Date: Wed, 27 Aug 2025 06:16:02 -0700
From: Rick Macklem <rick.macklem@gmail.com>
To: Alexander Leidinger <Alexander@leidinger.net>
Cc: Gleb Smirnoff <glebius@freebsd.org>, Cy Schubert <Cy.Schubert@cschubert.com>, freebsd-current@freebsd.org
Subject: Re: heimdal -> MIT kdc migration
Message-ID: <CAM5tNy7kwuoCUPHFTUteJ3Qw76zhxFJ1Xwfz-5QQ-w5TpchwnQ@mail.gmail.com>
In-Reply-To: <dd10e5ee3d0b9bb79fe7857385095022@Leidinger.net>
References: <aKwYB4d6l4ze-yXA@cell.glebi.us> <aKxcwqKqW3ZpA3Po@cell.glebi.us> <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <CAM5tNy5sNv8z0zW2ZFt%2B9=ytUpjGVudsYbcSC2mQSudi3iWSfQ@mail.gmail.com> <CAM5tNy73KwR-DBqc28bqRPKqW7UqXN7RXYB=p-Za5Lsoy9jFcw@mail.gmail.com> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net> <CAM5tNy42Xvj8M%2Bq4qDO35T31wWLO-2pC9H0_V0rVM2uZmSL2RA@mail.gmail.com> <CAM5tNy5m8tEaivQdC4G-=VNpf3ng6JcdpeJKvxA8oM==OdbMUw@mail.gmail.com> <aK3TQbWXkr_r24sW@cell.glebi.us> <aK3iW189fZ2_xSyB@cell.glebi.us> <CAM5tNy5ra8y76FSHvi31JgoJDXRtGKUd5wzy8N9nf%2BtVYhjvJQ@mail.gmail.com> <dd10e5ee3d0b9bb79fe7857385095022@Leidinger.net>

On Wed, Aug 27, 2025 at 1:18 AM Alexander Leidinger <Alexander@leidinger.net> wrote:
>
> On 2025-08-26 19:21, Rick Macklem wrote:
> > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
> >>
> >> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> >> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> >> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> >> T> R> working Heimdal-7.8 in ports.
> >> T> R>
> >> T> R> Now, I have another challenge. Fixing the master passwords.
> >> T> R> I'll work on it later to-day.
> >> T>
> >> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> >> T> feature to our base heimdal and polished them to compile. So far it doesn't
> >> T> work yet, either create an empty dump or create a core dump, instead of
> >> T> database dump :) I'll see how difficult it is going to further resolve that to
> >> T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> >> T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
> >>
> >> Good news. In the above paragraph I was testing my change incorrectly - threw
> >> the new binary on a system running unpatched libraries. When run correctly,
> >> it successfully produced something that looks like a correct dump in MIT format.
> >> I haven't yet tried to load it into MIT kdc yet, though.
> > You might have better luck than me, but if I just loaded it, "kadmin.local" wouldn't
> > work.
> > To get it loaded, I had to:
> > - edit the mit.dump and remove the entries for
> >   K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM.
> > Then I...
> > # kdb5_util create -s
> > and
> > # kdb5_util load -update mit.dump
> > - after that, kadmin.local would find the principals, but
> >   a "kinit" wouldn't work until I did a "change_password" on it.
>
> Have you tried "kadmin -l dump --decrypt --format=MIT"?
Yes. It has not helped.
(I've tried --decrypt at both the first dump of Heimdal-1.5 and
at the second one in Heimdal-7.8.)

I'll note that the MIT "kinit" fails before it prompts for a password,
which suggests something is fundamentally broken in the TGT.

I will be investigating this further to-day.

rick

>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
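
Added example, not part of the original message and not code from FreeBSD, Heimdal or MIT: a filter that does the "edit the mit.dump and remove the entries" step from the quoted procedure before `kdb5_util load -update`. It assumes each principal in the MIT-format dump is one tab-separated line starting with `princ` that carries the full `name@REALM` as a field; `filter_mit_dump`, `sample_dump` and the realm `EXAMPLE.ORG` are hypothetical names, and the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: in the MIT-format dump each
# principal is one tab-separated line whose first field is "princ" and which
# carries the full principal name (name@REALM) as one of its fields.

# Usage: filter_mit_dump REALM < mit.dump > mit.filtered.dump
# Drops K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM; keeps the rest.
filter_mit_dump() {
    awk -F '\t' -v realm="$1" '
        BEGIN {
            skip["K/M@" realm] = 1
            skip["kadmin/admin@" realm] = 1
            skip["kadmin/changepw@" realm] = 1
            skip["krbtgt/" realm "@" realm] = 1
        }
        $1 == "princ" {
            # Exact field match, so alice/admin or host/... are never caught.
            for (i = 2; i <= NF; i++)
                if ($i in skip) next
        }
        { print }
    '
}

# Constructed sample: record layout abbreviated, key data replaced by "...".
sample_dump() {
    printf 'kdb5_util load_dump version 7\n'
    for p in K/M kadmin/admin kadmin/changepw krbtgt/EXAMPLE.ORG \
             alice alice/admin host/nfs.example.org; do
        printf 'princ\t...\t%s@EXAMPLE.ORG\t...\n' "$p"
    done
}

# Demo on the constructed sample; on a real system the filtered file would
# then be loaded with the commands from the mail:
#   kdb5_util create -s
#   kdb5_util load -update mit.filtered.dump
sample_dump | filter_mit_dump EXAMPLE.ORG
```

Keep the unfiltered dump: it contains key material for every principal, so both files need the same file permissions and handling as the KDC database itself.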
