[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 20 Dec 2022 23:27:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #38 from Cy Schubert <cy@FreeBSD.org> ---
(In reply to amendlik from comment #37)

The former.

You don't have the means or ability to apply a patch -- the vast majority of
people don't, and I (with 45 years of IT experience) seem to forget this
sometimes. My comments were a reset to square one, to use the binary tools at
our disposal. It's a "let's use this to test the hypothesis."

My sandbox at $JOB is a 13.1p3 machine with no /usr/src and no /usr/ports. I
understand not having the means to do anything but pkg install.

The hypothesis is that Heimdal in base is way out of date. That won't change
anytime soon as upgrading it isn't simple. It regressed authentication
significantly because much code was added to other parts of FreeBSD to work with
it. Upgrading Heimdal to 7.8.0 breaks all the code that depends on 1.5.0.

One way to test this theory would be to try something that is linked with MIT
KRB5 1.20.1 instead of the ancient Heimdal. If that works we have a) a workaround
until Heimdal can be updated in FreeBSD and b) something that can be pointed to
in order to possibly replace Heimdal with MIT (which some have opposed because
the kadmin protocols between the two are incompatible, causing POLA problems for
existing users).

Heimdal and MIT use the same protocol for authentication (KDC) but use
different protocols for administration (kadmin).

I'm also not sure if FreeIPA is using the Red Hat KRB5. Red Hat has applied
patches to their KRB5 that are not applied to MIT's version (or what we use in
FreeBSD ports). This is because they backport patches from MIT to their ancient
MIT KRB5. Red Hat does this for all software in order to maintain their ten
year guarantee. (Heard it was five years now.)

Long story short, I don't know if this is caused by an ancient Heimdal in
FreeBSD or a divergent MIT in Red Hat's KRB5, or if this was caused by some
patch applied to FreeIPA's KRB5. My strategy is to isolate the problem using
whatever tools are at our disposal. If we can't isolate the problem we're left
with reviewing source code in FreeBSD Heimdal and FreeIPA KRB5, and this is time
consuming.

BTW, I don't get paid for this. This is a volunteer effort. I have a fulltime
day job as a sysadmin at a small datacentre with approximately 10k servers
(actually two datacentres in two cities).

-- 
You are receiving this mail because:
You are the assignee for the bug.
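The test proposed in the comment above (try a client linked against MIT KRB5 from pkg instead of base Heimdal) only isolates anything if you are sure which implementation the binary you ran actually loaded, since both install a `kinit` and both ship a `libkrb5.so`. The following is an added example, not code from the bug report or from either Kerberos project: a POSIX sh check that classifies a binary as MIT-linked, Heimdal-linked, or mixed from its `ldd` output. The library paths and sonames it matches (base Heimdal under `/usr/lib` as `libkrb5.so.11` / `libgssapi.so.10`, MIT krb5 from ports under `/usr/local/lib` as `libkrb5.so.3` / `libgssapi_krb5.so.2`) are assumptions about FreeBSD 13 and the security/krb5 port, and the sample `ldd` output is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a Kerberos client binary
# by which libkrb5/libgssapi its ldd(1) output resolves to.
#
# Assumed library locations (assumptions, adjust for your release):
#   base Heimdal : /usr/lib/libkrb5.so.11, /usr/lib/libgssapi.so.10
#   MIT krb5 pkg : /usr/local/lib/libkrb5.so.3, /usr/local/lib/libgssapi_krb5.so.2

# krb_flavor_from_ldd TEXT
#   TEXT is the text printed by `ldd BINARY`. Prints one word on stdout:
#   mit | heimdal | mixed | none
krb_flavor_from_ldd() {
    mit=0
    heimdal=0
    # Only the resolved path on the right of "=>" matters; a here-document is
    # used instead of a pipe so the counters survive the loop in plain sh.
    while IFS= read -r line; do
        case "$line" in
            *'=> /usr/local/lib/libkrb5.so.'*|*'=> /usr/local/lib/libgssapi_krb5.so.'*)
                mit=1 ;;
            *'=> /usr/lib/libkrb5.so.'*|*'=> /usr/lib/libgssapi.so.'*)
                heimdal=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ "$mit" -eq 1 ] && [ "$heimdal" -eq 1 ]; then
        echo mixed      # pulls in both stacks: results prove nothing
    elif [ "$mit" -eq 1 ]; then
        echo mit
    elif [ "$heimdal" -eq 1 ]; then
        echo heimdal
    else
        echo none       # statically linked, or no Kerberos at all
    fi
}

# krb_flavor BINARY
#   Same classification for a real file on the running system.
krb_flavor() {
    krb_flavor_from_ldd "$(ldd "$1" 2>/dev/null)"
}

# Constructed sample ldd output (not captured from any real host).
SAMPLE_MIT='/usr/local/bin/kinit:
    libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x1234)
    libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x1235)
    libc.so.7 => /lib/libc.so.7 (0x1236)'

SAMPLE_HEIMDAL='/usr/bin/kinit:
    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x1234)
    libroken.so.11 => /usr/lib/libroken.so.11 (0x1235)
    libc.so.7 => /lib/libc.so.7 (0x1236)'

# A binary built against base GSSAPI but picking up MIT libkrb5 via LD paths.
SAMPLE_MIXED='/usr/local/bin/ssh:
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x1234)
    libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x1235)'

# When run as a script with arguments, classify each given binary.
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(krb_flavor "$bin")"
done
```

Run it as `sh krb_flavor.sh /usr/bin/kinit /usr/local/bin/kinit` and only treat a result as evidence when the MIT binary reports `mit` and the base one `heimdal`; a `mixed` result means the test is not comparing the two implementations cleanly. With the MIT client confirmed, `KRB5_TRACE=/dev/stderr /usr/local/bin/kinit user@REALM` (MIT's tracing facility; the realm and principal are placeholders) shows the KDC exchange in detail, which is what you want to compare against the failing Heimdal `kinit`.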