From: Rick Macklem
Date: Wed, 27 Aug 2025 20:39:53 -0700
Subject: Re: heimdal -> MIT kdc migration
To: Gleb Smirnoff
Cc: Cy Schubert, freebsd-current@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Wed, Aug 27, 2025 at 7:43 PM Rick Macklem wrote:
>
> On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff wrote:
> >
> > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> > T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> > T> R> working Heimdal-7.8 in ports.
> > T> R>
> > T> R> Now, I have another challenge. Fixing the master passwords.
> > T> R> I'll work on it later to-day.
> > T>
> > T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> > T> feature to our base heimdal and polished them to compile. So far it doesn't
> > T> work yet, either create an empty dump or create a core dump, instead of
> > T> database dump :) I'll see how difficult it is going to further resolve that to
> > T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> > T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
> >
> > Good news. In the above paragraph I was testing my change incorrectly - threw
> > the new binary on a system running unpatched libraries. When run correctly,
> > it successfully produced something that looks like a correct dump in MIT format.
> > I haven't yet tried to load it into MIT kdc yet, though.

Oh, and one more thing...
- If there are keys for old encryption types like des.. or arcfour.. in the
  MIT dump, those will screw up the load.
  (You can check and delete them in the Heimdal-1.5.2 kdc system via..
  # kadmin -l
  get
  - if old keys are listed in Keytypes:
  del_enctype
  exit
  Ideally the conversion code would skip over these and not put them in the
  dump.

rick
ps: If you don't do this, when you "get_principal" in kadmin.local on the MIT
KDC system, it will give you a "Database record is incomplete or corrupted..".

> >
> > I will finalize the branch promptly and share it. The above experience also
> > indicated that I need to do a library version bump.
> I don't know if you are enthusiastic about pursuing this, but hopefully this
> works and gets the principals in (although I doubt the passwords will
> work without changing them).
>
> To get the passwords to work, I think the following *might* do it:
> - If you look in the Heimdal sources, when "--decrypt" is specified,
>   I think it finds its way down into a function called hdb_unseal_key_mkey()
>   which decrypts the key using the master key by calling _hdb_mkey_decrypt().
>   To get the passwords to work, I think the call to _hdb_mkey_decrypt() would
>   need to be followed by a call to _hdb_mkey_encrypt() with the "key"
>   argument being the master key for the MIT database. (It is a keytab
>   entry called /var/db/krb5kdc/.k5.YOUR.REALM created when you do a
>   "kdb5_util create -s" on the system that will be the MIT KDC.)
> - Just to make it even more fun, there is a flag called HDB_KU_MKEY
>   which is set to the Heimdal way and not for the MIT way (whatever
>   that really means?).
> - There is also some stuff about padding in hdb_unseal_key_mkey(),
>   but hopefully that won't be a problem?
>
> I think hdb_read_master_key() can be used to read in the MIT master
> key from the file you provide as an argument to it.
>
> This all is just a hunch, based on what I've seen so far.
>
> I'll admit since the hardware I have takes forever to "make buildworld"
> and I don't know a quick way to build/test these changes, I'm not
> inspired to try it.
>
> rick
> >
> > --
> > Gleb Smirnoff
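Rick's point about des.. and arcfour.. keys breaking the MIT load suggests a pre-load filter. The following Python script is an added example, not code from this thread, Heimdal or MIT: it walks each "princ" record of an MIT-format dump, drops the DES/RC4 key_data tuples and fixes up n_key_data so that kdb5_util load still parses the record. The record layout it assumes is that of kdb5_util's dump format as described in the docstring, and the sample records are constructed.

```python
"""Drop DES/RC4 keys from MIT-format KDC dump records before 'kdb5_util load'.
Added example, not code from the thread.  Assumes the field layout of MIT kdb5_util
"princ" dump lines (princ, name length, n_tl_data, n_key_data, e_length, name, eight
numeric fields, tl_data tuples, key_data tuples, e_data, ';'); samples are constructed."""
import sys

# RFC 3961 / RFC 4757 numbers for the des.. and arcfour.. enctypes the thread warns about.
LEGACY_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                   23: "arcfour-hmac", 24: "arcfour-hmac-exp"}
FIXED_FIELDS = 14  # "princ" through fail_auth_count


def _parse(record):
    """(prefix fields, [field chunk per key], trailer fields) or None if not a princ line."""
    fields = record.rstrip("\n").split("\t")
    if fields[0] != "princ":
        return None
    n_tl, n_keys = int(fields[2]), int(fields[3])
    i = FIXED_FIELDS + 3 * n_tl  # each tl_data tuple is: type, length, hex
    chunks = []
    for _ in range(n_keys):
        ver = int(fields[i])  # key_data_ver: 1 = key only, 2 = key plus salt
        chunks.append(fields[i:i + 2 + 3 * ver])  # ver, kvno, then ver x (type, length, hex)
        i += len(chunks[-1])
    return fields[:FIXED_FIELDS + 3 * n_tl], chunks, fields[i:]


def strip_legacy_keys(record):
    """Return (record without legacy keys, names of the enctypes removed)."""
    parsed = _parse(record)
    if not parsed:
        return record, []  # header and policy lines pass through untouched
    prefix, chunks, trailer = parsed
    removed = [LEGACY_ENCTYPES[int(c[2])] for c in chunks if int(c[2]) in LEGACY_ENCTYPES]
    if not removed:
        return record, []
    keep = [c for c in chunks if int(c[2]) not in LEGACY_ENCTYPES]
    prefix[3] = str(len(keep))  # n_key_data must match the keys that remain
    return "\t".join(prefix + sum(keep, []) + trailer) + "\n", removed


# Constructed dump: header, then alice with an aes256-cts (18) and an arcfour-hmac (23) key.
SAMPLE_DUMP = [
    "kdb5_util load_dump version 7\n",
    "princ\t17\t1\t2\t0\talice@EXAMPLE.ORG\t0\t86400\t604800\t0\t0\t0\t0\t0\t1\t4\t00000000"
    "\t2\t1\t18\t4\tdeadbeef\t0\t0\t-1\t2\t1\t23\t4\tc0ffee00\t0\t0\t-1\t-1;\n",
]

if __name__ == "__main__":  # usage: python3 this_script.py dump.mit > dump.clean
    for line in (open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DUMP):
        sys.stdout.write(strip_legacy_keys(line)[0])
```

A principal whose only keys are legacy ones comes out with n_key_data 0, so check the returned list and reset those passwords on the MIT side rather than loading them silently.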