cred_store extension not supported on macOS #347
Comments
The default behaviour on macOS is to favour the GSS Framework which is Apple's fork of Heimdal that ships with the OS. It's an OS provided lib which is why some of those paths don't actually exist but Apple's loader is able to handle them properly. There are a few hardcoded things in
You've probably noticed already but we do ship a wheel for macOS, so if you are installing from pip you'll have to favour the sdist and build it locally.
Thanks very much for getting back to me! After setting all three of the environment variables as described above, I was able to get the latest gssapi code to install on macOS using the Kerberos 5 library from MacPorts without any changes to setup.py. The version I built this way supports the cred-store extension I was looking to use.
Yeah - I originally tried installing from pip directly from PyPI, but that appears to be using Apple's version of gssapi, which doesn't support the cred-store extension I needed.
I do see a bug in that the wrap_iov calls will not be present, I'll try and submit a PR to fix that soon.
Today, the python-gssapi software builds against macOS' built-in GSSAPI/Kerberos Frameworks. This adds a variant to build against MacPorts' MIT Kerberos package, `kerberos5`. kerberos5 is added as a variant because, if someone already has the package installed, we don't want to suddenly switch them to MIT Kerberos during an upgrade. Instead of patching `setup.py`, we build python-gssapi by setting environment variables, as instructed in pythongssapi/python-gssapi#347. The long description is also updated to reflect which GSSAPI/Kerberos installation is being used. Finally, a change is made to the options available on Mac OS X below 10.9: The kerberos5 variant is made the default; if the user attempts to remove this variant, their install errors out.
What went wrong?
I'm trying to use python-gssapi on macOS 14.6 and trying to take advantage of the cred store extension. However, when I build python-gssapi, I get back:
Skipping the cred_store extension because it is not supported by your GSSAPI implementation...
How do we reproduce?
Create a gssapi.Credentials object with the 'store' argument, such as:
(Remember to use fenced code blocks and consider placing in a gist if large)
Component versions (python-gssapi, Kerberos, OS / distro, etc.)
MIT Kerberos 5 version 1.21.3, from MacPorts 2.10.1
python-gssapi 1.8.3 from PyPI running on Python 3.12.5
I also tried getting the latest python-gssapi from Git (1.8.4) and installing that, but I ran into the same result.
The problem seems to be in the "support detection" in setup.py, but from what I can tell the version of Kerberos I have installed does have the symbol (gss_store_cred_into) that setup.py is looking for:
I think it might be finding the wrong library -- when I printed what it found, it reported:
/System/Library/Frameworks/GSS.framework/GSS
However, on my system that's a broken symlink to /System/Library/Frameworks/GSS.framework/Versions/Current/GSS, which points at /System/Library/Frameworks/GSS.framework/Versions/A/GSS, which doesn't seem to exist:
I then tried setting GSSAPI_MAIN_LIB=/opt/local/lib/libgssapi_krb5.dylib and running "setup.py build" rather than building with pip, but for this to work I needed to comment out a bit of setup.py:
This basically made sure the osx_has_gss_framework remained false, and avoided code later which tried to point at the OS X framework.
With the above change and specifying the path to the library manually via GSSAPI_MAIN_LIB, I was able to get the credential store extension to build, and was able to use it successfully.
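One way to check which candidate library actually exports the symbol named in the issue, given that an OS-provided framework path can be absent on disk yet still load. This is an added example, not python-gssapi's own setup.py code; `probe_library` and `first_supporting` are hypothetical helper names, and the two candidate paths are the ones quoted in the issue.

```python
import ctypes
import os

# Symbol the issue names as the one the build's support detection looks for.
CRED_STORE_SYMBOL = "gss_store_cred_into"

# Paths quoted in the issue: Apple's GSS framework and MacPorts' MIT Kerberos.
CANDIDATES = [
    "/System/Library/Frameworks/GSS.framework/GSS",
    "/opt/local/lib/libgssapi_krb5.dylib",
]


def probe_library(path, symbol=CRED_STORE_SYMBOL):
    """Report whether `path` is on disk, loadable, and exports `symbol`.

    "on_disk" and "loadable" are tracked separately because the dynamic
    loader may resolve a path that has no file behind it.
    Loading a library runs its initialisers, so only probe trusted paths.
    """
    result = {
        "path": path,
        "on_disk": os.path.exists(path),
        "loadable": False,
        "has_symbol": False,
    }
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return result  # the loader could not open it at all
    result["loadable"] = True
    # CDLL resolves attributes lazily; a missing export raises AttributeError.
    result["has_symbol"] = hasattr(lib, symbol)
    return result


def first_supporting(candidates, symbol=CRED_STORE_SYMBOL):
    """Return the first candidate path that exports `symbol`, or None."""
    for path in candidates:
        if probe_library(path, symbol)["has_symbol"]:
            return path
    return None


if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(probe_library(candidate))
    print("library to build against:", first_supporting(CANDIDATES))
```
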