From: Cy Schubert
Reply-to: Cy Schubert
To: Rick Macklem
cc: Cy Schubert, Gleb Smirnoff, freebsd-current@freebsd.org
Subject: Re: heimdal -> MIT kdc migration
Date: Tue, 02 Sep 2025 22:19:51 -0700
Message-Id: <20250903051951.560A0215@slippy.cwsent.com>
References: <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net> <20250903043714.370F5311@slippy.cwsent.com>
Comments: In-reply-to Rick Macklem message dated "Tue, 02 Sep 2025 22:10:06 -0700."
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev

In message , Rick Macklem writes:
> On Tue, Sep 2, 2025 at 9:37 PM Cy Schubert wrote:
> >
> > In message , Rick Macklem writes:
> > > On Sun, Aug 31, 2025 at 5:58 PM Rick Macklem wrote:
> > > >
> > > > On Sun, Aug 31, 2025 at 5:41 PM Rick Macklem wrote:
> > > > >
> > > > > On Sat, Aug 30, 2025 at 9:47 PM Rick Macklem wrote:
> > > > > >
> > > > > > On Sat, Aug 30, 2025 at 4:22 PM Rick Macklem wrote:
> > > > > > >
> > > > > > > On Sat, Aug 30, 2025 at 8:56 AM Rick Macklem wrote:
> > > > > > > >
> > > > > > > > On Fri, Aug 29, 2025 at 1:05 PM Rick Macklem wrote:
> > > > > > > > >
> > > > > > > > > On Fri, Aug 29, 2025 at 7:43 AM Rick Macklem wrote:
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 27, 2025 at 8:39 PM Rick Macklem wrote:
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > > > > > > > > > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > > > > > > > > > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > > > > > > > > > > > > T> R> working Heimdal-7.8 in ports.
> > > > > > > > > > > > > T> R>
> > > > > > > > > > > > > T> R> Now, I have another challenge. Fixing the master passwords.
> > > > > > > > > > > > > T> R> I'll work on it later to-day.
> > > > > > > > > > > > > T>
> > > > > > > > > > > > > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > > > > > > > > > > > > T> feature to our base heimdal and polished them to compile. So far it doesn't
> > > > > > > > > > > > > T> work yet, either create an empty dump or create a core dump, instead of
> > > > > > > > > > > > > T> database dump :) I'll see how difficult it is going to further resolve that to
> > > > > > > > > > > > > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > > > > > > > > > > > > T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Good news. In the above paragraph I was testing my change incorrectly - threw
> > > > > > > > > > > > > the new binary on a system running unpatched libraries. When run correctly,
> > > > > > > > > > > > > it successfully produced something that looks like a correct dump in MIT format.
> > > > > > > > > > > > > I haven't yet tried to load it into MIT kdc yet, though.
> > > > > > > Well, would you like the not so bad news or the bad news??;-)
> > > > > > > Your patch works, in that it produces a dump that "kdb5_util load -update" can load.
> > > > > > > After loading, if the principal only has keys for the newer encryption types of
> > > > > > > aes256-cts-hmac-sha1-96
> > > > > > > aes128-cts-hmac-sha1-96
> > > > > > > then you can look at the principal via kadmin.local, but the password must
> > > > > > > be changed before it works.
> > > > > > > --> This is the same behaviour as you get if you use Heimdal-7.8 to do the
> > > > > > > dump conversion.
> > > > > > > So far, so good...
> > > > > > >
> > > > > > > Now, the not so good news. Once you update the Heimdal libraries
> > > > > > > (libhdb.so and libkadm5srv.so) "kadmin -l" is broken on the system
> > > > > > > running the old KDC. "kadmin -l dump" works, but something like:
> > > > > > > # kadmin -l
> > > > > > > kadmin> get rmacklem
> > > > > > > kadmin: get rmacklem: Service key not available
> > > > > > > - I have not yet looked in your patched sources to see where this
> > > > > > > failure comes from?
> > > > > > >
> > > > > > > Now, more not so good news...
> > > > > > > My patch doesn't help.
> > > > > > > It does re-encrypt the key in the master key from the MIT KDC
> > > > > > > system, but that doesn't make the password work.
> > > > > > > When I compared the dump generated via kadmin with both
> > > > > > > your patch and mine, the key for aes256-cts-hmac-sha1-96
> > > > > > > is 34 bytes long.
> > > > > > > After doing the change_password so that it works, a dump
> > > > > > > generated by "kdb5_util dump -r13" (the same dump format)
> > > > > > > has a key that is 62 bytes long.
> > > > > > > --> So, there is more to converting the key than just re-encrypting
> > > > > > > it. (I'll try and find where the MIT code encrypts a key in a master
> > > > > > > key to see why it ends up at 62 bytes and whether that can be done
> > > > > > > in the old code.)
> > > > > > >
> > > > > > > So, if we are going to continue with this...
> > > > > > > - We need to figure out why your patch breaks "kadmin" for other
> > > > > > > things and fix that.
> > > > > > > - I/we need to figure out how to convert the 34 byte key to the MIT
> > > > > > > 62 byte key (and then maybe the password won't need to be changed?).
> > > > > > >
> > > > > > > Or do we just say "When you convert the KDC database, all the passwords
> > > > > > > must be changed to get them to work?".
> > > > > > All I've got so far is this patch...
> > > > > > https://people.freebsd.org/~rmacklem/print.patch
> > > > > >
> > > > > > It tweaks entry2mit_string_int() so that it skips over the keys for
> > > > > > old encryption types and fills in a fake "modified by" entry if none
> > > > > > exists.
> > > > > >
> > > > > > These changes at least make the MIT dump such that the records
> > > > > > don't end up "incomplete or corrupted" when you try to do something
> > > > > > like "get_principal" in kadmin.local.
> > > > > >
> > > > > > As noted, your patch makes "kadmin -l" break for most things,
> > > > > > reporting "Service key not available". The failures go away if
> > > > > > you revert back to the non-patched libraries.
> > > > > > I have not located the problem yet.
> > > > > >
> > > > > > As for the passwords...no luck yet, rick
> > > > > Finally..it works. (First off, apologies for all the posts, just ignore
> > > > > them.;-)
> > > > >
> > > > > The patch is at:
> > > > > https://people.freebsd.org/~rmacklem/kadmin.patch
> > > I just updated the patch with a fix for the case where the
> > > Heimdal principal does not have any keys for string encryption.
> > > (That is fixed now and I haven't found any other bugs, so I
> > > think I am done playing with it. Yippee!!)
> > >
> > > Please test when you can find the time, rick
> >
> > I think the problem is with OpenSSL 3.5. With the legacy provider loaded in
> > OpenSSL 3.5 I get,
> >
> > test3# openssl list -providers
> > Providers:
> >   default
> >     name: OpenSSL Default Provider
> >     version: 3.5.1
> >     status: active
> > test3#
> >
> > Whereas in 3.0 I get,
> >
> > bob# openssl list -providers
> > Providers:
> >   default
> >     name: OpenSSL Default Provider
> >     version: 3.0.16
> >     status: active
> >   legacy
> >     name: OpenSSL Legacy Provider
> >     version: 3.0.16
> >     status: active
> > bob#
> >
> > Some symbol must be missing.
> Ok, I seem to have missed something here?
> Just in case it wasn't clear, I was referring to testing of the
> kadmin patches for the old Heimdal, so that the KDC database
> can be moved to an MIT KDC and still work.

I'm back at the keyboard and catching up.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  https://FreeBSD.org
NTP:           Web:  https://nwtime.org

	e**(i*pi)+1=0
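The two `openssl list -providers` transcripts quoted above (3.5.1 without the legacy provider, 3.0.16 with it) are the kind of check worth scripting when a KDC migration depends on legacy algorithms. The following POSIX shell helper is an added example, not code from this thread, from FreeBSD or from OpenSSL: it parses that listing and answers whether a named provider is actually active, so a silently unloaded legacy provider is caught before kadmin is blamed. The two sample listings are constructed from the transcripts in the thread; `check_legacy_live` assumes a local `openssl` binary and requests the legacy provider explicitly with the `-provider` option.

```shell
#!/bin/sh
# Added example: verify that a given OpenSSL provider is loaded and active by
# parsing `openssl list -providers` output. Not part of the original thread.

# Print the names of providers whose "status:" line says active.
# Input: `openssl list -providers` text on stdin (names are indented two
# spaces, their attribute lines four spaces).
active_providers() {
    awk '
        /^  [^ ]/      { name = $1; next }
        /^    status:/ { if ($2 == "active" && name != "") print name; name = "" }
    '
}

# Exit 0 if provider $1 is active in the listing on stdin, 1 otherwise.
provider_active() {
    active_providers | grep -qx "$1"
}

# Live check against the local OpenSSL: ask for the legacy provider explicitly
# (and default, so the default algorithms remain available). If legacy.so is
# missing or fails to load, it simply does not appear in the listing.
check_legacy_live() {
    openssl list -providers -provider legacy -provider default 2>/dev/null |
        provider_active legacy
}

# Constructed sample matching the 3.5.1 transcript (legacy absent).
SAMPLE_35='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.1
    status: active'

# Constructed sample matching the 3.0.16 transcript (legacy present).
SAMPLE_30='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.16
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.16
    status: active'

# Named checks over the two samples.
legacy_in_35() { printf '%s\n' "$SAMPLE_35" | provider_active legacy; }
legacy_in_30() { printf '%s\n' "$SAMPLE_30" | provider_active legacy; }

# Stand-alone report: $1 is a label, the listing comes on stdin.
report() {
    if provider_active legacy; then
        echo "$1: legacy provider active"
    else
        echo "$1: legacy provider NOT active"
    fi
}

printf '%s\n' "$SAMPLE_35" | report "sample 3.5.1"
printf '%s\n' "$SAMPLE_30" | report "sample 3.0.16"
if command -v openssl >/dev/null 2>&1; then
    if check_legacy_live; then
        echo "local openssl: legacy provider active"
    else
        echo "local openssl: legacy provider NOT active"
    fi
fi
```

Passing `-provider legacy` on the command line forces a load attempt regardless of openssl.cnf, so a provider that is configured but not listed points at the shared object itself (missing, wrong path, or not loadable against the installed libcrypto) rather than at the configuration.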