Re: heimdal -> MIT kdc migration

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Wed, 03 Sep 2025 05:19:51 UTC
In message <CAM5tNy6c=+qPc1eKW5oFFeWSeYNKg9C-XZ16U=AtuBWnceYLPw@mail.gmail.com>
, Rick Macklem writes:
> On Tue, Sep 2, 2025 at 9:37 PM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> >
> > In message <CAM5tNy7aNgOyzaKvzRWFGPkpdaHsA_bhjNFjMDQVk0df0dBFjw@mail.gmail.com>
> > , Rick Macklem writes:
> > > On Sun, Aug 31, 2025 at 5:58 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > >
> > > > On Sun, Aug 31, 2025 at 5:41 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > >
> > > > > On Sat, Aug 30, 2025 at 9:47 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > >
> > > > > > On Sat, Aug 30, 2025 at 4:22 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > >
> > > > > > > On Sat, Aug 30, 2025 at 8:56 AM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > >
> > > > > > > > On Fri, Aug 29, 2025 at 1:05 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > On Fri, Aug 29, 2025 at 7:43 AM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 27, 2025 at 8:39 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > > > > > > > > > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > > > > > > > > > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > > > > > > > > > > > > T> R> working Heimdal-7.8 in ports.
> > > > > > > > > > > > > T> R>
> > > > > > > > > > > > > T> R> Now, I have another challenge. Fixing the master passwords.
> > > > > > > > > > > > > T> R> I'll work on it later to-day.
> > > > > > > > > > > > > T>
> > > > > > > > > > > > > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > > > > > > > > > > > > T> feature to our base heimdal and polished them to compile.  So far it doesn't
> > > > > > > > > > > > > T> work yet, either create an empty dump or create a core dump, instead of
> > > > > > > > > > > > > T> database dump :) I'll see how difficult it is going to further resolve that to
> > > > > > > > > > > > > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > > > > > > > > > > > > T> any ports would be the best solution.  Can also be merged to FreeBSD 14.4.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Good news.  In the above paragraph I was testing my change incorrectly - threw
> > > > > > > > > > > > > the new binary on a system running unpatched libraries.  When run correctly,
> > > > > > > > > > > > > it successfully produced something that looks like a correct dump in MIT format.
> > > > > > > > > > > > > I haven't yet tried to load it into MIT kdc yet, though.
> > > > > > > Well, would you like the not so bad news or the bad news??;-)
> > > > > > > Your patch works, in that it produces a dump that "kdb5_util load
> > > > > > > -update" can load.
> > > > > > > After loading, if the principal only has keys for the newer encryption types of
> > > > > > > aes256-cts-hmac-sha1-96
> > > > > > > aes128-cts-hmac-sha1-96
> > > > > > > then you can look at the principal via kadmin.local, but the password must
> > > > > > > be changed before it works.
> > > > > > > --> This is the same behaviour as you get if you use Heimdal-7.8 to do the
> > > > > > >       dump conversion.
> > > > > > > So far, so good...
> > > > > > >
> > > > > > > Now, the not so good news. Once you update the Heimdal libraries
> > > > > > > (libhdb.so and libkadm5srv.so) "kadmin -l" is broken on the system
> > > > > > > running the old KDC. "kadmin -l dump" works, but something like:
> > > > > > > # kadmin -l
> > > > > > > kadmin> get rmacklem
> > > > > > > kadmin: get rmacklem: Service key not available
> > > > > > > - I have not yet looked in your patched sources to see where this
> > > > > > >   failure comes from?
> > > > > > >
> > > > > > > Now, more not so good news...
> > > > > > > My patch doesn't help.
> > > > > > > It does re-encrypt the key in the master key from the MIT KDC
> > > > > > > system, but that doesn't make the password work.
> > > > > > > When I compared the dump generated via kadmin with both
> > > > > > > your patch and mine, the key for aes256-cts-hmac-sha1-96
> > > > > > > is 34 bytes long.
> > > > > > > After doing the change_password so that it works, a dump
> > > > > > > generated by "kdb5_util dump -r13" (the same dump format)
> > > > > > > has a key that is 62 bytes long.
> > > > > > > --> So, there is more to converting the key than just re-encrypting
> > > > > > >       it. (I'll try and find where the MIT code encrypts a key in a master
> > > > > > >       key to see why it ends up at 62 bytes and whether that can be done
> > > > > > >       in the old code.)
> > > > > > >
> > > > > > > So, if we are going to continue with this...
> > > > > > > - We need to figure out why your patch breaks "kadmin" for other
> > > > > > >   things and fix that.
> > > > > > > - I/we need to figure out how to convert the 34 byte key to the MIT
> > > > > > >   62 byte key (and then maybe the password won't need to be changed?).
> > > > > > >
> > > > > > > Or do we just say "When you convert the KDC database, all the passwords
> > > > > > > must be changed to get them to work?".
> > > > > > All I've got so far is this patch...
> > > > > > https://people.freebsd.org/~rmacklem/print.patch
> > > > > >
> > > > > > It tweaks entry2mit_string_int() so that it skips over the keys for
> > > > > > old encryption types and fills in a fake "modified by" entry if none
> > > > > > exists.
> > > > > >
> > > > > > These changes at least make the MIT dump such that the records
> > > > > > don't end up "incomplete or corrupted" when you try to do something
> > > > > > like "get_principal <principal>" in kadmin.local.
> > > > > >
> > > > > > As noted, your patch makes "kadmin -l" break for most things,
> > > > > > reporting "Service key not available". The failures go away if
> > > > > > you revert back to the non-patched libraries.
> > > > > > I have not located the problem yet.
> > > > > >
> > > > > > As for the passwords...no luck yet, rick
> > > > > Finally..it works. (First off, apologies for all the posts, just ignore
> > > > > them.;-)
> > > > >
> > > > > The patch is at:
> > > > > https://people.freebsd.org/~rmacklem/kadmin.patch
> > > I just updated the patch with a fix for the case where the
> > > Heimdal principal does not have any keys for string encryption.
> > > (That is fixed now and I haven't found any other bugs, so I
> > > think I am done playing with it. Yippee!!)
> > >
> > > Please test when you can find the time, rick
> >
> > I think the problem is with OpenSSL 3.5. With the legacy provider loaded in
> > OpenSSL 3.5 I get,
> >
> > test3# openssl list -providers
> > Providers:
> >   default
> >     name: OpenSSL Default Provider
> >     version: 3.5.1
> >     status: active
> > test3#
> >
> > Whereas in 3.0 I get,
> >
> > bob# openssl list -providers
> > Providers:
> >   default
> >     name: OpenSSL Default Provider
> >     version: 3.0.16
> >     status: active
> >   legacy
> >     name: OpenSSL Legacy Provider
> >     version: 3.0.16
> >     status: active
> > bob#
> >
> > Some symbol must be missing.
> Ok, I seem to have missed something here?
> Just in case it wasn't clear, I was referring to testing of the
> kadmin patches for the old Heimdal, so that the KDC database
> can be moved to an MIT KDC and still work.

I'm back at the keyboard and catching up.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0
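The thread compares `openssl list -providers` output on OpenSSL 3.0 (legacy provider active) and 3.5 (legacy provider absent). The following is an added example, not code from the thread or from FreeBSD/Heimdal: a small POSIX shell check that parses that listing format and reports whether a named provider is active, run here over constructed copies of the two listings quoted above.

```shell
#!/bin/sh
# Added example (not part of the thread): parse the `openssl list -providers`
# listing format and report whether a given provider is active. A Heimdal KDC
# database migrated from an older realm may still carry keys for legacy
# enctypes, so knowing whether the legacy provider is loaded is a useful
# pre-migration check.

# Constructed sample listings, mirroring the two outputs quoted in the thread.
SAMPLE_35='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active'

SAMPLE_30='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.16
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.16
    status: active'

# provider_active NAME: reads a listing on stdin; exit 0 if NAME is listed
# with "status: active", exit 1 otherwise.
provider_active() {
    awk -v want="$1" '
        # Provider names are indented by exactly two spaces.
        /^  [^ ]/ { cur = $1; next }
        # Property lines are indented by four; remember an active match.
        /^    status:/ && cur == want && $2 == "active" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_legacy LISTING: human-readable verdict for the legacy provider.
check_legacy() {
    if printf '%s\n' "$1" | provider_active legacy; then
        echo "legacy provider active"
    else
        echo "legacy provider NOT active"
    fi
}

# Live use on a real host (uncomment):
# openssl list -providers | provider_active legacy || echo "legacy provider missing"
```
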