Date:      Mon, 16 Jun 2025 04:28:49 +0000
From:      Minsoo Choo <minsoochoo0122@proton.me>
To:        Cy Schubert <Cy.Schubert@cschubert.com>
Cc:        freebsd-current@freebsd.org, emaste@freebsd.org, jrm@freebsd.org
Subject:   Re: MIT KRB5 in 15-CURRENT
Message-ID:  <B9dYbVelBxymjeSLSXKQit3RdzeG3R8OLdfQ9co9Nts-ZFwv55O5YTUpAkZgrpyOOYkAX4ro5IaZH6Y4W_mrBW3v3oiGvEVjFVuEZWD7jUE=@proton.me>
In-Reply-To: <20250616034233.ED587134@slippy.cwsent.com>

On Sunday, June 15th, 2025 at 11:43 PM, Cy Schubert <Cy.Schubert@cschubert.com> wrote:

> Hi freebsd-current@,
> 
> MIT KRB5 has been imported. It is disabled by default. To build and install
> MIT KRB5 in 15-CURRENT,
> 
> 1. Add WITH_MITKRB5=yes in src.conf.
> 
> 2. Do a buildworld and buildkernel.
> 
> 3. Then installworld, run etcupdate to update files in /etc.
> 
> 4. make delete-old and delete-old-libs. This is important. Skip this step
> and your resulting install will contain both MIT and Heimdal Kerberos.
> This will not work.
> 
> Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC on
> FreeBSD. There is a procedure to convert the Heimdal HDB to an MIT KRB5
> KDB. I am still working on documenting the procedure. The process is not
> straightforward as our Heimdal 1.5.2 is very old and does not support the
> feature found in later versions of Heimdal needed to migrate the HDB to
> KDB. In a nutshell: one must export the HDB, import it into the latest
> version of Heimdal (using ports/security/heimdal), then export an MIT KRB5
> export, and finally import it into a new MIT KRB5 KDB.
> 
> If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will
> simplify integration into a Microsoft network. You will still need to use
> winbind from samba or sssd, as Active Directory uses MIT KRB5 and LDAP for
> authentication.
> 
> A ports exp-run will be needed to list any ports that may fail to build
> with MIT KRB5 in base. If any are found they will be fixed before we switch
> the default from Heimdal 1.5.2 to MIT KRB5 1.21.3.
> 
> A decision to remove Heimdal from the source tree will come sometime after
> the default has been switched from Heimdal to MIT KRB5.
> 
> I also expect some ports plumbing changes, especially in Mk/Uses/gssapi.mk
> in order to support MIT KRB5 in base. Any required changes should be
> identified with an exp-run.
> 
> 
> --
> Cheers,
> Cy Schubert Cy.Schubert@cschubert.com
> 
> FreeBSD UNIX: cy@FreeBSD.org Web: https://FreeBSD.org
> 
> NTP: cy@nwtime.org Web: https://nwtime.org
> 
> 
> e**(i*pi)+1=0
> 
> 

Thank you for your great work. I will close D43625 and D43624 as the adoption of MIT krb5 makes them obsolete.

I have a few questions regarding MIT krb5 replacing heimdal:
1. In which FreeBSD version will MIT krb5 be the default?
2. In which FreeBSD version will heimdal be removed?

Regards,
Minsoo

