From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
Date: Tue, 20 Dec 2022 23:27:44 +0000
X-Bugzilla-Who: cy@FreeBSD.org
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Status: Open
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #38 from Cy Schubert ---

(In reply to amendlik from comment #37)

The former. You don't have the means or ability to apply a patch -- the vast majority of people don't, and I (with 45 years of IT experience) seem to forget this sometimes. My comments were a reset to square one, to use the binary tools at our disposal. It's a "let's use this to test the hypothesis." My sandbox at $JOB is a 13.1p3 machine with no /usr/src and no /usr/ports. I understand not having the means to do anything but pkg install.

The hypothesis is that Heimdal in base is way out of date. That won't change anytime soon as upgrading it isn't simple. It regressed authentication significantly because much code was added to other parts of FreeBSD to work with it. Upgrading Heimdal to 7.8.0 breaks all the code that depends on 1.5.0.

To test this theory would be to try something that is linked with MIT KRB5 1.20.1 instead of the ancient Heimdal. If that works we have a) a workaround until Heimdal can be updated in FreeBSD and b) something that can be pointed to in order to possibly replace Heimdal with MIT (which some have opposed because the kadmin protocols between the two are incompatible, causing existing users POLA). Heimdal and MIT use the same protocol for authentication (KDC) but use different protocols for administration (kadmin).

I'm also not sure if FreeIPA is using the Red Hat KRB5. Red Hat has applied patches to their KRB5 that are not applied to MIT's version (or what we use in FreeBSD ports). This is because they backport patches from MIT to their ancient MIT KRB5. Red Hat does this for all software in order to maintain their ten year guarantee. (Heard it was five years now.)

Long story short, I don't know if this is caused by an ancient Heimdal in FreeBSD or a divergent MIT in Red Hat's KRB5, or if this was caused by some patch applied to FreeIPA's KRB5.

My strategy is to isolate the problem using whatever tools are at our disposal. If we can't isolate the problem we're left with reviewing source code in FreeBSD Heimdal and FreeIPA KRB5 and this is time consuming.

BTW, I don't get paid for this. This is a volunteer effort. I have a full-time day job as a sysadmin at a small datacentre with approximately 10k servers (actually two datacentres in two cities).
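The test proposed above only means something if the tool under test really resolves to the ports MIT KRB5 rather than base Heimdal. The following is an added check, not part of the bug thread: it reads `ldd`-style output and reports which Kerberos libraries a binary links against. It assumes base Heimdal libraries resolve under /usr/lib and ports MIT KRB5 (security/krb5) libraries under /usr/local/lib; the sample `ldd` output is constructed.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify which Kerberos library a
# FreeBSD binary is dynamically linked against, based on ldd output.
# Assumptions: base Heimdal libraries resolve under /usr/lib; the ports
# MIT KRB5 (security/krb5) libraries resolve under /usr/local/lib.

# krb_flavor: read ldd-style lines on stdin and print "heimdal-base",
# "mit-ports", "mixed" (both present) or "none" (no Kerberos libs found).
krb_flavor() {
    base=0
    ports=0
    while IFS= read -r line; do
        case "$line" in
            *libkrb5.so*|*libgssapi*.so*)
                case "$line" in
                    *"=> /usr/local/lib/"*) ports=1 ;;
                    *"=> /usr/lib/"*|*"=> /lib/"*) base=1 ;;
                esac
                ;;
        esac
    done
    if [ "$base" = 1 ] && [ "$ports" = 1 ]; then
        echo mixed
    elif [ "$ports" = 1 ]; then
        echo mit-ports
    elif [ "$base" = 1 ]; then
        echo heimdal-base
    else
        echo none
    fi
}

# Constructed sample resembling `ldd /usr/bin/kinit` (base Heimdal).
SAMPLE_BASE='/usr/bin/kinit:
        libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x800240000)
        libc.so.7 => /lib/libc.so.7 (0x800400000)'

# Constructed sample resembling `ldd /usr/local/bin/kinit` (ports MIT KRB5).
SAMPLE_PORTS='/usr/local/bin/kinit:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x800240000)
        libc.so.7 => /lib/libc.so.7 (0x800400000)'

# Real usage on the sandbox box: ldd /path/to/binary | krb_flavor
printf '%s\n' "$SAMPLE_BASE" | krb_flavor    # heimdal-base
printf '%s\n' "$SAMPLE_PORTS" | krb_flavor   # mit-ports
```

A "mixed" result is the case to watch for: a binary pulling in both implementations is exactly the kind of setup that makes the Heimdal-versus-MIT hypothesis impossible to isolate.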