Re: heimdal -> MIT kdc migration

Reply: Gleb Smirnoff : "Re: heimdal -> MIT kdc migration"
Reply: Rick Macklem : "Re: heimdal -> MIT kdc migration"
In reply to: Rick Macklem : "Re: heimdal -> MIT kdc migration"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Wed, 03 Sep 2025 04:37:14 UTC
In message <CAM5tNy7aNgOyzaKvzRWFGPkpdaHsA_bhjNFjMDQVk0df0dBFjw@mail.gmail.c
om>
, Rick Macklem writes:
> On Sun, Aug 31, 2025 at 5:58=E2=80=AFPM Rick Macklem <rick.macklem@gmail.co=
> m> wrote:
> >
> > On Sun, Aug 31, 2025 at 5:41=E2=80=AFPM Rick Macklem <rick.macklem@gmail.=
> com> wrote:
> > >
> > > On Sat, Aug 30, 2025 at 9:47=E2=80=AFPM Rick Macklem <rick.macklem@gmai=
> l.com> wrote:
> > > >
> > > > On Sat, Aug 30, 2025 at 4:22=E2=80=AFPM Rick Macklem <rick.macklem@gm=
> ail.com> wrote:
> > > > >
> > > > > On Sat, Aug 30, 2025 at 8:56=E2=80=AFAM Rick Macklem <rick.macklem@=
> gmail.com> wrote:
> > > > > >
> > > > > > On Fri, Aug 29, 2025 at 1:05=E2=80=AFPM Rick Macklem <rick.mackle=
> m@gmail.com> wrote:
> > > > > > >
> > > > > > > On Fri, Aug 29, 2025 at 7:43=E2=80=AFAM Rick Macklem <rick.mack=
> lem@gmail.com> wrote:
> > > > > > > >
> > > > > > > > On Wed, Aug 27, 2025 at 8:39=E2=80=AFPM Rick Macklem <rick.ma=
> cklem@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > On Wed, Aug 27, 2025 at 7:43=E2=80=AFPM Rick Macklem <rick.=
> macklem@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > On Tue, Aug 26, 2025 at 9:35=E2=80=AFAM Gleb Smirnoff <gl=
> ebius@freebsd.org> wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff=
>  wrote:
> > > > > > > > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Mackl=
> em wrote:
> > > > > > > > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg ins=
> tall heimdal", you get a
> > > > > > > > > > > T> R> working Heimdal-7.8 in ports.
> > > > > > > > > > > T> R>
> > > > > > > > > > > T> R> Now, I have another challenge. Fixing the master =
> passwords.
> > > > > > > > > > > T> R> I'll work on it later to-day.
> > > > > > > > > > > T>
> > > > > > > > > > > T> I have applied two commits from Heimdal from 2012 th=
> at add 'kadmin dump -f MIT'
> > > > > > > > > > > T> feature to our base heimdal and polished them to com=
> pile.  So far it doesn't
> > > > > > > > > > > T> work yet, either create an empty dump or create a co=
> re dump, instead of
> > > > > > > > > > > T> database dump :) I'll see how difficult it is going =
> to further resolve that to
> > > > > > > > > > > T> a working condition. If I succeed, then having 'dump=
>  -f MIT' in base without
> > > > > > > > > > > T> any ports would be the best solution.  Can also be m=
> erged to FreeBSD 14.4.
> > > > > > > > > > >
> > > > > > > > > > > Good news.  In the above paragraph I was testing my cha=
> nge incorrectly - threw
> > > > > > > > > > > the new binary on a system running unpatched libraries.=
>   When run correctly,
> > > > > > > > > > > it successfully produced something that looks like a co=
> rrect dump in MIT format.
> > > > > > > > > > > I haven't yet tried to load it into MIT kdc yet, though=
> .
> > > > > Well, would you like the not so bad news or the bad news??;-)
> > > > > Your patch works, in that it produces a dump that "kdb5_util load
> > > > > -update" can load.
> > > > > After loading, if the principal only has keys for the newer encrypt=
> ion types of
> > > > > aes256-cts-hmac-sha1-96
> > > > > aes128-cts-hmac-sha1-96
> > > > > then you can look at the principal via kadmin.local, but the passwo=
> rd must
> > > > > be changed before it works.
> > > > > --> This is the same behaviour as you get if you use Heimdal-7.8 to=
>  do the
> > > > >       dump conversion.
> > > > > So far, so good...
> > > > >
> > > > > Now, the not so good news. Once you update the Heimdal libraries
> > > > > (libhdb.so and libkadm5srv.so) "kadmin -l" is broken on the system
> > > > > running the old KDC. "kadmin -l dump" works, but something like:
> > > > > # kadmin -l
> > > > > kadmin> get rmacklem
> > > > > kadmin: get rmacklem: Service key not available
> > > > > - I have not yet looked in your patched sources to see where this
> > > > >   failure comes from?
> > > > >
> > > > > Now, more not so good news...
> > > > > My patch doesn't help.
> > > > > It does re-encrypt the key in the master key from the MIT KDC
> > > > > system, but that doesn't make the password work.
> > > > > When I compared the dump generated via kadmin with both
> > > > > your patch and mine, the key for aes256-cts-hmac-sha1-96
> > > > > is 34bytes long.
> > > > > After doing the change_password so that it works, a dump
> > > > > generated by "kdb5_util dump -r13" (the same dump format)
> > > > > has a key that is 62bytes long.
> > > > > --> So, there is more to converting the key than just re-ecrypting
> > > > >       it. (I'll try and find where the MIT code encrypts a key in a=
>  master
> > > > >       key to see why it ends up at 62bytes and whether that can be =
> done
> > > > >       in the old code.)
> > > > >
> > > > > So, if we are going to continue with this...
> > > > > - We need to figure out why your patch breaks "kadmin" for other
> > > > >   things and fix that.
> > > > > - I/we need to figure out how to convert the 34byte key to the MIT
> > > > >   62byte key (and then maybe the password won't need to be changed?=
> ).
> > > > >
> > > > > Or do we just say "When you convert the KDC database, all the passw=
> ords
> > > > > must be changed to get them to work?".
> > > > All I've got sofar is this patch...
> > > > https://people.freebsd.org/~rmacklem/print.patch
> > > >
> > > > It tweaks entry2mit_string_int() so that it skips over the keys for
> > > > old encryption types and fills in a fake "modified by" entry if none
> > > > exists.
> > > >
> > > > These changes at least make the MIT dump such that the records
> > > > don't end up "incomplete or corrupted" when you try to do something
> > > > like "get_principal <principal>" in kadmin.local.
> > > >
> > > > As noted, your patch makes "kadmin -l" break for most things,
> > > > reporting "Service key not available". The failures go away if
> > > > you revert back to the non-patched libraries.
> > > > I have not located the problem yet.
> > > >
> > > > As for the passwords...no luck yet, rick
> > > Finally..it works. (First off, apologies for all the posts, just ignore
> > > them.;-)
> > >
> > > The patch is at:
> > > https://people.freebsd.org/~rmacklem/kadmin.patch
> I just updated the patch with a fix for the case where the
> Heimdal principal does not have any keys for string encryption.
> (That is fixed now and I haven't found any other bugs, so I
> think I am done playing with it. Yippee!!)
>
> Please test when you can find the time, rick

I think the problem is with OpenSSL 3.5. With the legacy provider loaded in 
OpenSSL 3.5 I get,

test3# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active
test3# 

Whereas in 3.0 I get,

bob# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.16
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.16
    status: active
bob# 

Some symbol must be missing.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0