefault/source4/heimdal/lib/roken -I../source4/heimdal/lib/roken -Idefault/source4/heimdal/lib/wind -I../source4/heimdal/lib/wind -Idefault/source4/heimdal/lib/hcrypto/libtommath -I../source4/heimdal/lib/hcrypto/libtommath -Idefault/source4/heimdal/lib/gssapi/gssapi -I../source4/heimdal/lib/gssapi/gssapi -Idefault/source4/heimdal/lib/gssapi/spnego -I../source4/heimdal/lib/gssapi/spnego -Idefault/source4/heimdal/lib/gssapi/krb5 -I../source4/heimdal/lib/gssapi/krb5 -Idefault/source4/heimdal/lib/gssapi/mech -I../source4/heimdal/lib/gssapi/mech -Idefault/libcli/util -I../libcli/util -Idefault/source4/heimdal/base -I../source4/heimdal/base -Idefault/source4/heimdal/lib/hx509 -I../source4/heimdal/lib/hx509 -Idefault/source3 -I../source3 -Idefault/source3/include -I../source3/include -Idefault/source3/lib -I../source3/lib -Idefault/source4/heimdal/lib/com_err -I../source4/heimdal/lib/com_err -Idefault/bin/default/source4/heimdal/lib/asn1 -Idefault/source4/heimdal/lib/asn1 
-Idefault/source4/heimdal/lib/hcrypto -I../source4/heimdal/lib/hcrypto -Idefault/source4/heimdal/lib -I../source4/heimdal/lib -Idefault/librpc -I../librpc -Idefault/lib/crypto -I../lib/crypto -Idefault/dynconfig -I../dynconfig -I/usr/local/include -D_SAMBA_BUILD_=4 -DHAVE_CONFIG_H=1 -D_GNU_SOURCE=1 -D_XOPEN_SOURCE_EXTENDED=1 ../lib/addns/dnsutils.c -c -o default/lib/addns/dnsutils_1.o
In file included from ../lib/addns/dnsutils.c:29:
In file included from ../lib/addns/dns.h:31:
In file included from ../lib/replace/system/gssapi.h:47:
../source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h:41:1: error: unknown type name 'GSSAPI_CPP_START'
GSSAPI_CPP_START
^
../source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h:49:1: error: expected identifier or '('
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_spnego_mechanism_oid_desc;
^
../source4/heimdal/lib/gssapi/gssapi/gssapi_spnego.h:53:1: error: unknown type name 'GSSAPI_CPP_END'
GSSAPI_CPP_END
^
In file included from ../lib/addns/dnsutils.c:29:
In file included from ../lib/addns/dns.h:41:
/usr/include/fcntl.h:271:1: error: expected identifier or '('
struct flock {
^
4 errors generated.
Waf: Leaving directory `/usr/ports/net/samba44/work/samba-4.4.5/bin'
Build failed:
 -> task failed (err #1):
        {task: cc dnsrecord.c -> dnsrecord_1.o}
 -> task failed (err #1):
        {task: cc dnsutils.c -> dnsutils_1.o}
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/net/samba44
*** Error code 1
```


----------



## Remington (Dec 4, 2016)

jonfr said:


> After two tries to make this work, I continue to get this error when I try to compile net/samba44. I know this is connected to this bug in the Samba code. I have disabled gssapi with make.conf and this is a completely clean install that I'm running at the moment (I started from scratch again in an attempt to resolve this problem). Since I know this error also affects net/samba43, I'm going to try net/samba42, since using net/samba36 is no longer an option. Any ideas on how to work around this problem are welcomed. Thanks.



I did the build using poudriere and it failed. Probably need to wait for a workaround or a fix upstream.


----------



## Remington (Dec 4, 2016)

The error I am getting seemed to be unrelated, as poudriere said a dependency failed because samba was looking for py27-dnspython while I am only using Python 3.5. I have no plans to install multiple versions of Python on my servers. IMHO Python 2.7 should be discontinued rather than extended to 2020, but developers are too slow to update their software to use Python 3.x. The Samba team really needs to fix this.


```
===>   samba44-4.4.5_1 depends on package: p5-Parse-Pidl>=4.3.1 - found
===>   Returning to build of samba44-4.4.5_1
===>   samba44-4.4.5_1 depends on package: py27-dnspython>=1.9.4 - not found
===>   Installing existing package /packages/All/py35-dnspython-1.15.0.txz
[freebsd_10-3x64-HEAD-job-01] Installing py35-dnspython-1.15.0...
[freebsd_10-3x64-HEAD-job-01] `-- Installing py35-setuptools35-28.1.0...
[freebsd_10-3x64-HEAD-job-01] |   `-- Installing python35-3.5.2...
[freebsd_10-3x64-HEAD-job-01] |   | `-- Installing libffi-3.2.1...
[freebsd_10-3x64-HEAD-job-01] |   |   `-- Installing indexinfo-0.2.6...
[freebsd_10-3x64-HEAD-job-01] |   |   `-- Extracting indexinfo-0.2.6: .... done
[freebsd_10-3x64-HEAD-job-01] |   | `-- Extracting libffi-3.2.1: .......... done
[freebsd_10-3x64-HEAD-job-01] |   | `-- Installing gettext-runtime-0.19.8.1...
[freebsd_10-3x64-HEAD-job-01] |   | `-- Extracting gettext-runtime-0.19.8.1: .......... done
[freebsd_10-3x64-HEAD-job-01] |   `-- Extracting python35-3.5.2: .......... done
[freebsd_10-3x64-HEAD-job-01] `-- Extracting py35-setuptools35-28.1.0: .......... done
[freebsd_10-3x64-HEAD-job-01] Extracting py35-dnspython-1.15.0: .......... done
Message from python35-3.5.2:
===========================================================================

Note that some standard Python modules are provided as separate ports
as they require additional dependencies. They are available as:

py35-gdbm       databases/py35-gdbm
py35-sqlite3    databases/py35-sqlite3
py35-tkinter    x11-toolkits/py35-tkinter

===========================================================================
===>   samba44-4.4.5_1 depends on package: py27-dnspython>=1.9.4 - not found
*** Error code 1

Stop.
make: stopped in /usr/ports/net/samba44
====>> Cleaning up wrkdir
===>  Cleaning for samba44-4.4.5_1
build of net/samba44 ended at Sun Dec  4 06:36:20 EST 2016
build time: 00:01:03
!!! build failure encountered !!!
```


----------



## jonfr (Dec 4, 2016)

Remington said:


> I did the build using poudriere and it failed. Probably need to wait for a workaround or a fix upstream.


The fix has been implemented in net/samba45 (according to the bug report on this error). But that version is not yet in ports. I've not seen this python error you got before, since I allow the system to get the packages it needs to work properly.


----------



## Remington (Dec 4, 2016)

jonfr said:


> The fix has been implemented in net/samba45 (according to the bug report on this error). But that version is not yet in ports. I've not seen this python error you got before, since I allow the system to get the packages it needs to work properly.



You're right that net/samba45 hasn't been added to the ports yet.  Hopefully it'll be added soon.


----------

