Date:      Tue, 02 Sep 2025 21:37:14 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        Rick Macklem <rick.macklem@gmail.com>
Cc:        Gleb Smirnoff <glebius@freebsd.org>, Cy Schubert <Cy.Schubert@cschubert.com>, freebsd-current@freebsd.org
Subject:   Re: heimdal -> MIT kdc migration
Message-ID:  <20250903043714.370F5311@slippy.cwsent.com>
In-Reply-To: <CAM5tNy7aNgOyzaKvzRWFGPkpdaHsA_bhjNFjMDQVk0df0dBFjw@mail.gmail.com>
References:  <aKwYB4d6l4ze-yXA@cell.glebi.us> <aKxcwqKqW3ZpA3Po@cell.glebi.us> <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <CAM5tNy5sNv8z0zW2ZFt%2B9=ytUpjGVudsYbcSC2mQSudi3iWSfQ@mail.gmail.com> <CAM5tNy73KwR-DBqc28bqRPKqW7UqXN7RXYB=p-Za5Lsoy9jFcw@mail.gmail.com> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net> <CAM5tNy42Xvj8M%2Bq4qDO35T31wWLO-2pC9H0_V0rVM2uZmSL2RA@mail.gmail.com> <CAM5tNy5m8tEaivQdC4G-=VNpf3ng6JcdpeJKvxA8oM==OdbMUw@mail.gmail.com> <aK3TQbWXkr_r24sW@cell.glebi.us> <aK3iW189fZ2_xSyB@cell.glebi.us> <CAM5tNy6t-gT54u4ox5OyYEWC9wq5COcyuUjT%2B0gG6bGhME2WNw@mail.gmail.com> <CAM5tNy4C1sFkqfDnO%2BA1Chkm86qxO--Rt%2BthbnFrBkWu_P7iDg@mail.gmail.com> <CAM5tNy4OAXmc12F_=6o%2Bse16ShE8jLX4np1X2T5rgeFxJTFFXA@mail.gmail.com> <CAM5tNy4fgqxYzT_aa9Ej0A1tsnuyHqQYuYRmeHF3ReSb%2BWsJ2A@mail.gmail.com> <CAM5tNy6ASuHS8O2ZKApcSQ61%2BBpnCQBKQitdYwtqEc9aBVDR7Q@mail.gmail.com> <CAM5tNy4C-nf_uLC9XO7Q3=dbFmC97NT%2BSAgVnjq6a63teXaMQw@mail.gmail.com> <CAM5tNy6ozGNiGqFREdepDxGVa3fsxRh%2BYhTpcRxVZkcqY2FJTQ@mail.gmail. com> <CAM5tNy4Aw7n-6dgNxUzi71=L9ewpxVL0z=jh3ntuZcXJo9Z2MQ@mail.gmail.com> <CAM5tNy5VKvx9rk-3DsWmdrH8C6f4uxQ8w8oyi71Zuwf-q6b_Yw@mail.gmail.com> <CAM5tNy7aNgOyzaKvzRWFGPkpdaHsA_bhjNFjMDQVk0df0dBFjw@mail.gmail.com>


In message <CAM5tNy7aNgOyzaKvzRWFGPkpdaHsA_bhjNFjMDQVk0df0dBFjw@mail.gmail.com>, Rick Macklem writes:
> On Sun, Aug 31, 2025 at 5:58 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> >
> > On Sun, Aug 31, 2025 at 5:41 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > >
> > > On Sat, Aug 30, 2025 at 9:47 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > >
> > > > On Sat, Aug 30, 2025 at 4:22 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > >
> > > > > On Sat, Aug 30, 2025 at 8:56 AM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > >
> > > > > > On Fri, Aug 29, 2025 at 1:05 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > >
> > > > > > > On Fri, Aug 29, 2025 at 7:43 AM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > >
> > > > > > > > On Wed, Aug 27, 2025 at 8:39 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem <rick.macklem@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > > > > > > > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > > > > > > > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > > > > > > > > > > T> R> working Heimdal-7.8 in ports.
> > > > > > > > > > > T> R>
> > > > > > > > > > > T> R> Now, I have another challenge. Fixing the master passwords.
> > > > > > > > > > > T> R> I'll work on it later to-day.
> > > > > > > > > > > T>
> > > > > > > > > > > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > > > > > > > > > > T> feature to our base heimdal and polished them to compile.  So far it doesn't
> > > > > > > > > > > T> work yet, either create an empty dump or create a core dump, instead of
> > > > > > > > > > > T> database dump :) I'll see how difficult it is going to further resolve that to
> > > > > > > > > > > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > > > > > > > > > > T> any ports would be the best solution.  Can also be merged to FreeBSD 14.4.
> > > > > > > > > > >
> > > > > > > > > > > Good news.  In the above paragraph I was testing my change incorrectly - threw
> > > > > > > > > > > the new binary on a system running unpatched libraries.  When run correctly,
> > > > > > > > > > > it successfully produced something that looks like a correct dump in MIT format.
> > > > > > > > > > > I haven't yet tried to load it into MIT kdc yet, though.
> > > > > Well, would you like the not so bad news or the bad news??;-)
> > > > > Your patch works, in that it produces a dump that "kdb5_util load
> > > > > -update" can load.
> > > > > After loading, if the principal only has keys for the newer encryption types of
> > > > > aes256-cts-hmac-sha1-96
> > > > > aes128-cts-hmac-sha1-96
> > > > > then you can look at the principal via kadmin.local, but the password must
> > > > > be changed before it works.
> > > > > --> This is the same behaviour as you get if you use Heimdal-7.8 to do the
> > > > >       dump conversion.
> > > > > So far, so good...
> > > > >
> > > > > Now, the not so good news. Once you update the Heimdal libraries
> > > > > (libhdb.so and libkadm5srv.so) "kadmin -l" is broken on the system
> > > > > running the old KDC. "kadmin -l dump" works, but something like:
> > > > > # kadmin -l
> > > > > kadmin> get rmacklem
> > > > > kadmin: get rmacklem: Service key not available
> > > > > - I have not yet looked in your patched sources to see where this
> > > > >   failure comes from?
> > > > >
> > > > > Now, more not so good news...
> > > > > My patch doesn't help.
> > > > > It does re-encrypt the key in the master key from the MIT KDC
> > > > > system, but that doesn't make the password work.
> > > > > When I compared the dump generated via kadmin with both
> > > > > your patch and mine, the key for aes256-cts-hmac-sha1-96
> > > > > is 34 bytes long.
> > > > > After doing the change_password so that it works, a dump
> > > > > generated by "kdb5_util dump -r13" (the same dump format)
> > > > > has a key that is 62 bytes long.
> > > > > --> So, there is more to converting the key than just re-encrypting
> > > > >       it. (I'll try and find where the MIT code encrypts a key in a master
> > > > >       key to see why it ends up at 62 bytes and whether that can be done
> > > > >       in the old code.)
> > > > >
> > > > > So, if we are going to continue with this...
> > > > > - We need to figure out why your patch breaks "kadmin" for other
> > > > >   things and fix that.
> > > > > - I/we need to figure out how to convert the 34-byte key to the MIT
> > > > >   62-byte key (and then maybe the password won't need to be changed?).
> > > > >
> > > > > Or do we just say "When you convert the KDC database, all the passwords
> > > > > must be changed to get them to work?".
> > > > All I've got so far is this patch...
> > > > https://people.freebsd.org/~rmacklem/print.patch
> > > >
> > > > It tweaks entry2mit_string_int() so that it skips over the keys for
> > > > old encryption types and fills in a fake "modified by" entry if none
> > > > exists.
> > > >
> > > > These changes at least make the MIT dump such that the records
> > > > don't end up "incomplete or corrupted" when you try to do something
> > > > like "get_principal <principal>" in kadmin.local.
> > > >
> > > > As noted, your patch makes "kadmin -l" break for most things,
> > > > reporting "Service key not available". The failures go away if
> > > > you revert back to the non-patched libraries.
> > > > I have not located the problem yet.
> > > >
> > > > As for the passwords...no luck yet, rick
> > > Finally..it works. (First off, apologies for all the posts, just ignore
> > > them.;-)
> > >
> > > The patch is at:
> > > https://people.freebsd.org/~rmacklem/kadmin.patch
> I just updated the patch with a fix for the case where the
> Heimdal principal does not have any keys for string encryption.
> (That is fixed now and I haven't found any other bugs, so I
> think I am done playing with it. Yippee!!)
>
> Please test when you can find the time, rick

I think the problem is with OpenSSL 3.5. With the legacy provider loaded in 
OpenSSL 3.5 I get,

test3# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active
test3# 

Whereas in 3.0 I get,

bob# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.16
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.16
    status: active
bob# 

Some symbol must be missing.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e**(i*pi)+1=0
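A small check, added here and not part of the thread or of OpenSSL itself, that parses the output of `openssl list -providers` (the two listings quoted above are embedded as constructed sample input) and reports which providers are active, so the missing legacy provider on the 3.5 host can be detected by a script rather than by eye. The parser assumes the two-space/four-space indentation shown in those listings.

```python
"""Parse `openssl list -providers` output and report active providers."""
from typing import Dict, List

# Constructed sample input: the listings quoted in the e-mail above.
OPENSSL_35_OUTPUT = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active
"""

OPENSSL_30_OUTPUT = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.16
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.16
    status: active
"""


def parse_providers(text: str) -> Dict[str, Dict[str, str]]:
    """Return {provider_id: {"name": ..., "version": ..., "status": ...}}.

    Layout assumed (as printed by `openssl list -providers`): a "Providers:"
    header, provider ids indented by two spaces, and "key: value" lines
    indented by four spaces under each id.
    """
    providers: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Providers:"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 2:                      # a provider id line
            current = line
            providers[current] = {}
        elif indent >= 4 and current and ":" in line:   # attribute line
            key, _, value = line.partition(":")
            providers[current][key.strip()] = value.strip()
    return providers


def active_providers(text: str) -> List[str]:
    """Ids of providers whose status line reads 'active', sorted."""
    return sorted(p for p, a in parse_providers(text).items()
                  if a.get("status") == "active")


def legacy_active(text: str) -> bool:
    """True only when the legacy provider (single DES, RC4, MD4, ...) is
    loaded and active; an absent entry means it was never activated or
    failed to load, whatever the config file says."""
    return "legacy" in active_providers(text)
```

On a live host, feed it `subprocess.run(["openssl", "list", "-providers"], capture_output=True, text=True).stdout`.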
