From: Cy Schubert
To: Minsoo Choo
Cc: Cy Schubert, freebsd-current@freebsd.org, emaste@freebsd.org, jrm@freebsd.org
Subject: Re: MIT KRB5 in 15-CURRENT
Date: Sun, 15 Jun 2025 22:01:56 -0700
Message-Id: <20250616050156.82F661A3@slippy.cwsent.com>
References: <20250616034233.ED587134@slippy.cwsent.com>
Comments: In-reply-to Minsoo Choo message dated "Mon, 16 Jun 2025 04:28:49 -0000."
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

In message , Minsoo Choo writes:
> On Sunday, June 15th, 2025 at 11:43 PM, Cy Schubert wrote:
>
> > Hi freebsd-current@,
> >
> > MIT KRB5 has been imported. It is disabled by default. To build and
> > install MIT KRB5 in 15-CURRENT,
> >
> > 1. Add WITH_MITKRB5=yes in src.conf.
> >
> > 2. Do a buildworld and buildkernel.
> >
> > 3. Then installworld, run etcupdate to update files in /etc.
> >
> > 4. make delete-old and delete-old-libs. This is important. Skip this
> > step and your resulting install will contain both MIT and Heimdal
> > Kerberos. This will not work.
> >
> > Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC
> > on FreeBSD. There is a procedure to convert the Heimdal HDB to an MIT
> > KRB5 KDB. I am still working on documenting the procedure. The process
> > is not straightforward as our Heimdal 1.5.2 is very old and does not
> > support the feature found in later versions of Heimdal needed to
> > migrate the HDB to KDB. In a nutshell: one must export the HDB, import
> > it into the latest version of Heimdal (using ports/security/heimdal),
> > then export an MIT KRB5 export, and finally import it into a new MIT
> > KRB5 KDB.
> >
> > If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will
> > simplify integration into a Microsoft network. You will still need to
> > use winbind from samba or sssd, as Active Directory uses MIT KRB5 and
> > LDAP for authentication.
> >
> > A ports exp-run will be needed to list any ports that may fail to build
> > with MIT KRB5 in base. If any are found they will be fixed before we
> > switch the default from Heimdal 1.5.2 to MIT KRB5 1.21.3.
> >
> > A decision to remove Heimdal from the source tree will come sometime
> > after the default has been switched from Heimdal to MIT KRB5.
> >
> > I also expect some ports plumbing changes, especially in
> > Mk/Uses/gssapi.mk in order to support MIT KRB5 in base. Any required
> > changes should be identified with an exp-run.
> >
> > --
> > Cheers,
> > Cy Schubert Cy.Schubert@cschubert.com
> > FreeBSD UNIX: cy@FreeBSD.org Web: https://FreeBSD.org
> > NTP: cy@nwtime.org Web: https://nwtime.org
> >
> > e**(i*pi)+1=0
>
> Thank you for your great work. I will close D43625 and D43624 as the
> adoption of MIT krb5 makes them obsolete.
>
> I have a few questions regarding MIT krb5 replacing heimdal:
> 1. In which FreeBSD version will MIT krb5 be default?

15-RELEASE.

> 2. In which FreeBSD version will heimdal be removed?

Hopefully 15-RELEASE though 16-RELEASE could be likely.

>
> Regards,
> Minsoo

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e**(i*pi)+1=0