Date:      Wed, 27 Aug 2025 20:39:53 -0700
From:      Rick Macklem <rick.macklem@gmail.com>
To:        Gleb Smirnoff <glebius@freebsd.org>
Cc:        Cy Schubert <Cy.Schubert@cschubert.com>, freebsd-current@freebsd.org
Subject:   Re: heimdal -> MIT kdc migration
Message-ID:  <CAM5tNy4C1sFkqfDnO%2BA1Chkm86qxO--Rt%2BthbnFrBkWu_P7iDg@mail.gmail.com>
In-Reply-To: <CAM5tNy6t-gT54u4ox5OyYEWC9wq5COcyuUjT%2B0gG6bGhME2WNw@mail.gmail.com>
References:  <aKwYB4d6l4ze-yXA@cell.glebi.us> <aKxcwqKqW3ZpA3Po@cell.glebi.us> <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <CAM5tNy5sNv8z0zW2ZFt%2B9=ytUpjGVudsYbcSC2mQSudi3iWSfQ@mail.gmail.com> <CAM5tNy73KwR-DBqc28bqRPKqW7UqXN7RXYB=p-Za5Lsoy9jFcw@mail.gmail.com> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net> <CAM5tNy42Xvj8M%2Bq4qDO35T31wWLO-2pC9H0_V0rVM2uZmSL2RA@mail.gmail.com> <CAM5tNy5m8tEaivQdC4G-=VNpf3ng6JcdpeJKvxA8oM==OdbMUw@mail.gmail.com> <aK3TQbWXkr_r24sW@cell.glebi.us> <aK3iW189fZ2_xSyB@cell.glebi.us> <CAM5tNy6t-gT54u4ox5OyYEWC9wq5COcyuUjT%2B0gG6bGhME2WNw@mail.gmail.com>


On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem <rick.macklem@gmail.com> wrote:
>
> On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
> >
> > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > T> R> working Heimdal-7.8 in ports.
> > T> R>
> > T> R> Now, I have another challenge. Fixing the master passwords.
> > T> R> I'll work on it later to-day.
> > T>
> > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > T> feature to our base heimdal and polished them to compile.  So far it doesn't
> > T> work yet, either create an empty dump or create a core dump, instead of
> > T> database dump :) I'll see how difficult it is going to further resolve that to
> > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > T> any ports would be the best solution.  Can also be merged to FreeBSD 14.4.
> >
> > Good news.  In the above paragraph I was testing my change incorrectly - threw
> > the new binary on a system running unpatched libraries.  When run correctly,
> > it successfully produced something that looks like a correct dump in MIT format.
> > I haven't yet tried to load it into MIT kdc yet, though.
Oh, and one more thing...
- If there are keys for old encryption types like des.. or arcfour.. in the
  MIT dump, those will screw up the load. (You can check and delete them in
  the Heimdal-1.5.2 kdc system via..
  # kadmin -l
  get <principal>
  - if old keys are listed in Keytypes:
  del_enctype <principal> <enctypes>
  exit

  Ideally the conversion code would skip over these and not put them in the dump.

rick
ps: If you don't do this, when you "get_principal" in kadmin.local on the MIT
    KDC system, it will give you a "Database record is incomplete or corrupted..".

> >
> > I will finalize the branch promptly and share it.  The above experience also
> > indicated that I need to do a library version bump.
> I don't know if you are enthusiastic about pursuing this, but hopefully this
> works and gets the principals in (although I doubt the passwords will
> work without changing them).
>
> To get the passwords to work, I think the following *might* do it:
> - If you look in the Heimdal sources, when "--decrypt" is specified,
>   I think it finds its way down into a function called hdb_unseal_key_mkey()
>   which decrypts the key using the master key by calling _hdb_mkey_decrypt().
>   To get the passwords to work, I think the call to _hdb_mkey_decrypt() would
>   need to be followed by a call to _hdb_mkey_encrypt() with the "key"
>   argument being the master key for the MIT database. (It is a keytab
>   entry called /var/db/krb5kdc/.k5.YOUR.REALM created when you do a
>   "kdb5_util create -s" on the system that will be the MIT KDC.)
>   - Just to make it even more fun, there is a flag called HDB_KU_MKEY
>     which is set to the Heimdal way and not for the MIT way (whatever
>     that really means?).
>   - There is also some stuff about padding in hdb_unseal_key_mkey(),
>     but hopefully that won't be a problem?
>
> I think hdb_read_master_key() can be used to read in the MIT master
> key from the file you provide as an argument to it.
>
> This all is just a hunch, based on what I've seen so far.
>
> I'll admit since the hardware I have takes forever to "make buildworld"
> and I don't know a quick way to build/test these changes, I'm not
> inspired to try it.
>
> rick
>
> >
> > --
> > Gleb Smirnoff
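
The check-and-delete step Rick describes above (look at each principal's Keytypes, then del_enctype the des/arcfour ones before dumping), written as a review script. This is an added example, not code from the thread or from Heimdal; it assumes the "Principal:" / "Keytypes:" line layout of Heimdal's "kadmin -l get" output, and the sample output it runs on is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds legacy enctypes (des-*,
# arcfour-*) on Heimdal principals so they can be removed with del_enctype
# before producing the MIT-format dump. The "Principal:"/"Keytypes:" line
# layout of "kadmin -l get" is assumed (Heimdal's short output), e.g.
#   Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des-cbc-crc(pw-salt)

WEAK_PATTERN='^(des-|arcfour-)'   # widen here if more enctypes must go

# weak_enctypes 'Keytypes: ...' -> space-separated weak enctype names
weak_enctypes() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*Keytypes:[[:space:]]*//' -e 's/([^)]*)//g' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -E "$WEAK_PATTERN" | tr '\n' ' ' | sed 's/ $//'
}

# del_enctype_cmds < "kadmin -l get" output -> one "del_enctype" line, or nothing
del_enctype_cmds() {
    princ=''; weak=''
    while IFS= read -r line; do
        case "$line" in
            *'Principal:'*) princ=$(printf '%s' "$line" | sed 's/^[[:space:]]*Principal:[[:space:]]*//') ;;
            *'Keytypes:'*)  weak=$(weak_enctypes "$line") ;;
        esac
    done
    [ -n "$princ" ] && [ -n "$weak" ] && printf 'del_enctype %s %s\n' "$princ" "$weak"
    return 0
}

# Against a live Heimdal KDC (not run here): review the output, then feed it
# to "kadmin -l" to strip the keys before running the dump.
scan_kdc() {
    kadmin -l list '*' | while IFS= read -r p; do
        kadmin -l get "$p" | del_enctype_cmds
    done
}

# Constructed sample of "kadmin -l get" output (abridged) for a stand-alone run.
SAMPLE_GET='            Principal: rick@EXAMPLE.ORG
    Principal expires: never
                 Kvno: 3
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)'

printf '%s\n' "$SAMPLE_GET" | del_enctype_cmds
# prints: del_enctype rick@EXAMPLE.ORG des-cbc-crc arcfour-hmac-md5
```

The script only prints the del_enctype commands; nothing is changed on the KDC until you feed the reviewed lines into kadmin -l yourself.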

