Re: heimdal -> MIT kdc migration

From: Alexander Leidinger <Alexander_at_Leidinger.net>
Date: Wed, 27 Aug 2025 08:17:48 UTC
On 2025-08-26 19:21, Rick Macklem wrote:
> On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
>>
>> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
>> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
>> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
>> T> R> working Heimdal-7.8 in ports.
>> T> R>
>> T> R> Now, I have another challenge. Fixing the master passwords.
>> T> R> I'll work on it later to-day.
>> T>
>> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
>> T> feature to our base heimdal and polished them to compile.  So far it doesn't
>> T> work yet, it either creates an empty dump or creates a core dump, instead of
>> T> database dump :) I'll see how difficult it is going to be to further resolve that to
>> T> a working condition. If I succeed, then having 'dump -f MIT' in base without
>> T> any ports would be the best solution.  Can also be merged to FreeBSD 14.4.
>>
>> Good news.  In the above paragraph I was testing my change incorrectly - threw
>> the new binary on a system running unpatched libraries.  When run correctly,
>> it successfully produced something that looks like a correct dump in MIT format.
>> I haven't yet tried to load it into MIT kdc, though.
> You might have better luck than me, but if I just loaded it,
> "kadmin.local" wouldn't work.
> To get it loaded, I had to:
> - edit the mit.dump and remove the entries for
>   K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM.
> Then I...
> # kdb5_util create -s
> and
> # kdb5_util load -update mit.dump
> - after that, kadmin.local would find the principals, but
>   a "kinit" wouldn't work until I did a "change_password" on it.

Have you tried "kadmin -l dump --decrypt --format=MIT"?

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
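
The manual edit of mit.dump described in the quoted reply can be scripted; the following is an added example, not code from this thread or from either Kerberos project. It assumes principal records are tab-separated lines beginning with "princ" with the principal name in the 7th field; the function names, the realm EXAMPLE.ORG and the sample records are constructed.

```shell
#!/bin/sh
# Added example: strip the principals that "kdb5_util create -s" generates
# itself from an MIT-format dump, before "kdb5_util load -update".
# Assumption: records are tab-separated, start with "princ", and hold the
# principal name in field 7. Every other line is passed through untouched.

filter_mit_dump() {
    # $1 = realm; dump is read from stdin, filtered dump written to stdout
    awk -F '\t' -v realm="$1" '
        BEGIN {
            skip["K/M@" realm] = 1
            skip["kadmin/admin@" realm] = 1
            skip["kadmin/changepw@" realm] = 1
            # Only the local TGS principal; cross-realm krbtgt entries stay.
            skip["krbtgt/" realm "@" realm] = 1
        }
        $1 == "princ" && ($7 in skip) { next }
        { print }
    '
}

# Constructed sample dump; key and tl_data fields are shortened to "...".
sample_dump() {
    printf 'kdb5_util load_dump version 7\n'
    for name in K/M kadmin/admin kadmin/changepw krbtgt/EXAMPLE.ORG \
                alice krbtgt/OTHER.ORG; do
        p="$name@EXAMPLE.ORG"
        printf 'princ\t38\t%d\t1\t1\t0\t%s\t0\t...\n' "${#p}" "$p"
    done
}

# Prints the header plus the alice and krbtgt/OTHER.ORG records.
sample_dump | filter_mit_dump EXAMPLE.ORG
```

On a real dump the call would be `filter_mit_dump REALM < mit.dump > mit.filtered.dump`. Both files hold key material, so they should be readable by root only and deleted after the load.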