Re: August 2025 stabilization week

Reply: Gleb Smirnoff : "heimdal -> MIT kdc migration Was: August 2025 stabilization week"
In reply to: Rick Macklem : "Re: August 2025 stabilization week"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Tue, 26 Aug 2025 15:13:26 UTC

On Tue, Aug 26, 2025 at 6:28 AM Rick Macklem <rick.macklem@gmail.com> wrote:
>
> On Tue, Aug 26, 2025 at 2:34 AM Alexander Leidinger
> <Alexander@leidinger.net> wrote:
> >
> > Am 2025-08-26 06:25, schrieb Rick Macklem:
> > > On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <rick.macklem@gmail.com>
> > > wrote:
> > >>
> > >> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <kevans@freebsd.org> wrote:
> >
> > >> >  There is no yet an official way to migrate kdc
> > >> > > from Heimdal to MIT.
> > >> Yea. One possibility is to install Heimdal-7.8 from ports/packages and
> > >> then
> > >> use it to dump the KDC's database in MIT format. (Although Cy seemed
> > >> to
> > >> find it didn't work, doing this with the "--decrypt" option might
> > >> retain the
> > >> passwords.)
> > >>
> > >> I'll give this a try and report back if it worked for me.
> > > Well, I'm not having any luck.
> > > Every time I try and use Heimdal-7.8 to load the database from
> > > Heimdal-1.5.2,
> > > "kadmin -l" throws this error and exits.
> > >
> > > kadmin: rc4 8: EVP_CipherInit_ex einit
> > >
> > > I need the Heimdal-7.8 kadmin to work to try and convert the database
> > > to
> > > MIT format.
> > >
> > > So, does anyone know the trick to fixing this? rick
> >
> > I migrated a while ago... don't remember if this year or last year. And
> > I don't have my notes about this anymore. But I exported everything from
> > base-heimdal and imported into MIT.
> > A quick google gave mit this:
> > https://serverfault.com/questions/1000332/migrating-from-heimdal-to-mit-kerberos
> > This can be done with the base-heimdal + ports-heimdal + mit-krb.
> Yes. That was basically what I am trying to do. However, I cannot get
> the ports-heimdal
> to work, due to that rc4 related problem. (I've tried 15 and 14. Maybe
> I'll try 13?)
Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
working Heimdal-7.8 in ports.

Now, I have another challenge. Fixing the master passwords.
I'll work on it later to-day.

rick

>
> Because there are several principals created when the MIT database is created,
> I think the last step might need "-update" ("kdb5_util load -update mit.dump").
>
> rick
>
> >
> > Bye,
> > Alexander.
> >
> > --
> > http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> > http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF