From: Cy Schubert
To: freebsd-current@freebsd.org
cc: emaste@freebsd.org, jrm@freebsd.org
Subject: MIT KRB5 in 15-CURRENT
Date: Sun, 15 Jun 2025 20:42:33 -0700

Hi freebsd-current@,

MIT KRB5 has been imported. It is disabled by default. To build and install MIT KRB5 in 15-CURRENT,

1. Add WITH_MITKRB5=yes in src.conf.
2. Do a buildworld and buildkernel.
3. Then installworld, run etcupdate to update files in /etc.
4. make delete-old and delete-old-libs. This is important. Skip this step and your resulting install will contain both MIT and Heimdal Kerberos. This will not work.

Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC on FreeBSD. There is a procedure to convert the Heimdal HDB to an MIT KRB5 KDB. I am still working on documenting the procedure. The process is not straightforward as our Heimdal 1.5.2 is very old and does not support the feature found in later versions of Heimdal needed to migrate the HDB to KDB. In a nutshell: one must export the HDB, import it into the latest version of Heimdal (using ports/security/heimdal), then export an MIT KRB5 export, and finally import it into a new MIT KRB5 KDB.

If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will simplify integration into a Microsoft network. You will still need to use winbind from samba or sssd, as Active Directory uses MIT KRB5 and LDAP for authentication.

A ports exp-run will be needed to list any ports that may fail to build with MIT KRB5 in base. If any are found they will be fixed before we switch the default from Heimdal 1.5.2 to MIT KRB5 1.21.3.

A decision to remove Heimdal from the source tree will come sometime after the default has been switched from Heimdal to MIT KRB5.

I also expect some ports plumbing changes, especially in Mk/Uses/gssapi.mk in order to support MIT KRB5 in base. Any required changes should be identified with an exp-run.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0
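
The following check for the mixed Heimdal/MIT state that step 4 is meant to prevent is an added example, not part of the original message or of FreeBSD's tooling. It assumes the upstream Heimdal-only and MIT-only library base names listed in the script are what a base install places under `/lib` or `/usr/lib`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a Kerberos install that contains both Heimdal and
# MIT libraries, which happens when "make delete-old delete-old-libs" is
# skipped after installworld with WITH_MITKRB5=yes.
# Assumption: these are upstream library base names; the exact set that
# FreeBSD base installs may differ.
HEIMDAL_ONLY="libhdb libheimntlm libhx509 libroken libwind"
MIT_ONLY="libk5crypto libkrb5support"

# found_libs ROOT NAME...: print each NAME that has a shared object
# under ROOT/lib or ROOT/usr/lib.
found_libs() {
    root=$1; shift
    for name in "$@"; do
        for dir in "$root/lib" "$root/usr/lib"; do
            # An unmatched glob stays literal, so ls fails when nothing exists.
            if ls "$dir/$name".so* >/dev/null 2>&1; then
                printf '%s ' "$name"
                break
            fi
        done
    done
}

# mitkrb5_enabled SRCCONF: succeed if the step 1 knob is set (not commented out).
mitkrb5_enabled() {
    grep -Eq '^[[:space:]]*WITH_MITKRB5[[:space:]]*=' "$1" 2>/dev/null
}

# krb5_state ROOT: print one of heimdal, mit, mixed, none.
krb5_state() {
    h=$(found_libs "$1" $HEIMDAL_ONLY)
    m=$(found_libs "$1" $MIT_ONLY)
    if [ -n "$h" ] && [ -n "$m" ]; then
        echo mixed
    elif [ -n "$m" ]; then
        echo mit
    elif [ -n "$h" ]; then
        echo heimdal
    else
        echo none
    fi
}

# When given a root directory argument, report its state.
if [ $# -gt 0 ]; then krb5_state "$1"; fi
```

Run against `/` (or a `DESTDIR`), `mixed` is the expected result between steps 3 and 4; after step 4 it should read `mit`.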