MIT KRB5 Import Replacing Heimdal

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Mon, 26 May 2025 18:09:29 UTC
Hi,

A little bit of background first on how I/we got here.

About a year ago some people reached out to me about replacing our
ancient Heimdal 1.5.2 with MIT KRB5.

Backing up about six months, I had updated Heimdal 1.5.2 to Heimdal
7.5.0 locally -- buildworld passed but not tested. 7.7.0 was released. 
Unfortunately my work was all for naught. A major restructuring of the 
Heimdal base required rewriting the Makefiles, again.

Then, a number of Heimdal CVEs were announced, necessitating the update 
(locally) to Heimdal 7.8.0. Again the upstream sources and source tree
had changed significantly enough that my 7.7.0 work was an almost
throw-away. I was at the time considering approaching folks here on
arch@ about the possibility of replacing Heimdal with MIT KRB5. This
was about the time I received the last email.

What does this mean for FreeBSD?

The Kerberos authentication protocol is 100% the same. User apps will
not know the difference, though some of the admin commands are slightly
different.

The major differences between Heimdal and MIT KRB5 are the kadmin
protocol and the KDC database format.

The KDC database format can be converted from Heimdal format to MIT
KRB5. During the last year a developer/sysadmin from ntp.org/nwtime.org
had converted their KDC DB to MIT from Heimdal.

Why are we replacing Heimdal with MIT KRB5?

MIT KRB5 is the industry standard. Having received emails from a member
of the enterprise group, and having worked in the enterprise
space for the majority of my 50-year career, interoperability with
other Kerberos servers such as Red Hat Identity Management (based on
FreeIPA) or Microsoft's Active Directory (with MIT KRB5 embedded) is
most likely the reason they have shown interest in MIT KRB5. MIT
KRB5 brings us in line with other services in the enterprise data
centre.

My experience with MIT KRB5 is since the mid 1990s.

And of course my Heimdal updating experience from 7.5.0 --> 7.7.0 --> 
abandoned 7.8.0.

This is not the first time MIT KRB5 has been brought up either. The first
time I recall was by pfg@ a number of years ago.

The paramount reason for this is the request by the enterprise working 
group which, professionally, I cannot argue with. I've worked in this
space for the majority of my career.

What about implementation?

My implementation adds a new knob WITH_MITKRB5. If enabled, buildworld
will build MIT KRB5 instead of Heimdal 1.5.2. Without it, buildworld
will default to Heimdal 1.5.2. After a period of time, to be determined
by the FreeBSD community, the default will switch to MIT KRB5, with an
optional Heimdal build. The proposal is to enable MIT KRB5 when
15.0-RELEASE is cut (or later), and to remove Heimdal 1.5.2 from the
source tree for 16.0-RELEASE (or later).


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0