From: Rick Macklem
Date: Sat, 30 Aug 2025 08:56:21 -0700
Subject: Re: heimdal -> MIT kdc migration
To: Gleb Smirnoff
Cc: Cy Schubert, freebsd-current@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Fri, Aug 29, 2025 at 1:05 PM Rick Macklem wrote:
>
> On Fri, Aug 29, 2025 at 7:43 AM Rick Macklem wrote:
> >
> > On Wed, Aug 27, 2025 at 8:39 PM Rick Macklem wrote:
> > >
> > > On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem wrote:
> > > >
> > > > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff wrote:
> > > > >
> > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > > > > T> R> working Heimdal-7.8 in ports.
> > > > > T> R>
> > > > > T> R> Now, I have another challenge. Fixing the master passwords.
> > > > > T> R> I'll work on it later to-day.
> > > > > T>
> > > > > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > > > > T> feature to our base heimdal and polished them to compile. So far it doesn't
> > > > > T> work yet, either create an empty dump or create a core dump, instead of
> > > > > T> database dump :) I'll see how difficult it is going to further resolve that to
> > > > > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > > > > T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
> > > > >
> > > > > Good news. In the above paragraph I was testing my change incorrectly - threw
> > > > > the new binary on a system running unpatched libraries. When run correctly,
> > > > > it successfully produced something that looks like a correct dump in MIT format.
> > > > > I haven't yet tried to load it into MIT kdc yet, though.
> > > Oh, and one more thing...
> > > - If there are keys for old encryption types like des.. or arcfour..
> > > in the MIT dump,
> > > those will screw up the load. (You can check and delete them in the
> > > Heimdal-1.5.2
> > > kdc system via..
> > > # kadmin -l
> > > get
> > > - if old keys are listed in Keytypes:
> > > del_enctype
> > > exit
> > >
> > > Ideally the conversion code would skip over these and not put them in the dump.
> > >
> > > rick
> > > ps: If you don't do this, when you "get_principal" in kadmin.local on
> > > the MIT KDC
> > > system, it will give you a "Database record is incomplete or corrupted..".
> > >
> > > >
> > > > > I will finalize the branch promptly and share it. The above experience also
> > > > > indicated that I need to do a library version bump.
> > > > I don't know if you are enthusiastic about pursuing this, but hopefully this
> > > > works and gets the principals in (although I doubt the passwords will
> > > > work without changing them).
> > > >
> > > > To get the passwords to work, I think the following *might* do it:
> > > > - If you look in the Heimdal sources, when "--decrypt" is specified,
> > > > I think it finds its way down into a function called hdb_unseal_key_mkey()
> > > > which decrypts the key using the master key by calling _hdb_mkey_decrypt().
> > > > To get the passwords to work, I think the call to _hdb_mkey_decrypt() would
> > > > need to be followed by a call to _hdb_mkey_encrypt() with the "key"
> > > > argument being the master key for the MIT database. (It is a keytab
> > > > entry called /var/db/krb5kdc/.k5.YOUR.REALM created when you do a
> > > > "kdb5_util create -s" on the system that will be the MIT KDC.)
> > > > - Just to make it even more fun, there is a flag called HDB_KU_MKEY
> > > > which is set to the Heimdal way and not for the MIT way (whatever
> > > > that really means?).
> > > > - There is also some stuff about padding in hdb_unseal_key_mkey(),
> > > > but hopefully that won't be a problem?
> > > >
> > > > I think hdb_read_master_key() can be used to read in the MIT master
> > > > key from the file you provide as an argument to it.
> > > >
> > > > This all is just a hunch, based on what I've seen so far.
> > > >
> > > > I'll admit since the hardware I have takes forever to "make buildworld"
> > > > and I don't know a quick way to build/test these changes, I'm not
> > > > inspired to try it.
> > Although not inspired, I have taken a stab at it.
> > I am still trying to figure out how to build/test it, but I have forked
> > glebius@'s github and added some code to...
> > - Not dump the weak encryption keys (they just cause MIT's kadmin.local
> > to complain that the principal's database entry is corrupted.
> > - If the argument to "kadmin -l dump" is "-f " instead
> > of "-f MIT" it re-encrypts the keys in MIT's master key. (I hope that will
> > make the passwords work.
> > (Basically, someone will "kdb5_util create -s" on the MIT KDC system
> > and then copy the /var/db/krbkdc/.k5.YOUR.REALM file over to the
> > Heimdal KDC system and do "kadmin -l dump -f <.k5-filename> mit.dump"
> > then copy "mit.dump" over to the MIT KDC system and
> > "kdb5_util load -update mit.dump". Then, hopefully, the principals will
> > work??)
> >
> > Anyhow, it is currently sitting here:
> > github.com/rmacklem/FreeBSD in the kadmin-dump-MIT branch.
> > (I'm as unconversant with git and github as anyone, so if you have
> > trouble finding it, just let me know.)
> Actually, it hasn't made it there yet. For some reason (I think it is
> glebius@'s large # of branches) it takes a very long time to "git push"
> a patch involving 4 files. It failed after over an hour with an unexpected
> TCP disconnect. I am running it again.
>
> I will stick the patch here, in case the push fails again.
> (It needs to be applied on top of glebius@'s kadmin-dump-MIT branch.
The patch is here. (For some reason, I couldn't push so I deleted the github fork.)
https://people.freebsd.org/~rmacklem/kadmin.patch
I haven't yet been able to test it, but will be able to do so later to-day, rick
>
> Meanwhile I've given up trying to build it on a universe system and
> am now trying the "make buildworld" locally. This will take days,
> so I guess I'll go do something else. ;-)
>
> rick
> >
> > I'll keep updating this github fork as I get to test it, but if others
> > know how to build it, feel free to test, rick
> > > >
> > > > > rick
> > > > >
> > > > > --
> > > > > Gleb Smirnoff
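The pre-load check Rick describes above (old des/arcfour keys in the MIT dump make kadmin.local report the principal as corrupted), as an added example that is not part of the thread and not code from Heimdal, MIT krb5 or either branch: a Python scanner that reads an MIT-format dump and lists principals still carrying single-DES or RC4 keys, so they can be cleaned up with del_enctype before "kdb5_util load". It assumes the tab-separated "princ" record layout that kdb5_util dump writes; the sample dump is constructed, and the weak set is a parameter.

```python
"""Scan an MIT-format 'kdb5_util dump' for principals still holding keys in weak
enctypes (single DES, RC4). Assumes the tab-separated 'princ' record layout that
kdb5_util dump writes (format version 4 and later); sample data is constructed."""

# Enctype numbers from RFC 3961/3962/4757; the weak set is single DES and RC4.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
                 24: "arcfour-hmac-exp"}
WEAK_ENCTYPES = {1, 2, 3, 23, 24}

def parse_princ_record(line):
    """Return (principal name, [enctype, ...]) for one 'princ' record."""
    f = line.rstrip("\n").rstrip(";").split("\t")
    if f[0] != "princ":
        raise ValueError("not a princ record")
    n_tl_data, n_key_data, name = int(f[2]), int(f[3]), f[5]
    i = 6 + 8            # skip the 8 fields attributes .. fail_auth_count
    i += 3 * n_tl_data   # each tl_data is (type, length, hex or -1)
    enctypes = []
    for _ in range(n_key_data):
        ver, i = int(f[i]), i + 2    # key_data_ver, kvno
        enctypes.append(int(f[i]))   # key_data_type[0] is the enctype
        i += 3 * ver                 # (type, length, hex) per entry; entry 1 is the salt
    return name, enctypes

def weak_keys(dump_text, weak=WEAK_ENCTYPES):
    """Map principal -> names of weak enctypes present in its key data."""
    found = {}
    for line in dump_text.splitlines():
        if not line.startswith("princ\t"):
            continue   # version header, policy records, etc.
        name, enctypes = parse_princ_record(line)
        hits = [ENCTYPE_NAMES.get(e, str(e)) for e in enctypes if e in weak]
        if hits:
            found[name] = hits
    return found

def make_record(name, enctypes):
    """Constructed 'princ' record: zeroed metadata, no tl_data, dummy key bytes."""
    fields = ["princ", str(len(name)), "0", str(len(enctypes)), "0", name] + ["0"] * 8
    for kvno, et in enumerate(enctypes, 1):
        fields += ["1", str(kvno), str(et), "4", "deadbeef"]   # ver 1: key only, no salt
    return "\t".join(fields + ["-1"]) + ";"

# Constructed sample dump, not taken from any real KDC.
SAMPLE_DUMP = "\n".join(["kdb5_util load_dump version 6",
                         make_record("alice@EXAMPLE.COM", [18, 17, 23]),
                         make_record("nfs/fs.example.com@EXAMPLE.COM", [18, 3]),
                         make_record("bob@EXAMPLE.COM", [18, 17])])
```

Run weak_keys() over the text of a real dump to get the principals that need del_enctype on the Heimdal side before the load; an empty result means nothing is left for kadmin.local to complain about on that count.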