Date: Sun, 15 Jun 2025 22:01:56 -0700
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Minsoo Choo <minsoochoo0122@proton.me>
Cc: Cy Schubert <Cy.Schubert@cschubert.com>, freebsd-current@freebsd.org, emaste@freebsd.org, jrm@freebsd.org
Subject: Re: MIT KRB5 in 15-CURRENT
Message-ID: <20250616050156.82F661A3@slippy.cwsent.com>
In-Reply-To: <B9dYbVelBxymjeSLSXKQit3RdzeG3R8OLdfQ9co9Nts-ZFwv55O5YTUpAkZgrpyOOYkAX4ro5IaZH6Y4W_mrBW3v3oiGvEVjFVuEZWD7jUE=@proton.me>
References: <20250616034233.ED587134@slippy.cwsent.com> <B9dYbVelBxymjeSLSXKQit3RdzeG3R8OLdfQ9co9Nts-ZFwv55O5YTUpAkZgrpyOOYkAX4ro5IaZH6Y4W_mrBW3v3oiGvEVjFVuEZWD7jUE=@proton.me>

In message <B9dYbVelBxymjeSLSXKQit3RdzeG3R8OLdfQ9co9Nts-ZFwv55O5YTUpAkZgrpyOOYkAX4ro5IaZH6Y4W_mrBW3v3oiGvEVjFVuEZWD7jUE=@proton.me>, Minsoo Choo writes:
> On Sunday, June 15th, 2025 at 11:43 PM, Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> > Hi freebsd-current@,
> >
> > MIT KRB5 has been imported. It is disabled by default. To build and install
> > MIT KRB5 in 15-CURRENT,
> >
> > 1. Add WITH_MITKRB5=yes in src.conf.
> >
> > 2. Do a buildworld and buildkernel.
> >
> > 3. Then installworld, run etcupdate to update files in /etc.
> >
> > 4. make delete-old and delete-old-libs. This is important. Skip this step
> > and your resulting install will contain both MIT and Heimdal Kerberos.
> > This will not work.
> >
> > Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC on
> > FreeBSD. There is a procedure to convert the Heimdal HDB to an MIT KRB5
> > KDB. I am still working on documenting the procedure. The process is not
> > straightforward as our Heimdal 1.5.2 is very old and does not support the
> > feature found in later versions of Heimdal needed to migrate the HDB to
> > KDB. In a nutshell: one must export the HDB, import it into the latest
> > version of Heimdal (using ports/security/heimdal), then export an MIT KRB5
> > export, and finally import it into a new MIT KRB5 KDB.
> >
> > If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will
> > simplify integration into a Microsoft network. You will still need to use
> > winbind from samba or sssd, as Active Directory uses MIT KRB5 and LDAP for
> > authentication.
> >
> > A ports exp-run will be needed to list any ports that may fail to build
> > with MIT KRB5 in base. If any are found they will be fixed before we switch
> > the default from Heimdal 1.5.2 to MIT KRB5 1.21.3.
> >
> > A decision to remove Heimdal from the source tree will come sometime after
> > the default has been switched from Heimdal to MIT KRB5.
> >
> > I also expect some ports plumbing changes, especially in Mk/Uses/gssapi.mk
> > in order to support MIT KRB5 in base. Any required changes should be
> > identified with an exp-run.
> >
> >
> > --
> > Cheers,
> > Cy Schubert Cy.Schubert@cschubert.com
> >
> > FreeBSD UNIX: cy@FreeBSD.org Web: https://FreeBSD.org
> >
> > NTP: cy@nwtime.org Web: https://nwtime.org
> >
> >
> > e**(i*pi)+1=0
> >
> >
>
> Thank you for your great work. I will close D43625 and D43624 as the
> adoption of MIT krb5 makes them obsolete.
>
> I have a few questions regarding MIT krb5 replacing heimdal:
> 1. In which FreeBSD version will MIT krb5 be default?

15-RELEASE.

> 2. In which FreeBSD version will heimdal be removed?

Hopefully 15-RELEASE though 16-RELEASE could be likely.

>
> Regards,
> Minsoo

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e**(i*pi)+1=0
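
Step 4 of the quoted procedure warns that skipping delete-old and delete-old-libs leaves both Heimdal and MIT Kerberos installed. The script below is an added example, not part of the original message or of FreeBSD's tooling, that reports whether a root directory holds libraries from both. The marker library names and the helper names has_any, krb5_flavor and check_mixed are assumptions to verify against your own tree.

```shell
#!/bin/sh
# Added example: detect a base system that still carries Heimdal libraries
# next to MIT KRB5 ones, i.e. the result of skipping step 4.
# ASSUMPTION: these are Heimdal-only and MIT-only library name prefixes;
# check them against the files your own build installs before relying on this.
HEIMDAL_MARKERS="libhdb libheimbase libroken libhx509"
MIT_MARKERS="libkrb5support libk5crypto"

# has_any ROOT NAME...: succeed if any ROOT/usr/lib/NAME.so* exists.
has_any() {
    root=$1; shift
    for name in "$@"; do
        for f in "$root"/usr/lib/"$name".so*; do
            # An unmatched glob stays literal, so test for existence.
            if [ -e "$f" ]; then return 0; fi
        done
    done
    return 1
}

# krb5_flavor ROOT: print one of: none, heimdal, mit, mixed.
krb5_flavor() {
    h=no; m=no
    # Marker lists are intentionally unquoted so they split into words.
    if has_any "$1" $HEIMDAL_MARKERS; then h=yes; fi
    if has_any "$1" $MIT_MARKERS; then m=yes; fi
    case "$h$m" in
        yesyes) echo mixed ;;
        yesno)  echo heimdal ;;
        noyes)  echo mit ;;
        *)      echo none ;;
    esac
}

# check_mixed ROOT: report the flavor; fail (status 1) on a mixed install.
check_mixed() {
    flavor=$(krb5_flavor "$1")
    echo "Kerberos libraries under $1: $flavor"
    [ "$flavor" != mixed ]
}

# Run against a root (e.g. / or a DESTDIR) when one is given as argument.
if [ $# -gt 0 ]; then check_mixed "$1"; fi
```

A "mixed" result means step 4 still needs to be run against that root.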
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20250616050156.82F661A3>
