From: Rick Macklem
Date: Tue, 2 Sep 2025 22:10:06 -0700
Subject: Re: heimdal -> MIT kdc migration
To: Cy Schubert
Cc: Gleb Smirnoff, freebsd-current@freebsd.org
In-Reply-To: <20250903043714.370F5311@slippy.cwsent.com>
References: <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net> <20250903043714.370F5311@slippy.cwsent.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Tue, Sep 2, 2025 at 9:37 PM Cy Schubert wrote:
>
> In message [message-id elided], Rick Macklem writes:
> > On Sun, Aug 31, 2025 at 5:58 PM Rick Macklem wrote:
> > >
> > > On Sun, Aug 31, 2025 at 5:41 PM Rick Macklem wrote:
> > > >
> > > > On Sat, Aug 30, 2025 at 9:47 PM Rick Macklem wrote:
> > > > >
> > > > > On Sat, Aug 30, 2025 at 4:22 PM Rick Macklem wrote:
> > > > > >
> > > > > > On Sat, Aug 30, 2025 at 8:56 AM Rick Macklem wrote:
> > > > > > >
> > > > > > > On Fri, Aug 29, 2025 at 1:05 PM Rick Macklem wrote:
> > > > > > > >
> > > > > > > > On Fri, Aug 29, 2025 at 7:43 AM Rick Macklem wrote:
> > > > > > > > >
> > > > > > > > > On Wed, Aug 27, 2025 at 8:39 PM Rick Macklem wrote:
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > > > > > > > > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > > > > > > > > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > > > > > > > > > > > T> R> working Heimdal-7.8 in ports.
> > > > > > > > > > > > T> R>
> > > > > > > > > > > > T> R> Now, I have another challenge. Fixing the master passwords.
> > > > > > > > > > > > T> R> I'll work on it later to-day.
> > > > > > > > > > > > T>
> > > > > > > > > > > > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > > > > > > > > > > > T> feature to our base heimdal and polished them to compile. So far it doesn't
> > > > > > > > > > > > T> work yet, either create an empty dump or create a core dump, instead of
> > > > > > > > > > > > T> database dump :) I'll see how difficult it is going to further resolve that to
> > > > > > > > > > > > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > > > > > > > > > > > T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
> > > > > > > > > > > >
> > > > > > > > > > > > Good news. In the above paragraph I was testing my change incorrectly - threw
> > > > > > > > > > > > the new binary on a system running unpatched libraries. When run correctly,
> > > > > > > > > > > > it successfully produced something that looks like a correct dump in MIT format.
> > > > > > > > > > > > I haven't yet tried to load it into MIT kdc yet, though.
> > > > > > Well, would you like the not so bad news or the bad news??;-)
> > > > > > Your patch works, in that it produces a dump that "kdb5_util load
> > > > > > -update" can load.
> > > > > > After loading, if the principal only has keys for the newer encryption types of
> > > > > > aes256-cts-hmac-sha1-96
> > > > > > aes128-cts-hmac-sha1-96
> > > > > > then you can look at the principal via kadmin.local, but the password must
> > > > > > be changed before it works.
> > > > > > --> This is the same behaviour as you get if you use Heimdal-7.8 to do the
> > > > > >     dump conversion.
> > > > > > So far, so good...
> > > > > >
> > > > > > Now, the not so good news. Once you update the Heimdal libraries
> > > > > > (libhdb.so and libkadm5srv.so) "kadmin -l" is broken on the system
> > > > > > running the old KDC. "kadmin -l dump" works, but something like:
> > > > > > # kadmin -l
> > > > > > kadmin> get rmacklem
> > > > > > kadmin: get rmacklem: Service key not available
> > > > > > - I have not yet looked in your patched sources to see where this
> > > > > >   failure comes from?
> > > > > >
> > > > > > Now, more not so good news...
> > > > > > My patch doesn't help.
> > > > > > It does re-encrypt the key in the master key from the MIT KDC
> > > > > > system, but that doesn't make the password work.
> > > > > > When I compared the dump generated via kadmin with both
> > > > > > your patch and mine, the key for aes256-cts-hmac-sha1-96
> > > > > > is 34 bytes long.
> > > > > > After doing the change_password so that it works, a dump
> > > > > > generated by "kdb5_util dump -r13" (the same dump format)
> > > > > > has a key that is 62 bytes long.
> > > > > > --> So, there is more to converting the key than just re-encrypting
> > > > > >     it. (I'll try and find where the MIT code encrypts a key in a master
> > > > > >     key to see why it ends up at 62 bytes and whether that can be done
> > > > > >     in the old code.)
> > > > > >
> > > > > > So, if we are going to continue with this...
> > > > > > - We need to figure out why your patch breaks "kadmin" for other
> > > > > >   things and fix that.
> > > > > > - I/we need to figure out how to convert the 34-byte key to the MIT
> > > > > >   62-byte key (and then maybe the password won't need to be changed?).
> > > > > >
> > > > > > Or do we just say "When you convert the KDC database, all the passwords
> > > > > > must be changed to get them to work?".
> > > > > All I've got so far is this patch...
> > > > > https://people.freebsd.org/~rmacklem/print.patch
> > > > >
> > > > > It tweaks entry2mit_string_int() so that it skips over the keys for
> > > > > old encryption types and fills in a fake "modified by" entry if none
> > > > > exists.
> > > > >
> > > > > These changes at least make the MIT dump such that the records
> > > > > don't end up "incomplete or corrupted" when you try to do something
> > > > > like "get_principal " in kadmin.local.
> > > > >
> > > > > As noted, your patch makes "kadmin -l" break for most things,
> > > > > reporting "Service key not available". The failures go away if
> > > > > you revert back to the non-patched libraries.
> > > > > I have not located the problem yet.
> > > > >
> > > > > As for the passwords...no luck yet, rick
> > > > Finally..it works. (First off, apologies for all the posts, just ignore
> > > > them.;-)
> > > >
> > > > The patch is at:
> > > > https://people.freebsd.org/~rmacklem/kadmin.patch
> > I just updated the patch with a fix for the case where the
> > Heimdal principal does not have any keys for string encryption.
> > (That is fixed now and I haven't found any other bugs, so I
> > think I am done playing with it. Yippee!!)
> >
> > Please test when you can find the time, rick
>
> I think the problem is with OpenSSL 3.5. With the legacy provider loaded in
> OpenSSL 3.5 I get,
>
> test3# openssl list -providers
> Providers:
>   default
>     name: OpenSSL Default Provider
>     version: 3.5.1
>     status: active
> test3#
>
> Whereas in 3.0 I get,
>
> bob# openssl list -providers
> Providers:
>   default
>     name: OpenSSL Default Provider
>     version: 3.0.16
>     status: active
>   legacy
>     name: OpenSSL Legacy Provider
>     version: 3.0.16
>     status: active
> bob#
>
> Some symbol must be missing.
Ok, I seem to have missed something here?
Just in case it wasn't clear, I was referring to testing
of the kadmin patches for the old Heimdal, so that the
KDC database can be moved to an MIT KDC and still work.

rick
>
>
> --
> Cheers,
> Cy Schubert
> FreeBSD UNIX:  Web: https://FreeBSD.org
> NTP:           Web: https://nwtime.org
>
> e**(i*pi)+1=0
>
>