Re: heimdal -> MIT kdc migration

Reply: Cy Schubert : "Re: heimdal -> MIT kdc migration"
In reply to: Rick Macklem : "Re: heimdal -> MIT kdc migration"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Mon, 08 Sep 2025 20:08:16 UTC
On Wed, Sep 3, 2025 at 8:28 AM Rick Macklem <rick.macklem@gmail.com> wrote:
>
> On Tue, Sep 2, 2025 at 10:10 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> >
> > On Tue, Sep 2, 2025 at 9:37 PM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> > >
> > > In message <CAM5tNy7aNgOyzaKvzRWFGPkpdaHsA_bhjNFjMDQVk0df0dBFjw@mail.gmail.c
> > > om>
> > > , Rick Macklem writes:
> > > > On Sun, Aug 31, 2025 at 5:58=E2=80=AFPM Rick Macklem <rick.macklem@gmail.co=
> > > > m> wrote:
> > > > >
> > > > > On Sun, Aug 31, 2025 at 5:41=E2=80=AFPM Rick Macklem <rick.macklem@gmail.=
> > > > com> wrote:
> > > > > >
> > > > > > On Sat, Aug 30, 2025 at 9:47=E2=80=AFPM Rick Macklem <rick.macklem@gmai=
> > > > l.com> wrote:
> > > > > > >
> > > > > > > On Sat, Aug 30, 2025 at 4:22=E2=80=AFPM Rick Macklem <rick.macklem@gm=
> > > > ail.com> wrote:
> > > > > > > >
> > > > > > > > On Sat, Aug 30, 2025 at 8:56=E2=80=AFAM Rick Macklem <rick.macklem@=
> > > > gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > On Fri, Aug 29, 2025 at 1:05=E2=80=AFPM Rick Macklem <rick.mackle=
> > > > m@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > On Fri, Aug 29, 2025 at 7:43=E2=80=AFAM Rick Macklem <rick.mack=
> > > > lem@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 27, 2025 at 8:39=E2=80=AFPM Rick Macklem <rick.ma=
> > > > cklem@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Aug 27, 2025 at 7:43=E2=80=AFPM Rick Macklem <rick.=
> > > > macklem@gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Tue, Aug 26, 2025 at 9:35=E2=80=AFAM Gleb Smirnoff <gl=
> > > > ebius@freebsd.org> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff=
> > > >  wrote:
> > > > > > > > > > > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Mackl=
> > > > em wrote:
> > > > > > > > > > > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg ins=
> > > > tall heimdal", you get a
> > > > > > > > > > > > > > T> R> working Heimdal-7.8 in ports.
> > > > > > > > > > > > > > T> R>
> > > > > > > > > > > > > > T> R> Now, I have another challenge. Fixing the master =
> > > > passwords.
> > > > > > > > > > > > > > T> R> I'll work on it later to-day.
> > > > > > > > > > > > > > T>
> > > > > > > > > > > > > > T> I have applied two commits from Heimdal from 2012 th=
> > > > at add 'kadmin dump -f MIT'
> > > > > > > > > > > > > > T> feature to our base heimdal and polished them to com=
> > > > pile.  So far it doesn't
> > > > > > > > > > > > > > T> work yet, either create an empty dump or create a co=
> > > > re dump, instead of
> > > > > > > > > > > > > > T> database dump :) I'll see how difficult it is going =
> > > > to further resolve that to
> > > > > > > > > > > > > > T> a working condition. If I succeed, then having 'dump=
> > > >  -f MIT' in base without
> > > > > > > > > > > > > > T> any ports would be the best solution.  Can also be m=
> > > > erged to FreeBSD 14.4.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Good news.  In the above paragraph I was testing my cha=
> > > > nge incorrectly - threw
> > > > > > > > > > > > > > the new binary on a system running unpatched libraries.=
> > > >   When run correctly,
> > > > > > > > > > > > > > it successfully produced something that looks like a co=
> > > > rrect dump in MIT format.
> > > > > > > > > > > > > > I haven't yet tried to load it into MIT kdc yet, though=
> > > > .
> > > > > > > > Well, would you like the not so bad news or the bad news??;-)
> > > > > > > > Your patch works, in that it produces a dump that "kdb5_util load
> > > > > > > > -update" can load.
> > > > > > > > After loading, if the principal only has keys for the newer encrypt=
> > > > ion types of
> > > > > > > > aes256-cts-hmac-sha1-96
> > > > > > > > aes128-cts-hmac-sha1-96
> > > > > > > > then you can look at the principal via kadmin.local, but the passwo=
> > > > rd must
> > > > > > > > be changed before it works.
> > > > > > > > --> This is the same behaviour as you get if you use Heimdal-7.8 to=
> > > >  do the
> > > > > > > >       dump conversion.
> > > > > > > > So far, so good...
> > > > > > > >
> > > > > > > > Now, the not so good news. Once you update the Heimdal libraries
> > > > > > > > (libhdb.so and libkadm5srv.so) "kadmin -l" is broken on the system
> > > > > > > > running the old KDC. "kadmin -l dump" works, but something like:
> > > > > > > > # kadmin -l
> > > > > > > > kadmin> get rmacklem
> > > > > > > > kadmin: get rmacklem: Service key not available
> > > > > > > > - I have not yet looked in your patched sources to see where this
> > > > > > > >   failure comes from?
> > > > > > > >
> > > > > > > > Now, more not so good news...
> > > > > > > > My patch doesn't help.
> > > > > > > > It does re-encrypt the key in the master key from the MIT KDC
> > > > > > > > system, but that doesn't make the password work.
> > > > > > > > When I compared the dump generated via kadmin with both
> > > > > > > > your patch and mine, the key for aes256-cts-hmac-sha1-96
> > > > > > > > is 34bytes long.
> > > > > > > > After doing the change_password so that it works, a dump
> > > > > > > > generated by "kdb5_util dump -r13" (the same dump format)
> > > > > > > > has a key that is 62bytes long.
> > > > > > > > --> So, there is more to converting the key than just re-ecrypting
> > > > > > > >       it. (I'll try and find where the MIT code encrypts a key in a=
> > > >  master
> > > > > > > >       key to see why it ends up at 62bytes and whether that can be =
> > > > done
> > > > > > > >       in the old code.)
> > > > > > > >
> > > > > > > > So, if we are going to continue with this...
> > > > > > > > - We need to figure out why your patch breaks "kadmin" for other
> > > > > > > >   things and fix that.
> > > > > > > > - I/we need to figure out how to convert the 34byte key to the MIT
> > > > > > > >   62byte key (and then maybe the password won't need to be changed?=
> > > > ).
> > > > > > > >
> > > > > > > > Or do we just say "When you convert the KDC database, all the passw=
> > > > ords
> > > > > > > > must be changed to get them to work?".
> > > > > > > All I've got sofar is this patch...
> > > > > > > https://people.freebsd.org/~rmacklem/print.patch
> > > > > > >
> > > > > > > It tweaks entry2mit_string_int() so that it skips over the keys for
> > > > > > > old encryption types and fills in a fake "modified by" entry if none
> > > > > > > exists.
> > > > > > >
> > > > > > > These changes at least make the MIT dump such that the records
> > > > > > > don't end up "incomplete or corrupted" when you try to do something
> > > > > > > like "get_principal <principal>" in kadmin.local.
> > > > > > >
> > > > > > > As noted, your patch makes "kadmin -l" break for most things,
> > > > > > > reporting "Service key not available". The failures go away if
> > > > > > > you revert back to the non-patched libraries.
> > > > > > > I have not located the problem yet.
> > > > > > >
> > > > > > > As for the passwords...no luck yet, rick
> > > > > > Finally..it works. (First off, apologies for all the posts, just ignore
> > > > > > them.;-)
> > > > > >
> > > > > > The patch is at:
> > > > > > https://people.freebsd.org/~rmacklem/kadmin.patch
> > > > I just updated the patch with a fix for the case where the
> > > > Heimdal principal does not have any keys for string encryption.
> > > > (That is fixed now and I haven't found any other bugs, so I
> > > > think I am done playing with it. Yippee!!)
> > > >
> > > > Please test when you can find the time, rick
> Outstanding issue/question w.r.t. converting the KDC database
> from Heimdal 1.5.2->MIT.
>
> Right now, the patch I have drops the weak encryption type keys
> (des3.. and arcfour..).
> If the principal in the Heimdal KDC does not have keys for either
> of:
> aes256-cts-hmac-sha1-96
> aes128-cts-hmac-sha1-96
> the patch generates a "fake" one. As a result, a change_password
> for the principal is needed for this case.
>
> The alternative to doing this would be an option that converts
> the weak keys, but...
> - The MIT KDC will find the principal "incomplete or corrupted"
>   for at least the "out-of-the-box" configuration.
>   - It might accept them if "accept_weak_ecntypes" is set in
>     the kdc.conf.
>     This leads to a couple of questions:
>     - Does anyone know if MIT 1.22 still allows
>       "accept_weak_enctypes?
>     If it does not allow them, I don't think there is much use
>     for this option?
>
> Given the release schedule, it would be nice to get this
> resolved soon.
Since no one reported whether or not they saw the
"Service key not available" errors from the patched kadmin
for commands like "get", I poked at it and found it was caused
by some code the cherry-pick from the newer Heimdal added,
related to historical keys (which are not supported by Heimdal 1.5.2.)

Commenting out one new function the cherry-pick added along
with the two calls to it seems to have fixed the problem.

I've updated my patch at:
https://people.freebsd.org/~rmacklem/kadmin.patch
to include these changes.

So, can you guys test this and get it into main?
(You are welcome to include my patch in the commit,
That is probably faster than doing it as a separate one.)
At this point, it works for everything I have tested and, yes,
the passwords do work after the dump is loaded into the
MIT KDC!

rick
ps: I cannot test it more than I have already done until it
      is in a snapshot that I can install for further testing.

> Also, someone needs to document this.
> The Handbook section does a nice job of explaining
> the setup of a Heimdal KDC, but has nothing w.r.t.
> setting up an MIT KDC nor converting the KDC database
> over to it.
>
> rick
>
> > >
> > > I think the problem is with OpenSSL 3.5. With the legacy provider loaded in
> > > OpenSSL 3.5 I get,
> > >
> > > test3# openssl list -providers
> > > Providers:
> > >   default
> > >     name: OpenSSL Default Provider
> > >     version: 3.5.1
> > >     status: active
> > > test3#
> > >
> > > Whereas in 3.0 I get,
> > >
> > > bob# openssl list -providers
> > > Providers:
> > >   default
> > >     name: OpenSSL Default Provider
> > >     version: 3.0.16
> > >     status: active
> > >   legacy
> > >     name: OpenSSL Legacy Provider
> > >     version: 3.0.16
> > >     status: active
> > > bob#
> > >
> > > Some symbol must be missing.
> > Ok, I seem to have missed something here?
> > Just in case it wasn't clear, I was referring to testing of the
> > kadmin patches for the old Heimdal, so that the KDC database
> > can be moved to an MIT KDC and still work.
> >
> > rick
> >
> > >
> > >
> > > --
> > > Cheers,
> > > Cy Schubert <Cy.Schubert@cschubert.com>
> > > FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
> > > NTP:           <cy@nwtime.org>    Web:  https://nwtime.org
> > >
> > >                         e**(i*pi)+1=0
> > >
> > >