Re: August 2025 stabilization week

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Tue, 26 Aug 2025 13:40:09 UTC
On Tue, Aug 26, 2025 at 6:08 AM Jan Bramkamp <crest@rlwinm.de> wrote:
>
>
> On 26.08.25 15:05, Jan Bramkamp wrote:
> > On 26.08.25 06:25, Rick Macklem wrote:
> >> On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> >>> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <kevans@freebsd.org> wrote:
> >>>>
> >>>> On 8/25/25 07:53, Gleb Smirnoff wrote:
> >>>>>     Hi,
> >>>>>
> >>>>> On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
> >>>>> T> This is an automated email to inform you that the August 2025 stabilization week
> >>>>> T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
> >>>>> T> main-stabweek-2025-Aug.
> >>>>>
> >>>>> This stabilization cycle is expected to be more bumpy than usual.
> >>>>>
> >>>>> 1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
> >>>>> provider is broken.
> >>> I believe that KTLS support isn't yet enabled for it?
> >>> (If so, NFS over TLS won't work.)
> >>>
> >>>>> 2) The default Kerberos now is MIT. We have already checked that a Kerberized
> >>>>> NFS client can migrate from Heimdal to MIT.  We did not check Kerberized NFS
> >>>>> server, but should be fine.
> >>> I tested the server a couple of days ago and it was fine.
> >>>
> >>>>   There is not yet an official way to migrate kdc
> >>>>> from Heimdal to MIT.
> >>> Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
> >>> use it to dump the KDC's database in MIT format. (Although Cy seemed to
> >>> find it didn't work, doing this with the "--decrypt" option might retain the
> >>> passwords.)
> >>>
> >>> I'll give this a try and report back if it worked for me.
> >> Well, I'm not having any luck.
> >> Every time I try and use Heimdal-7.8 to load the database from Heimdal-1.5.2,
> >> "kadmin -l" throws this error and exits.
> >>
> >> kadmin: rc4 8: EVP_CipherInit_ex einit
> >>
> >> I need the Heimdal-7.8 kadmin to work to try and convert the database to
> >> MIT format.
> >>
> >> So, does anyone know the trick to fixing this? rick
> >
> > This looks very similar to a problem I had when upgrading to the first
> > FreeBSD release using OpenSSL 3.x.
> >
> > In that case the issue was that the cryptographically broken old RC4
> > ciphersuite is no longer supported at all.
> >
> > In Heimdal you could disable it in the configuration and so it
> > wouldn't even probe for the removed cipher.
> >
> >
> Sorry I forgot to include the relevant /etc/krb5.conf lines:
>
> [libdefaults]
>
>          default_keys        = aes256-cts-hmac-sha1-96:pw-salt
>          default_etypes      = aes256-cts-hmac-sha1-96
>
>          default_etypes_des  =
>
> [kadmin]
>          default_keys    = aes256-cts-hmac-sha1-96:pw-salt
>
>
Thanks for the suggestion, but adding the above to /etc/krb5.conf
didn't help (I had tried a couple of variants of the above already).

I think I'll try a FreeBSD-13 next.

Thanks, rick