From: Rick Macklem
Date: Wed, 27 Aug 2025 11:52:06 -0700
Subject: Re: heimdal -> MIT kdc migration
To: Alexander Leidinger
Cc: Gleb Smirnoff, Cy Schubert, freebsd-current@freebsd.org
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
References: <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net>

On Wed, Aug 27, 2025 at 1:18 AM Alexander Leidinger wrote:
>
> On 2025-08-26 19:21, Rick Macklem wrote:
> > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff wrote:
> >>
> >> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> >> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> >> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> >> T> R> working Heimdal-7.8 in ports.
> >> T> R>
> >> T> R> Now, I have another challenge. Fixing the master passwords.
> >> T> R> I'll work on it later to-day.
> >> T>
> >> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> >> T> feature to our base heimdal and polished them to compile. So far it doesn't
> >> T> work yet, either create an empty dump or create a core dump, instead of
> >> T> database dump :) I'll see how difficult it is going to further resolve that to
> >> T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> >> T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
> >>
> >> Good news. In the above paragraph I was testing my change incorrectly - threw
> >> the new binary on a system running unpatched libraries. When run correctly,
> >> it successfully produced something that looks like a correct dump in MIT format.
> >> I haven't yet tried to load it into MIT kdc yet, though.
> > You might have better luck than me, but if I just loaded it, "kadmin.local" wouldn't
> > work.
> > To get it loaded, I had to:
> > - edit the mit.dump and remove the entries for
> >   K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM.
> > Then I...
> > # kdb5_util create -s
> > and
> > # kdb5_util load -update mit.dump
> > -after that, kadmin.local would find the principals, but
> > a "kinit" wouldn't work until I did a "change_password" on it.
>
> Have you tried "kadmin -l dump --decrypt --format=MIT"?
As I noted in the last post, this does not work.

I think the problem is that the current MIT KDC requires keys to be
encrypted in the master key. If the old Heimdal-1.5.2 KDC was configured
with a master key of type aes256-cts-hmac-sha1-96, then it might be
possible to put that master key on the MIT KDC and make things work.
--> Since the Heimdal default for the master key is des3-cbc-sha1,
almost all Heimdal-1.5.2 KDCs will have used that.

If you "kadmin -l dump --decrypt old.dump" on the Heimdal-1.5.2 KDC,
that file will load and work in the Heimdal-7.8 KDC.
However, the next stage of "kadmin -l dump --decrypt -f MIT mit.dump"
results in a file that, after loading into the MIT KDC via
"kdb5_util load mit.dump", is reported as corrupt/incomplete by
kadmin.local, etc.

I think what would be needed is a command that both writes out a dump
in MIT format and converts the encrypted keys to the new master key
(kdb5_util can do this, but the database has to be loaded first)
instead of just decrypting them.

The only thing I have not yet tried is getting the MIT KDC to use the
old des3-cbc-sha1 master key from the Heimdal-1.5.2 KDC, but I doubt
it will allow it?

rick

> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
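The manual step Rick describes above (removing the K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM records from mit.dump so that the copies "kdb5_util create -s" made under the new master key are not clobbered by "kdb5_util load -update") as a small POSIX sh filter. This is an added example, not code from the thread or from Heimdal/MIT; it assumes the MIT dump record layout where the principal name is the sixth tab-separated field of a "princ" line, and the sample dump and the realm EXAMPLE.ORG are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: drop the four principals that
# Rick removed by hand (K/M, kadmin/admin, kadmin/changepw, krbtgt/REALM)
# from a Heimdal-produced MIT-format dump before "kdb5_util load -update",
# since "kdb5_util create -s" already created them under the new master key.
# Assumption: MIT dump records look like
#   princ<TAB>len<TAB>n_tl<TAB>n_keys<TAB>e_len<TAB>principal@REALM<TAB>...
# so the principal name is the 6th tab-separated field.

# Usage: filter_mit_dump REALM < mit.dump > mit-filtered.dump
filter_mit_dump() {
    awk -F '\t' -v realm="$1" '
        $1 == "princ" {
            name = $6
            if (name == "K/M@" realm ||
                name == "kadmin/admin@" realm ||
                name == "kadmin/changepw@" realm ||
                name == "krbtgt/" realm "@" realm) {
                print "dropping " name | "cat 1>&2"
                next
            }
        }
        { print }   # header line, policy records and other principals pass through
    '
}

# Constructed sample dump (tail of each record elided); not a real KDC export.
sample_dump() {
    printf 'kdb5_util load_dump version 7\n'
    for p in 'K/M@EXAMPLE.ORG' 'kadmin/admin@EXAMPLE.ORG' \
             'kadmin/changepw@EXAMPLE.ORG' 'krbtgt/EXAMPLE.ORG@EXAMPLE.ORG' \
             'alice@EXAMPLE.ORG' 'nfs/host.example.org@EXAMPLE.ORG'; do
        printf 'princ\t38\t21\t1\t0\t%s\t<fields elided>\n' "$p"
    done
}

# Names of the principals that survive the filter, space separated.
kept_principals() {
    sample_dump | filter_mit_dump EXAMPLE.ORG 2>/dev/null |
        awk -F '\t' '$1 == "princ" { printf "%s%s", sep, $6; sep = " " } END { print "" }'
}

kept_principals   # alice@EXAMPLE.ORG nfs/host.example.org@EXAMPLE.ORG
```

Run it against the real file as `filter_mit_dump YOUR.REALM < mit.dump > mit-filtered.dump` and diff the two before loading, so the only records removed are the four expected ones.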