Date:      Wed, 27 Aug 2025 11:52:06 -0700
From:      Rick Macklem <rick.macklem@gmail.com>
To:        Alexander Leidinger <Alexander@leidinger.net>
Cc:        Gleb Smirnoff <glebius@freebsd.org>, Cy Schubert <Cy.Schubert@cschubert.com>,  freebsd-current@freebsd.org
Subject:   Re: heimdal -> MIT kdc migration
Message-ID:  <CAM5tNy5ugaPgqYWn_VSUJuuVcgeqcQsekY=7XexotFyEAXSqGA@mail.gmail.com>
In-Reply-To: <dd10e5ee3d0b9bb79fe7857385095022@Leidinger.net>
References:  <aKwYB4d6l4ze-yXA@cell.glebi.us> <aKxcwqKqW3ZpA3Po@cell.glebi.us> <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <CAM5tNy5sNv8z0zW2ZFt+9=ytUpjGVudsYbcSC2mQSudi3iWSfQ@mail.gmail.com> <CAM5tNy73KwR-DBqc28bqRPKqW7UqXN7RXYB=p-Za5Lsoy9jFcw@mail.gmail.com> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net> <CAM5tNy42Xvj8M+q4qDO35T31wWLO-2pC9H0_V0rVM2uZmSL2RA@mail.gmail.com> <CAM5tNy5m8tEaivQdC4G-=VNpf3ng6JcdpeJKvxA8oM==OdbMUw@mail.gmail.com> <aK3TQbWXkr_r24sW@cell.glebi.us> <aK3iW189fZ2_xSyB@cell.glebi.us> <CAM5tNy5ra8y76FSHvi31JgoJDXRtGKUd5wzy8N9nf+tVYhjvJQ@mail.gmail.com> <dd10e5ee3d0b9bb79fe7857385095022@Leidinger.net>


On Wed, Aug 27, 2025 at 1:18 AM Alexander Leidinger
<Alexander@leidinger.net> wrote:
>
> Am 2025-08-26 19:21, schrieb Rick Macklem:
> > On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org>
> > wrote:
> >>
> >> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> >> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> >> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> >> T> R> working Heimdal-7.8 in ports.
> >> T> R>
> >> T> R> Now, I have another challenge. Fixing the master passwords.
> >> T> R> I'll work on it later today.
> >> T>
> >> T> I have applied two commits from Heimdal from 2012 that add the 'kadmin dump -f MIT'
> >> T> feature to our base heimdal and polished them to compile.  So far it doesn't
> >> T> work yet: it either creates an empty dump or a core dump, instead of a
> >> T> database dump :) I'll see how difficult it is going to be to further resolve
> >> T> that to a working condition. If I succeed, then having 'dump -f MIT' in base
> >> T> without any ports would be the best solution.  It can also be merged to FreeBSD 14.4.
> >>
> >> Good news.  In the above paragraph I was testing my change incorrectly - I threw
> >> the new binary on a system running unpatched libraries.  When run correctly,
> >> it successfully produced something that looks like a correct dump in MIT format.
> >> I haven't tried to load it into the MIT kdc yet, though.
> > You might have better luck than me, but if I just loaded it,
> > "kadmin.local" wouldn't work.
> > To get it loaded, I had to:
> > - edit the mit.dump and remove the entries for
> >   K/M, kadmin/admin, kadmin/changepw and krbtgt/REALM.
> > Then I...
> > # kdb5_util create -s
> > and
> > # kdb5_util load -update mit.dump
> > - after that, kadmin.local would find the principals, but
> >   a "kinit" wouldn't work until I did a "change_password" on it.
>
> Have you tried "kadmin -l dump --decrypt --format=MIT"?
As I noted in the last post, this does not work.
I think the problem is that the current MIT KDC requires keys
to be encrypted in the master key.

If the old Heimdal-1.5.2 KDC was configured with a master
key of type aes256-cts-hmac-sha1-96, then it might be
possible to put that master key on the MIT KDC and
make things work.
--> Since the Heimdal default for the master key is
      des3-cbc-sha1, almost all Heimdal-1.5.2 KDCs
      will have used that.

If you "kadmin -l dump --decrypt old.dump" on the Heimdal-1.5.2
KDC, that file will load and work in the Heimdal-7.8 KDC.

However, the next stage of "kadmin -l dump --decrypt -f MIT mit.dump"
results in a file that, after loading into the MIT KDC via
"kdb5_util load mit.dump", is reported as corrupt/incomplete by
kadmin.local, etc.

I think what would be needed is a command that both writes
out a dump in MIT format and converts the encrypted keys
to the new master key (kdb5_util can do this, but the database
has to be loaded first) instead of just --decrypt'ing them.

The only thing I have not yet tried is getting the MIT KDC to
use the old des3-cbc-sha1 master key from the Heimdal-1.5.2
KDC, but I doubt it will allow it?

rick

>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
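
The MIT-side steps Rick lists above (strip the K/M, kadmin/admin,
kadmin/changepw and krbtgt/REALM entries from mit.dump, "kdb5_util create -s",
"kdb5_util load -update", then change_password), as an added shell example.
This is not code from the thread, from FreeBSD, or from Heimdal/MIT krb5.
It assumes the dump consists of tab-separated "princ" records in which the
principal name appears as one complete field (the sample dump below is
constructed in that shape; the real column layout is whatever
"kadmin -l dump -f MIT" writes), and a realm of EXAMPLE.ORG unless REALM is
set in the environment.

```shell
#!/bin/sh
# Added example for the Heimdal -> MIT migration discussed in the thread.
# Assumptions (not from the thread): tab-separated "princ" records with the
# principal name as one whole field; realm EXAMPLE.ORG unless $REALM is set.

REALM="${REALM:-EXAMPLE.ORG}"

# Print, one per line, the four principals that "kdb5_util create -s"
# regenerates and that therefore have to be dropped from the dump.
kdc_internal_princs() {
    printf '%s\n' "K/M@$1" "kadmin/admin@$1" "kadmin/changepw@$1" "krbtgt/$1@$1"
}

# stdin: MIT-format dump; stdout: the same dump minus the records for the
# KDC-internal principals of realm $1.  The header and "policy" lines pass
# through untouched.  A record is dropped only when a whole field equals one
# of the names, so "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" does not match a host
# principal that merely contains the realm string.
strip_kdc_internal() {
    awk -F '\t' -v realm="$1" '
        BEGIN {
            drop["K/M@" realm] = 1
            drop["kadmin/admin@" realm] = 1
            drop["kadmin/changepw@" realm] = 1
            drop["krbtgt/" realm "@" realm] = 1
        }
        $1 == "princ" {
            for (i = 2; i <= NF; i++)
                if ($i in drop) next
        }
        { print }
    '
}

# Number of principal records in the dump on stdin.
count_princs() {
    grep -c '^princ' || true
}

# Constructed sample dump (not real KDC data): a header line in the shape the
# MIT loader expects, one record per principal, and a policy record.  The
# key/tl_data fields are shortened to "..." since only the name matters here.
sample_dump() {
    printf 'kdb5_util load_dump version 6\n'
    printf 'princ\t38\t15\t1\t2\t0\tK/M@EXAMPLE.ORG\t...\t-1;\n'
    printf 'princ\t38\t24\t1\t2\t0\tkadmin/admin@EXAMPLE.ORG\t...\t-1;\n'
    printf 'princ\t38\t27\t1\t2\t0\tkadmin/changepw@EXAMPLE.ORG\t...\t-1;\n'
    printf 'princ\t38\t30\t1\t2\t0\tkrbtgt/EXAMPLE.ORG@EXAMPLE.ORG\t...\t-1;\n'
    printf 'princ\t38\t17\t1\t2\t0\talice@EXAMPLE.ORG\t...\t-1;\n'
    printf 'princ\t38\t31\t1\t2\t0\tnfs/kdc.example.org@EXAMPLE.ORG\t...\t-1;\n'
    printf 'policy\tdefault\t0\t0\t1\t1\t0\t0\n'
}

# The MIT-side sequence from the thread, for a dump already produced with
# "kadmin -l dump --decrypt -f MIT" on the Heimdal host.  Not run by the
# self-check below: it needs kdb5_util, a configured kdc.conf and root.
load_into_mit_kdc() {
    in_dump=$1
    filtered=$(mktemp) || return 1
    strip_kdc_internal "$REALM" < "$in_dump" > "$filtered"
    # Fresh database whose K/M, kadmin/* and krbtgt/REALM are generated under
    # the new master key; -s writes the stash file.
    kdb5_util create -s &&
    kdb5_util load -update "$filtered"
    rc=$?
    rm -f "$filtered"
    return $rc
}

# Per the thread, kinit fails for loaded principals until each gets a
# change_password.  This prompts for the password interactively instead of
# passing it with -pw, where it would be visible in ps and shell history.
rekey_principal() {
    kadmin.local -q "change_password $1"
}

# Self-check on the constructed sample: the four internal principals go,
# the user and service principals and the policy record stay.
sample_dump | strip_kdc_internal "$REALM"
```

The filter is deliberately keyed on whole fields rather than a column
number, because the thread does not state which column carries the name;
if "kadmin -l dump -f MIT" ever emits a principal name split across fields
the filter would pass that record through rather than silently dropping
the wrong one, which is the safer failure.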



Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy5ugaPgqYWn_VSUJuuVcgeqcQsekY=7XexotFyEAXSqGA>