Re: August 2025 stabilization week

From: Jan Bramkamp <crest_at_rlwinm.de>
Date: Tue, 26 Aug 2025 13:08:13 UTC
On 26.08.25 15:05, Jan Bramkamp wrote:
> On 26.08.25 06:25, Rick Macklem wrote:
>> On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <rick.macklem@gmail.com> wrote:
>>> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <kevans@freebsd.org> wrote:
>>>>
>>>> On 8/25/25 07:53, Gleb Smirnoff wrote:
>>>>>     Hi,
>>>>>
>>>>> On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
>>>>> T> This is an automated email to inform you that the August 2025 stabilization week
>>>>> T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
>>>>> T> main-stabweek-2025-Aug.
>>>>>
>>>>> This stabilization cycle is expected to be more bumpy than usual.
>>>>>
>>>>> 1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
>>>>> provider is broken.
>>> I believe that KTLS support isn't yet enabled for it?
>>> (If so, NFS over TLS won't work.)
>>>
>>>>> 2) The default Kerberos now is MIT. We have already checked that a Kerberized
>>>>> NFS client can migrate from Heimdal to MIT.  We did not check Kerberized NFS
>>>>> server, but should be fine.
>>> I tested the server a couple of days ago and it was fine.
>>>
>>>>> There is not yet an official way to migrate kdc
>>>>> from Heimdal to MIT.
>>> Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
>>> use it to dump the KDC's database in MIT format. (Although Cy seemed to
>>> find it didn't work, doing this with the "--decrypt" option might retain the
>>> passwords.)
>>>
>>> I'll give this a try and report back if it worked for me.
>> Well, I'm not having any luck.
>> Every time I try and use Heimdal-7.8 to load the database from Heimdal-1.5.2,
>> "kadmin -l" throws this error and exits.
>>
>> kadmin: rc4 8: EVP_CipherInit_ex einit
>>
>> I need the Heimdal-7.8 kadmin to work to try and convert the database to
>> MIT format.
>>
>> So, does anyone know the trick to fixing this? rick
>
> This looks very similar to a problem I had when upgrading to the first 
> FreeBSD release using OpenSSL 3.x.
>
> In that case the issue was that the cryptographically broken old RC4 
> ciphersuite is no longer supported at all.
>
> In Heimdal you could disable it in the configuration and so it 
> wouldn't even probe for the removed cipher.
>
>
Sorry I forgot to include the relevant /etc/krb5.conf lines:

[libdefaults]
         default_keys        = aes256-cts-hmac-sha1-96:pw-salt
         default_etypes      = aes256-cts-hmac-sha1-96
         default_etypes_des  =

[kadmin]
         default_keys    = aes256-cts-hmac-sha1-96:pw-salt
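
A small audit of the krb5.conf settings listed above, as an added example that is not part of the original message: it reports which of those settings are unset and which still name an RC4 or single-DES enctype. The enctype match is a name-based heuristic, and the sample input is constructed, with a hypothetical arcfour entry added to [kadmin] so there is something to flag.

```python
import re

# Constructed sample: the message's settings plus one hypothetical RC4 key.
SAMPLE = """\
[libdefaults]
        default_keys        = aes256-cts-hmac-sha1-96:pw-salt
        default_etypes      = aes256-cts-hmac-sha1-96
        default_etypes_des  =
[kadmin]
        default_keys    = aes256-cts-hmac-sha1-96:pw-salt arcfour-hmac-md5:pw-salt
"""

# Settings named in the message, per section.
WATCHED = {
    "libdefaults": ("default_keys", "default_etypes", "default_etypes_des"),
    "kadmin": ("default_keys",),
}
# Name-based heuristic (assumption): RC4 and single-DES enctype spellings.
LEGACY = re.compile(r"^(arcfour|rc4|des-)", re.IGNORECASE)

def parse(text):
    """Return {section: {key: value}}; brace sub-blocks are not tracked."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def audit(text):
    """List (section, key, problem) for unset or legacy-cipher settings."""
    conf, findings = parse(text), []
    for section, keys in WATCHED.items():
        for key in keys:
            value = conf.get(section, {}).get(key)
            if value is None:
                findings.append((section, key, "not set"))
            for item in re.split(r"[\s,]+", value or ""):
                etype = item.split(":", 1)[0]  # drop the ':pw-salt' suffix
                if etype and LEGACY.match(etype):
                    findings.append((section, key, "legacy enctype " + etype))
    return findings
```

An explicitly empty value such as `default_etypes_des =` counts as set and produces no finding.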