Date: Wed, 27 Aug 2025 10:17:48 +0200
From: Alexander Leidinger
To: Rick Macklem
Cc: Gleb Smirnoff, Cy Schubert, freebsd-current@freebsd.org
Subject: Re: heimdal -> MIT kdc migration

On 2025-08-26 19:21, Rick Macklem wrote:
> On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff wrote:
>>
>> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
>> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
>> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
>> T> R> working Heimdal-7.8 in ports.
>> T> R>
>> T> R> Now, I have another challenge. Fixing the master passwords.
>> T> R> I'll work on it later to-day.
>> T>
>> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
>> T> feature to our base heimdal and polished them to compile. So far it doesn't
>> T> work yet, either create an empty dump or create a core dump, instead of
>> T> database dump :) I'll see how difficult it is going to further resolve that to
>> T> a working condition. If I succeed, then having 'dump -f MIT' in base without
>> T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
>>
>> Good news. In the above paragraph I was testing my change incorrectly - threw
>> the new binary on a system running unpatched libraries. When run correctly,
>> it successfully produced something that looks like a correct dump in MIT format.
>> I haven't yet tried to load it into MIT kdc yet, though.
> You might have better luck than me, but if I just loaded it, "kadmin.local" wouldn't
> work.
> To get it loaded, I had to:
> - edit the mit.dump and remove the entries for
>   K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM.
> Then I...
> # kdb5_util create -s
> and
> # kdb5_util load -update mit.dump
> - after that, kadmin.local would find the principals, but
>   a "kinit" wouldn't work until I did a "change_password" on it.

Have you tried "kadmin -l dump --decrypt --format=MIT"?

Bye,
Alexander.
--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF