Re: MIT KRB5 in 15-CURRENT

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Mon, 16 Jun 2025 05:01:56 UTC
In message <B9dYbVelBxymjeSLSXKQit3RdzeG3R8OLdfQ9co9Nts-ZFwv55O5YTUpAkZgrpyOOYkAX4ro5IaZH6Y4W_mrBW3v3oiGvEVjFVuEZWD7jUE=@proton.me>, Minsoo Choo writes:
> On Sunday, June 15th, 2025 at 11:43 PM, Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > Hi freebsd-current@,
> >
> > MIT KRB5 has been imported. It is disabled by default. To build and install
> > MIT KRB5 in 15-CURRENT,
> >
> > 1. Add WITH_MITKRB5=yes in src.conf.
> >
> > 2. Do a buildworld and buildkernel.
> >
> > 3. Then installworld, run etcupdate to update files in /etc.
> >
> > 4. make delete-old and delete-old-libs. This is important. Skip this step
> > and your resulting install will contain both MIT and Heimdal Kerberos. This
> > will not work.
> >
> > Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC on
> > FreeBSD. There is a procedure to convert the Heimdal HDB to an MIT KRB5 KDB.
> > I am still working on documenting the procedure. The process is not
> > straightforward as our Heimdal 1.5.2 is very old and does not support the
> > feature found in later versions of Heimdal needed to migrate the HDB to KDB.
> > In a nutshell: one must export the HDB, import it into the latest version of
> > Heimdal (using ports/security/heimdal), then export an MIT KRB5 export, and
> > finally import it into a new MIT KRB5 KDB.
> >
> > If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will
> > simplify integration into a Microsoft network. You will still need to use
> > winbind from samba or sssd, as Active Directory uses MIT KRB5 and LDAP for
> > authentication.
> >
> > A ports exp-run will be needed to list any ports that may fail to build
> > with MIT KRB5 in base. If any are found they will be fixed before we switch
> > the default from Heimdal 1.5.2 to MIT KRB5 1.21.3.
> >
> > A decision to remove Heimdal from the source tree will come sometime after
> > the default has been switched from Heimdal to MIT KRB5.
> >
> > I also expect some ports plumbing changes, especially in Mk/Uses/gssapi.mk
> > in order to support MIT KRB5 in base. Any required changes should be
> > identified with an exp-run.
> >
> > --
> > Cheers,
> > Cy Schubert Cy.Schubert@cschubert.com
> > FreeBSD UNIX: cy@FreeBSD.org Web: https://FreeBSD.org
> > NTP: cy@nwtime.org Web: https://nwtime.org
> >
> > e**(i*pi)+1=0
> >
>
> Thank you for your great work. I will close D43625 and D43624 as the adoption
> of MIT krb5 makes them obsolete.
>
> I have a few questions regarding MIT krb5 replacing heimdal:
> 1. In which FreeBSD version will MIT krb5 be default?

15-RELEASE.

> 2. In which FreeBSD version will heimdal be removed?

Hopefully 15-RELEASE though 16-RELEASE could be likely.

>
> Regards,
> Minsoo


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0