Re: heimdal -> MIT kdc migration
Date: Tue, 26 Aug 2025 17:21:16 UTC
On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
>
> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> T> R> working Heimdal-7.8 in ports.
> T> R>
> T> R> Now, I have another challenge. Fixing the master passwords.
> T> R> I'll work on it later to-day.
> T>
> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> T> feature to our base heimdal and polished them to compile. So far it doesn't
> T> work yet, either create an empty dump or create a core dump, instead of
> T> database dump :) I'll see how difficult it is going to further resolve that to
> T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
>
> Good news. In the above paragraph I was testing my change incorrectly - threw
> the new binary on a system running unpatched libraries. When run correctly,
> it successfully produced something that looks like a correct dump in MIT format.
> I haven't yet tried to load it into MIT kdc yet, though.
You might have better luck than me, but if I just loaded it,
"kadmin.local" wouldn't work.
To get it loaded, I had to:
- edit the mit.dump and remove the entries for
  K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM.
Then I...
# kdb5_util create -s
and
# kdb5_util load -update mit.dump
- after that, kadmin.local would find the principals, but
  a "kinit" wouldn't work until I did a "change_password" on it.
  --> The MIT kinit would fail before prompting for a password,
      so there was something sketchy about the TGT. (kvno or ??)
I'll probably piss around with it again tomorrow, rick
ps: I'm using the Heimdal-7.8 I installed in 13.5. Good luck with
patching the older one. As you might have noticed, there are
now newer versions of the MIT dump format. Hopefully that
isn't needed to get the passwords to work?
>
> I will finalize the branch promptly and share it. The above experience also
> indicated that I need to do a library version bump.
>
> --
> Gleb Smirnoff
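
The dump edit described in the reply above (removing K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM from mit.dump before loading) can be scripted instead of done by hand. This is an added example, not code from the thread or from either Kerberos project; the function names, the EXAMPLE.ORG realm and the sample records are constructed, and it assumes principal records are tab-separated lines starting with "princ" with the principal name in the seventh field.

```shell
#!/bin/sh
# Added example: drop the principals that "kdb5_util create -s" creates
# itself, so "kdb5_util load -update" only merges the remaining entries.
# Assumption: principal records are tab-separated lines starting with
# "princ", with the principal name in field 7. Every other line (header,
# policy records) passes through unchanged.

filter_mit_dump() {
    # $1 = realm name. Dump is read from stdin, the filtered dump goes to
    # stdout, and the names of dropped principals are reported on stderr.
    awk -F '\t' -v realm="$1" '
        BEGIN {
            skip["K/M@" realm] = 1
            skip["kadmin/admin@" realm] = 1
            skip["kadmin/changepw@" realm] = 1
            # Only the local TGS principal; cross-realm krbtgt entries stay.
            skip["krbtgt/" realm "@" realm] = 1
        }
        $1 == "princ" && ($7 in skip) {
            print "dropped: " $7 > "/dev/stderr"
            next
        }
        { print }
    '
}

# Constructed sample input (header and key data are placeholders, not a
# real dump), used only to exercise the filter offline.
sample_dump() {
    printf 'kdb5_util load_dump version 5\n'
    for p in K/M kadmin/admin kadmin/changepw krbtgt/EXAMPLE.ORG \
             rick host/nfs.example.org; do
        name="$p@EXAMPLE.ORG"
        printf 'princ\t38\t%d\t0\t1\t0\t%s\t0\t...\n' "${#name}" "$name"
    done
}
```

Typical use is `filter_mit_dump REALM < mit.dump > mit.filtered.dump`, followed by the `kdb5_util create -s` and `kdb5_util load -update` steps from the message, pointed at the filtered file.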