Date:      Mon, 6 Oct 2025 05:57:16 -0700
From:      Rick Macklem <rick.macklem@gmail.com>
To:        Cy Schubert <Cy.Schubert@cschubert.com>
Cc:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, Gleb Smirnoff <glebius@freebsd.org>,  Cy Schubert <cy@freebsd.org>
Subject:   Re: RFC: Heimdal FreeBSD KDC users
Message-ID:  <CAM5tNy4qmiNDo1O8VPydHYVwh1Qb4RjV5aNyULJXh0W-Xv%2Bacg@mail.gmail.com>
In-Reply-To: <20251006082708.83FA51876@slippy.cwsent.com>
References:  <CAM5tNy4BPvMd2Uv_w_qd8oU0sZJ8AwfwWemrE78%2BtuRgX9Dy7g@mail.gmail.com> <aOMTpQ43qBRdRyHz@amaryllis.le-fay.org> <20251006082708.83FA51876@slippy.cwsent.com>


On Mon, Oct 6, 2025 at 1:27 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> In message <aOMTpQ43qBRdRyHz@amaryllis.le-fay.org>, Lexi Winter writes:
> >
> >
> >
> > Rick Macklem wrote in <CAM5tNy4BPvMd2Uv_w_qd8oU0sZJ8AwfwWemrE78+tuRgX9Dy7g@mail.gmail.com>:
> > > --> The problem is that it will require a
> > >       make buildworld, make installworld from
> > >       sources with WITHOUT_MITKRB5="yes"
> > >       set in /etc/src.conf, followed by an (re)upgrade
> > >       with the default MIT Kerberos setting.
> > >       (ie. no WITHOUT_MITKRB5="yes")
> >
> > would it make sense to provide this version of kadmin (+ whatever
> > else is required) as a self-contained port, so people could more
> > easily install it for a one-off migration?  that might also make
> > it less risky to provide on 14.x, if that's useful.
glebius@ is going to discuss MFC'ng this to stable/14 with secteam@.

> >
>
> kadmin from Heimdal 1.5.2 cannot be ported without porting all or much of
> Heimdal 1.5.2. It uses many functions in the various Heimdal libraries. A
> Heimdal 1.5.2 port might be difficult to maintain as it's sensitive to the
> OpenSSL in base.
>
> We already have a Heimdal 7.8.0 port that includes a kadmin that does
> support export to MIT. But, it has the same issues with ancient crypto that
> recent versions of MIT do.
The dump created by Heimdal 7.8 has the problems I fixed
with the patch here:
https://people.freebsd.org/~rmacklem/kadmin.patch

Basically, without the above patch, the principals end up
in the MIT database, but they won't work until a "change_password"
is done on them.

I could try to apply the patch to Heimdal 7.8, but I don't know
how well it will work.
The more serious concern is "Will Heimdal 7.8 handle the old
Heimdal 1.5.2 database?".

This would require some testing/debugging. I don't know if/when
I might get around to it.

What I haven't yet seen is a single person putting up their
hand to say "I need this", so I wonder how much effort is
justified w.r.t. dealing with it.

rick

>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
> NTP:           <cy@nwtime.org>    Web:  https://nwtime.org
>
>                         e**(i*pi)+1=0
>
>

