Re: RFC: Heimdal FreeBSD KDC users
Date: Sun, 05 Oct 2025 21:33:30 UTC
On Sun, Oct 5, 2025 at 2:05 PM vermaden <vermaden@interia.pl> wrote:
>
> Hi,
>
> I am in an opposite camp.
>
> I tried to make NFSv4 server on FreeBSD to auth users against Red Hat IDM (or FreeIPA) but failed to do so over multiple tries.

Well, I am involved in testing events (one starting tomorrow) where the
infrastructure is done by Red Hat and the Kerberos stuff works (and did
work with the Heimdal stuff as well).

I don't know, but I suspect your problems are related to the way they do
LDAP or DNS and that won't change w.r.t. the MIT transition.

Yes, getting Kerberos working can be tricky. Just yesterday I struggled
until I found that the client machine's reverse DNS got the wrong answer.

A few useful tricks to help diagnose it:
- Run the gssd with -v and then look at what is in /var/log/daemon.log.
  (If you get an error with a large negative number, you can find those in
  /usr/include/krb5_err.h. This file goes away for MIT, so you might want
  to keep a copy around.)
- Look in the KDC's log if you have access to it.
- Capture packets and look at them in Wireshark. It can decode all the
  unencrypted stuff and that can give you a hint.
- Try hard to always use fqdn names (put the fqdn first in the line in
  /etc/hosts if you use one of those).

Good luck with it, but I doubt the transition to MIT will help?

rick

>
> After I heard that Heimdal will be exchanged into MIT I was more than happy.
>
> I currently wait till all that Heimdal -> MIT Kerberos change finishes - so I can try again.
>
> Hope that helps.
>
> Regards,
> vermaden
>
>
>
> Subject: RFC: Heimdal FreeBSD KDC users
> Date: 2025-10-05 22:58
> From: "Rick Macklem" <rick.macklem@gmail.com>
> To: "FreeBSD-STABLE Mailing List" <freebsd-stable@freebsd.org>; "Gleb Smirnoff" <glebius@freebsd.org>; "Cy Schubert" <cy@freebsd.org>;
>
> > Hi,
> >
> > I am posting to try and find out how many users
> > are currently using the old Heimdal 1.5 KDC in
> > FreeBSD 14.n and are interested in using the
> > same KDC database in FreeBSD 15.
> >
> > I am asking because I just made a commit to
> > main (which will soon be in stable/15) which
> > adds support to the Heimdal code for doing
> > a database dump in an MIT compatible format.
> > --> The problem is that it will require a
> > make buildworld, make installworld from
> > sources with WITHOUT_MITKRB5="yes"
> > set in /etc/src.conf, followed by an (re)upgrade
> > with the default MIT Kerberos setting.
> > (ie. no WITHOUT_MITKRB5="yes")
> >
> > Because the patch is rather large (commit 5000d023a446
> > in main) and a lot of it was a couple of cherry-picks
> > from Heimdal 7.8, I cannot easily audit it for any
> > security vulnerability it might have introduced.
> > As such, I am not comfortable MFC'ng it to stable/14,
> > although that would make the conversion path easier.
> >
> > So, who out there needs this Heimdal->MIT KDC
> > database conversion?
> >
> > Thanks for any info, rick
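
The two name-resolution checks mentioned in the reply above (fqdn first on each /etc/hosts line, and reverse DNS agreeing with the forward name) can be scripted. This is an added Python example, not part of the original message; the function names are hypothetical and the hosts file, host names and addresses are constructed sample data.

```python
import socket

# Constructed sample data (not from the original message).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
192.0.2.10   nfsclient nfsclient.example.test   # short name first
192.0.2.20   kdc.example.test kdc
"""
SAMPLE_FWD = {"nfsclient.example.test": ["192.0.2.10"]}
SAMPLE_REV = {"192.0.2.10": "oldhost.example.test"}


def hosts_fqdn_problems(hosts_text):
    """Return (line_no, first_name) for hosts entries whose first name is not an fqdn."""
    problems = []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) < 2:
            continue                                # blank or malformed line
        addr, names = fields[0], fields[1:]
        if addr.startswith("127.") or addr == "::1":
            continue                                # loopback entries are exempt
        if "." not in names[0]:
            problems.append((n, names[0]))
    return problems


def check_fwd_rev(fqdn, forward=None, reverse=None):
    """Resolve fqdn forward, then each address in reverse; return mismatches.

    forward/reverse default to the system resolver; pass callables to test offline.
    """
    forward = forward or (lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)}))
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    want = fqdn.rstrip(".").lower()
    mismatches = []
    for addr in forward(fqdn):
        try:
            name = reverse(addr)
        except OSError:                             # no PTR record or lookup failure
            name = None
        if name is None or name.rstrip(".").lower() != want:
            mismatches.append((addr, name))
    return mismatches


if __name__ == "__main__":
    print(hosts_fqdn_problems(SAMPLE_HOSTS))
    print(check_fwd_rev("nfsclient.example.test",
                        SAMPLE_FWD.__getitem__, SAMPLE_REV.__getitem__))
```

On a real client, pass the contents of /etc/hosts to `hosts_fqdn_problems` and call `check_fwd_rev` with only the host's fqdn so the system resolver is used.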