From: Rick Macklem
Date: Tue, 26 Aug 2025 10:21:16 -0700
Subject: Re: heimdal -> MIT kdc migration
To: Gleb Smirnoff
Cc: Cy Schubert, freebsd-current@freebsd.org
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff wrote:
>
> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> T> R> working Heimdal-7.8 in ports.
> T> R>
> T> R> Now, I have another challenge. Fixing the master passwords.
> T> R> I'll work on it later to-day.
> T>
> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> T> feature to our base heimdal and polished them to compile.  So far it doesn't
> T> work yet, either create an empty dump or create a core dump, instead of
> T> database dump :)  I'll see how difficult it is going to further resolve that to
> T> a working condition.  If I succeed, then having 'dump -f MIT' in base without
> T> any ports would be the best solution.  Can also be merged to FreeBSD 14.4.
>
> Good news.  In the above paragraph I was testing my change incorrectly - threw
> the new binary on a system running unpatched libraries.  When run correctly,
> it successfully produced something that looks like a correct dump in MIT format.
> I haven't yet tried to load it into MIT kdc yet, though.
You might have better luck than me, but if I just loaded it,
"kadmin.local" wouldn't work.
To get it loaded, I had to:
- edit the mit.dump and remove the entries for K/M, kadmin/admin,
  kadmin/changepw and krbtgt/REALM.
Then I...
# kdb5_util create -s
and
# kdb5_util load -update mit.dump
- after that, kadmin.local would find the principals, but a "kinit" wouldn't
  work until I did a "change_password" on it.
--> The MIT kinit would fail before prompting for a password, so there
    was something sketchy about the TGT. (kvno or ??)

I'll probably piss around with it again tomorrow, rick
ps: I'm using the Heimdal-7.8 I installed in 13.5. Good luck with
    patching the older one. As you might have noticed, there are
    now newer versions of the MIT dump format. Hopefully that isn't
    needed to get the passwords to work?

>
> I will finalize the branch promptly and share it.  The above experience also
> indicated that I need to do a library version bump.
>
> --
> Gleb Smirnoff
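
The dump-editing step described in the message above, as an added example that is not part of the original e-mail or of either Kerberos project: a filter that drops the four principals before the load. The function names, the realm EXAMPLE.ORG, the output file name and the sample records are assumptions, as is the layout it relies on (one tab-separated line per principal, first field `princ`, full principal name in a field of its own).

```shell
#!/bin/sh
# Added example (not from the original message).
# Removes the principals that "kdb5_util create -s" creates itself, so that
# "kdb5_util load -update" does not overwrite them with the migrated copies.
# Assumption: every principal is one tab-separated line starting with
# "princ" that carries the full name (e.g. K/M@REALM) as a whole field.

# filter_mit_dump REALM: dump on stdin, filtered dump on stdout,
# number of dropped principals on stderr.
filter_mit_dump() {
    awk -F '\t' -v realm="$1" '
        BEGIN {
            skip["K/M@" realm] = 1
            skip["kadmin/admin@" realm] = 1
            skip["kadmin/changepw@" realm] = 1
            skip["krbtgt/" realm "@" realm] = 1
        }
        $1 == "princ" {
            # Whole-field match only: alice/admin must not match kadmin/admin.
            for (i = 2; i <= NF; i++)
                if ($i in skip) { dropped++; next }
        }
        { print }   # header, policies and all other principals pass through
        END { printf "dropped %d principal(s)\n", dropped > "/dev/stderr" }
    '
}

# Constructed sample input: field values are placeholders, not real key data.
sample_dump() {
    printf 'constructed header line\n'
    for p in K/M kadmin/admin kadmin/changepw krbtgt/EXAMPLE.ORG \
             alice/admin host/nfs.example.org; do
        printf 'princ\t0\t0\t0\t0\t0\t%s@EXAMPLE.ORG\tplaceholder\n' "$p"
    done
}

# Usage, following the order given in the message:
#   filter_mit_dump EXAMPLE.ORG < mit.dump > mit.filtered.dump
#   kdb5_util create -s
#   kdb5_util load -update mit.filtered.dump
```

Check the count printed on stderr: a value other than 4 means the dump names those principals differently from what the filter assumes, and the file should be inspected before loading.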