Re: RFC: Heimdal FreeBSD KDC users
- Reply: Rick Macklem : "Re: RFC: Heimdal FreeBSD KDC users"
- In reply to: Rick Macklem : "Re: RFC: Heimdal FreeBSD KDC users"
Date: Sun, 05 Oct 2025 21:47:49 UTC
Thanks for the hints. If I fail - I will contact you for help. Maybe together we will be able to figure it out.

IMHO such a setup should even be in the FreeBSD Handbook - FreeIPA is probably the only open and free Microsoft AD solution out there. I would of course add 'Samba 4' in AD mode and OpenLDAP integration.

> Although it's a little dated, there might be some useful stuff here.
> https://people.freebsd.org/~rmacklem/nfs-krb5-setup.txt

I believe I also tried hints from your guide ... but I have tried way too many different guides ... and all failed. Maybe I have made some 'typo' - maybe it's one of the FreeIPA settings - maybe DNS - maybe me ...

This NFSv4 <-> IDM topic will not leave me be - so I will share how it went next time I will be doing it ... along with results.

Thanks,
vermaden

Subject: Re: RFC: Heimdal FreeBSD KDC users
Date: 2025-10-05 23:33
From: "Rick Macklem" <rick.macklem@gmail.com>
To: "vermaden" <vermaden@interia.pl>;
CC: "FreeBSD-STABLE Mailing List" <freebsd-stable@freebsd.org>; "Gleb Smirnoff" <glebius@freebsd.org>; "Cy Schubert" <cy@freebsd.org>;

> On Sun, Oct 5, 2025 at 2:05 PM vermaden wrote:
>>
>> Hi,
>>
>> I am in an opposite camp.
>>
>> I tried to make NFSv4 server on FreeBSD to auth users against Red
>> Hat IDM (or FreeIPA) but failed to do so over multiple tries.
> Well, I am involved in testing events (one starting tomorrow) where the
> infrastructure is done by Redhat and the Kerberos stuff works (and did
> work with the Heimdal stuff as well).
>
> I don't know, but I suspect your problems are related to the way they
> do ldap or dns and that won't change w.r.t. the MIT transition.
>
> Yes, getting Kerberos working can be tricky. Just yesterday I
> struggled until I found that the client machine's reverse DNS
> got the wrong answer.
>
> A few useful tricks to help diagnose it:
> - Run the gssd with -v and then look at what is in /var/log/daemon.log.
> (If you get an error with a large negative number, you can find those
> in /usr/include/krb5_err.h. This file goes away for MIT, so you might
> want to keep a copy around.)
> - Look in the KDC's log if you have access to it.
> - Capture packets and look at them in wireshark. It can decode all
> the unencrypted stuff and that can give you a hint.
> - Try hard to always use fqdn names (put the fqdn first in the line
> in /etc/hosts if you use one of those).
>
> Good luck with it, but I doubt the transition to MIT will help? rick
>
>>
>> After I heard that Heimdal will be exchanged for MIT I was more than happy.
>>
>> I currently wait till all that Heimdal -> MIT Kerberos change finishes - so I can try again.
>>
>> Hope that helps.
>>
>> Regards,
>> vermaden
>>
>>
>>
>> Subject: RFC: Heimdal FreeBSD KDC users
>> Date: 2025-10-05 22:58
>> From: "Rick Macklem"
>> To: "FreeBSD-STABLE Mailing List" ; "Gleb Smirnoff" ; "Cy Schubert" ;
>>
>> > Hi,
>> >
>> > I am posting to try and find out how many users
>> > are currently using the old Heimdal 1.5 KDC in
>> > FreeBSD 14.n and are interested in using the
>> > same KDC database in FreeBSD 15.
>> >
>> > I am asking because I just made a commit to
>> > main (which will soon be in stable/15) which
>> > adds support to the Heimdal code for doing
>> > a database dump in an MIT compatible format.
>> > --> The problem is that it will require a
>> > make buildworld, make installworld from
>> > sources with WITHOUT_MITKRB5="yes"
>> > set in /etc/src.conf, followed by an (re)upgrade
>> > with the default MIT Kerberos setting.
>> > (ie. no WITHOUT_MITKRB5="yes")
>> >
>> > Because the patch is rather large (commit 5000d023a446
>> > in main) and a lot of it was a couple of cherry-picks
>> > from Heimdal 7.8, I cannot easily audit it for any
>> > security vulnerability it might have introduced.
>> > As such, I am not comfortable MFC'ng it to stable/14,
>> > although that would make the conversion path easier.
>> >
>> > So, who out there needs this Heimdal->MIT KDC
>> > database conversion?
>> >
>> > Thanks for any info, rick
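The diagnostic hints in Rick's reply quoted above (use FQDNs everywhere, put the FQDN first on its /etc/hosts line, make sure reverse DNS agrees with forward DNS, and decode gssd's large negative error numbers against a saved copy of krb5_err.h) can be turned into a pre-flight script for a host that is about to serve or mount Kerberized NFSv4. The following is an added example, not code from this thread, from FreeBSD or from Heimdal. The krb5_err.h excerpt is a constructed sample in the com_err `#define NAME (-N L)` shape rather than a copy of the real header, and the host names and addresses used in it are made up; the resolver functions are injectable so the checks can be exercised without a network.

```python
"""Pre-flight checks for a Kerberized NFSv4 host, following the diagnostic
hints from the mailing-list thread. Added example; not FreeBSD or Heimdal code.
"""
import re
import socket
import sys


def check_hosts_order(hosts_text, fqdn):
    """Return a problem string for every /etc/hosts line that names fqdn but
    lists a short alias before it. The first name on a line is the canonical
    name the resolver hands back, so a short name there is what Kerberos ends
    up building host-based principals from."""
    problems = []
    want = fqdn.lower()
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        names = [n.lower() for n in line.split()[1:]]  # field 0 is the address
        if want in names and names[0] != want:
            problems.append(f"/etc/hosts line {lineno}: '{names[0]}' precedes '{fqdn}'")
    return problems


def check_dns_roundtrip(fqdn, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Forward-resolve fqdn, then reverse-resolve every address it yields and
    require the PTR to come back as the same FQDN. When reverse-DNS
    canonicalisation is enabled (the traditional krb5 default) the library
    derives the service principal, e.g. nfs/<name>, from that PTR answer, so a
    stale PTR yields a principal the KDC has never heard of."""
    problems = []
    if "." not in fqdn:
        problems.append(f"'{fqdn}' is not fully qualified")
        return problems
    try:
        canon, _aliases, addrs = forward(fqdn)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if canon.lower() != fqdn.lower():
        problems.append(f"forward lookup canonicalizes {fqdn} to {canon}")
    for addr in addrs:
        try:
            ptr_name, _, _ = reverse(addr)
        except OSError as exc:
            problems.append(f"no PTR record for {addr}: {exc}")
            continue
        if ptr_name.lower() != fqdn.lower():
            problems.append(f"PTR for {addr} is {ptr_name}, not {fqdn}")
    return problems


# Constructed excerpt in the shape of a com_err generated krb5_err.h (assumed
# format, not a copy of the real file). The numbers are the usual krb5 error
# table encoding: base -1765328384 plus the RFC 4120 error code.
SAMPLE_KRB5_ERR_H = """
#define ERROR_TABLE_BASE_krb5 (-1765328384L)
#define KRB5KDC_ERR_NONE (-1765328384L)
#define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L)
#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)
#define KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353L)
#define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L)
"""

_ERR_LINE = re.compile(r"^\s*#define\s+(\w+)\s+\(\s*(-?\d+)L?\s*\)", re.M)


def decode_krb5_error(code, header_text):
    """Map a numeric error from gssd -v output to its symbolic name using the
    text of a saved krb5_err.h. Returns None when the number is not listed."""
    table = {}
    for name, num in _ERR_LINE.findall(header_text):
        if not name.startswith("ERROR_TABLE_BASE"):   # the base alias is not an error
            table[int(num)] = name
    return table.get(code)


def main(argv):
    """Run the checks against the local host (or the FQDN given as argv[1])."""
    fqdn = argv[1] if len(argv) > 1 else socket.getfqdn()
    problems = []
    try:
        with open("/etc/hosts") as fh:
            problems += check_hosts_order(fh.read(), fqdn)
    except OSError:
        pass                                          # no /etc/hosts is not itself an error
    problems += check_dns_roundtrip(fqdn)
    for p in problems:
        print("WARN:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on both the NFS server and the client, since Rick's failure was the client's reverse DNS, not the server's. Once the checks pass, the remaining hints (gssd -v with /var/log/daemon.log, the KDC log, and a packet capture) tell you which principal each side actually asked for; `decode_krb5_error` is for turning the raw number gssd logs into a symbol after the Heimdal header is gone from the system.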