Re: MIT KRB5 in 15-CURRENT
Date: Mon, 16 Jun 2025 04:28:49 UTC
On Sunday, June 15th, 2025 at 11:43 PM, Cy Schubert <Cy.Schubert@cschubert.com> wrote:

> Hi freebsd-current@,
>
> MIT KRB5 has been imported. It is disabled by default. To build and install
> MIT KRB5 in 15-CURRENT,
>
> 1. Add WITH_MITKRB5=yes in src.conf.
>
> 2. Do a buildworld and buildkernel.
>
> 3. Then installworld, run etcupdate to update files in /etc.
>
> 4. make delete-old and delete-old-libs. This is important. Skip this step
>    and your resulting install will contain both MIT and Heimdal Kerberos.
>    This will not work.
>
> Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC on
> FreeBSD. There is a procedure to convert the Heimdal HDB to an MIT KRB5
> KDB. I am still working on documenting the procedure. The process is not
> straightforward as our Heimdal 1.5.2 is very old and does not support the
> feature found in later versions of Heimdal needed to migrate the HDB to
> KDB. In a nutshell: one must export the HDB, import it into the latest
> version of Heimdal (using ports/security/heimdal), then export an MIT KRB5
> export, and finally import it into a new MIT KRB5 KDB.
>
> If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will
> simplify integration into a Microsoft network. You will still need to use
> winbind from samba or sssd, as Active Directory uses MIT KRB5 and LDAP for
> authentication.
>
> A ports exp-run will be needed to list any ports that may fail to build
> with MIT KRB5 in base. If any are found they will be fixed before we switch
> the default from Heimdal 1.5.2 to MIT KRB5 1.21.3.
>
> A decision to remove Heimdal from the source tree will come sometime after
> the default has been switched from Heimdal to MIT KRB5.
>
> I also expect some ports plumbing changes, especially in Mk/Uses/gssapi.mk
> in order to support MIT KRB5 in base. Any required changes should be
> identified with an exp-run.
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: cy@FreeBSD.org Web: https://FreeBSD.org
> NTP: cy@nwtime.org Web: https://nwtime.org
>
> e**(i*pi)+1=0

Thank you for your great work. I will close D43625 and D43624 as the adoption of MIT krb5 makes them obsolete.

I have a few questions regarding MIT krb5 replacing heimdal:

1. In which FreeBSD version will MIT krb5 be the default?
2. In which FreeBSD version will heimdal be removed?

Regards,
Minsoo
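
A check for the mixed MIT/Heimdal install that skipping step 4 of the quoted procedure produces, as an added example that is not part of the original messages or of FreeBSD's own tooling. The library name stems are assumptions based on the upstream projects' usual naming, not taken from the post; `has_marker` and `krb5_flavour` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report which Kerberos implementation's shared libraries are
# present in a library directory, to spot a mixed install after an upgrade.
# Assumption: the stems below are the upstream projects' usual library names.
# Both projects ship a libkrb5, so it cannot be used to tell them apart; only
# implementation-specific libraries serve as markers.
MIT_MARKERS="libkrb5support libk5crypto libkdb5"
HEIMDAL_MARKERS="libhx509 libheimbase libroken libwind libhdb"

# has_marker DIR STEM... -> returns 0 if any DIR/STEM.so* file exists
has_marker() {
    dir=$1; shift
    for stem in "$@"; do
        for f in "$dir/$stem".so*; do
            # An unmatched glob stays literal, so test for existence.
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# krb5_flavour [DIR] -> prints one of: mit | heimdal | both | none
krb5_flavour() {
    dir=${1:-/usr/lib}
    mit=no; heimdal=no
    # Marker lists are deliberately left unquoted so they split into words.
    has_marker "$dir" $MIT_MARKERS && mit=yes
    has_marker "$dir" $HEIMDAL_MARKERS && heimdal=yes
    case "$mit/$heimdal" in
        yes/yes) echo both ;;     # stale libraries from the other stack remain
        yes/no)  echo mit ;;
        no/yes)  echo heimdal ;;
        *)       echo none ;;
    esac
}

# When run as a script with a directory argument, report on that directory.
if [ "$#" -gt 0 ]; then
    krb5_flavour "$1"
fi
```

A result of `both` for `/usr/lib` after a `WITH_MITKRB5=yes` upgrade indicates leftover libraries that `make delete-old-libs` would have removed.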