Re: RFC: Heimdal FreeBSD KDC users

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Mon, 06 Oct 2025 12:57:16 UTC
On Mon, Oct 6, 2025 at 1:27 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> In message <aOMTpQ43qBRdRyHz@amaryllis.le-fay.org>, Lexi Winter writes:
> >
> > Rick Macklem wrote in <CAM5tNy4BPvMd2Uv_w_qd8oU0sZJ8AwfwWemrE78+tuRgX9Dy7g@mail.gmail.com>:
> > > --> The problem is that it will require a
> > >       make buildworld, make installworld from
> > >       sources with WITHOUT_MITKRB5="yes"
> > >       set in /etc/src.conf, followed by an (re)upgrade
> > >       with the default MIT Kerberos setting.
> > >       (ie. no WITHOUT_MITKRB5="yes")
> >
> > Would it make sense to provide this version of kadmin (+ whatever
> > else is required) as a self-contained port, so people could more
> > easily install it for a one-off migration? That might also make
> > it less risky to provide on 14.x, if that's useful.
glebius@ is going to discuss MFC'ng this to stable/14 with secteam@.

> >
>
> kadmin from Heimdal 1.5.2 cannot be ported without porting all or much of
> Heimdal 1.5.2. It uses many functions in the various Heimdal libraries. A
> Heimdal 1.5.2 port might be difficult to maintain as it's sensitive to the
> OpenSSL in base.
>
> We already have a Heimdal 7.8.0 port that includes a kadmin that does
> support export to MIT. But, it has the same issues with ancient crypto that
> recent versions of MIT do.
The dump created by Heimdal 7.8 has the problems I fixed
with the patch here:
https://people.freebsd.org/~rmacklem/kadmin.patch

Basically, without the above patch, the principals end up
in the MIT database, but they won't work until a "change_password"
is done on them.

I could try to apply the patch to Heimdal 7.8, but I don't know
how well it will work.
The more serious concern is "Will Heimdal 7.8 handle the old
Heimdal 1.5.2 database?".

This would require some testing/debugging. I don't know if/when
I might get around to it.

What I haven't yet seen is a single person putting up their
hand to say "I need this", so I wonder how much effort is
justified w.r.t. dealing with it.

rick

>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
> NTP:           <cy@nwtime.org>    Web:  https://nwtime.org
>
>                         e**(i*pi)+1=0