Re: heimdal -> MIT kdc migration

Reply: Rick Macklem : "Re: heimdal -> MIT kdc migration"
In reply to: Rick Macklem : "Re: heimdal -> MIT kdc migration"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Thu, 28 Aug 2025 03:39:53 UTC
On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem <rick.macklem@gmail.com> wrote:
>
> On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
> >
> > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > T> R> working Heimdal-7.8 in ports.
> > T> R>
> > T> R> Now, I have another challenge. Fixing the master passwords.
> > T> R> I'll work on it later to-day.
> > T>
> > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > T> feature to our base heimdal and polished them to compile.  So far it doesn't
> > T> work yet, either create an empty dump or create a core dump, instead of
> > T> database dump :) I'll see how difficult it is going to further resolve that to
> > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > T> any ports would be the best solution.  Can also be merged to FreeBSD 14.4.
> >
> > Good news.  In the above paragraph I was testing my change incorrectly - threw
> > the new binary on a system running unpatched libraries.  When run correctly,
> > it successfully produced something that looks like a correct dump in MIT format.
> > I haven't yet tried to load it into MIT kdc yet, though.
Oh, and one more thing...
- If there are keys for old encryption types like des.. or arcfour..
in the MIT dump,
  those will screw up the load. (You can check and delete them in the
Heimdal-1.5.2
  kdc system via..
  # kadmin -l
  get <principal>
  - if old keys are listed in Keytypes:
  del_enctype <principal> <enctypes>
 exit

 Ideally the conversion code would skip over these and not put them in the dump.

rick
ps: If you don't do this, when you "get_principal" in kadmin.local on
the MIT KDC
      system, it will give you a "Database record is incomplete or corrupted..".

> >
> > I will finalize the branch promptly and share it.  The above experience also
> > indicated that I need to do a library version bump.
> I don't know if you are enthusiastic about pursuing this, but hopefully this
> works and gets the principals in (although I doubt the passwords will
> work without changing them).
>
> To get the passwords to work, I think the following *might* do it:
> - If you look in the Heimdal sources, when "--decrypt" is specified,
>   I think it finds its way down into a function called hdb_unseal_key_mkey()
>   which decrypts the key using the master key by calling _hdb_mkey_decrypt().
>   To get the passwords to work, I think the call to _hdb_mkey_decrypt() would
>   need to be followed by a call to _hdb_mkey_encrypt() with the "key"
>   argument being the master key for the MIT database. (It it a keytab
>   entry called /var/db/krb5kdc/.k5.YOUR.REALM created when you do a
>   "kdb5_util create -s" on the system that will be the MIT KDC.)
>   - Just to make it even more fun, there is a flag called HDB_KU_MKEY
>     which is set to the Heimdal way and not for the MIT way (whatever
>     that really means?).
>   - There is also some stuff about padding in hdb_unseal_key_mkey(),
>     but hopefully that won't be a problem?
>
> I think hdb_read_master_key() can be used to read in the MIT master
> key from the file you provide as an argument to it.
>
> This all is just a hunch, based on what I've seen so far.
>
> I'll admit since the hardware I have takes forever to "make buildworld"
> and I don't know a quick way to build/test these changes, I'm not
> inspired to try it.
>
> rick
>
> >
> > --
> > Gleb Smirnoff