• RFC: Heimdal FreeBSD KDC users

    From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Sun Oct 5 13:57:34 2025
    From Newsgroup: muc.lists.freebsd.stable

    Hi,

    I am posting to try and find out how many users
    are currently using the old Heimdal 1.5 KDC in
    FreeBSD 14.n and are interested in using the
    same KDC database in FreeBSD 15.

    I am asking because I just made a commit to
    main (which will soon be in stable/15) which
    adds support to the Heimdal code for doing
    a database dump in an MIT compatible format.
    The problem is that it will require a
    make buildworld, make installworld from
    sources with WITHOUT_MITKRB5="yes"
    set in /etc/src.conf, followed by a (re)upgrade
    with the default MIT Kerberos setting.
    (i.e. no WITHOUT_MITKRB5="yes")

    Because the patch is rather large (commit 5000d023a446
    in main) and a lot of it was a couple of cherry-picks
    from Heimdal 7.8, I cannot easily audit it for any
    security vulnerability it might have introduced.
    As such, I am not comfortable MFC'ng it to stable/14,
    although that would make the conversion path easier.

    So, who out there needs this Heimdal->MIT KDC
    database conversion?

    Thanks for any info, rick


    --
    Posted automagically by a mail2news gateway at muc.de e.V.
    Please direct questions, flames, donations, etc. to news-admin@muc.de
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Sun Oct 5 14:33:30 2025
    From Newsgroup: muc.lists.freebsd.stable

    On Sun, Oct 5, 2025 at 2:05 PM vermaden <vermaden@interia.pl> wrote:

    Hi,

    I am in an opposite camp.

    I tried to make an NFSv4 server on FreeBSD auth users against Red Hat IDM (or FreeIPA) but failed to do so over multiple tries.
    Well, I am involved in testing events (one starting tomorrow) where the infrastructure is done by Redhat and the Kerberos stuff works (and did
    work with the Heimdal stuff as well).
    I don't know, but I suspect your problems are related to the way they
    do ldap or dns and that won't change w.r.t. the MIT transition.
    Yes, getting Kerberos working can be tricky. Just yesterday I struggled
    until I found that the client machine's reverse DNS got the wrong answer.
    A few useful tricks to help diagnose it:
    - Run the gssd with -v and then look at what is in /var/log/daemon.log.
    (If you get an error with a large negative number, you can find those
    in /usr/include/krb5_err.h. This file goes away for MIT, so you might
    want to keep a copy around.)
    - Look in the KDC's log if you have access to it.
    - Capture packets and look at them in wireshark. It can decode all
    the unencrypted stuff and that can give you a hint.
    - Try hard to always use fqdn names (put the fqdn first in the line
    in /etc/hosts if you use one of those).
    Good luck with it, but I doubt the transition to MIT will help? rick

    After I heard that Heimdal will be exchanged for MIT I was more than happy.

    I currently wait till all that Heimdal -> MIT Kerberos change finishes - so I can try again.

    Hope that helps.

    Regards,
    vermaden



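The diagnostic tips in Rick's reply above (run gssd with -v, read /var/log/daemon.log, and look the large negative numbers up in /usr/include/krb5_err.h) can be scripted. The shell script below is an added example, not code from the thread or from FreeBSD: the krb5_err.h excerpt it writes is a constructed sample in the header's #define format (the values are the standard krb5 error-table codes; check them against your own copy, which the reply suggests keeping once MIT replaces Heimdal), the daemon.log lines are constructed too and their wording is assumed (the real gssd -v messages differ; the script keys only on the negative number), and the function names krb5_errname and scan_gssd_log are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: map the large negative krb5 error numbers
# that "gssd -v" logs to /var/log/daemon.log back to their symbolic names,
# using the com_err table in /usr/include/krb5_err.h (or a saved copy of it).

# krb5_errname HEADER NUMBER -> prints the #define name for NUMBER, or "unknown".
# Both Heimdal's and MIT's krb5_err.h define codes in this shape:
#   #define KRB5KDC_ERR_NONE (-1765328384L)
# The first matching line wins.
krb5_errname() {
    header=$1
    code=$2
    name=$(awk -v want="$code" '
        $1 == "#define" && $3 ~ /^\(-?[0-9]+L?\)$/ {
            v = $3
            gsub(/[()L]/, "", v)        # strip the parentheses and the L suffix
            if (v == want) { print $2; exit }
        }' "$header")
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf 'unknown\n'
    fi
}

# scan_gssd_log HEADER LOGFILE -> one "NUMBER NAME" line per krb5 error code
# found in LOGFILE. All krb5 error-table codes fall in -1765328384..-1765328129,
# so the pattern finds the number wherever it sits in the log line, whatever
# wording gssd puts around it.
scan_gssd_log() {
    header=$1
    logfile=$2
    grep -o -e '-17653[0-9]\{5\}' "$logfile" | while read -r code; do
        printf '%s %s\n' "$code" "$(krb5_errname "$header" "$code")"
    done
}

# --- constructed sample inputs so the script runs offline ---------------------
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed excerpt in the format of /usr/include/krb5_err.h. The values are
# the standard krb5 error-table codes; verify them against your own copy.
sample_header="$tmpdir/krb5_err.h"
cat > "$sample_header" <<'EOF'
#define KRB5KDC_ERR_NONE (-1765328384L)
#define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L)
#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)
#define KRB5KRB_AP_ERR_SKEW (-1765328347L)
#define KRB5_KDC_UNREACH (-1765328228L)
EOF

# Constructed daemon.log lines; the message wording is assumed, not gssd's real
# output. Only the negative number is used.
sample_log="$tmpdir/daemon.log"
cat > "$sample_log" <<'EOF'
Oct  5 09:41:12 nfsclient gssd[1234]: gss_init_sec_context failed, minor status -1765328377
Oct  5 09:41:12 nfsclient gssd[1234]: gss_acquire_cred failed, minor status -1765328228
Oct  5 09:41:13 nfsclient nfsd[77]: unrelated line with no Kerberos error code
EOF

scan_gssd_log "$sample_header" "$sample_log"
# prints:
# -1765328377 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
# -1765328228 KRB5_KDC_UNREACH
```

On a real client the call is `scan_gssd_log /usr/include/krb5_err.h /var/log/daemon.log` (or the saved copy of the header, once MIT's install no longer ships it). KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ("server not found in Kerberos database") is the classic result of the client resolving the server's name to something the KDC has no host principal for, which is the reverse-DNS trap the reply describes; KRB5_KDC_UNREACH points at the KDC address or port rather than at the principals.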
  • From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Sun Oct 5 14:40:28 2025
    From Newsgroup: muc.lists.freebsd.stable

    On Sun, Oct 5, 2025 at 2:05 PM vermaden <vermaden@interia.pl> wrote:

    Hi,

    I am in an opposite camp.

    I tried to make an NFSv4 server on FreeBSD auth users against Red Hat IDM (or FreeIPA) but failed to do so over multiple tries.

    After I heard that Heimdal will be exchanged for MIT I was more than happy.

    I currently wait till all that Heimdal -> MIT Kerberos change finishes - so I can try again.
    Although it's a little dated, there might be some useful stuff here: https://people.freebsd.org/~rmacklem/nfs-krb5-setup.txt
    rick

    Hope that helps.

    Regards,
    vermaden

  • From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Sun Oct 5 14:51:34 2025
    From Newsgroup: muc.lists.freebsd.stable

    On Sun, Oct 5, 2025 at 2:47 PM vermaden <vermaden@interia.pl> wrote:

    Thanks for the hints.

    If I fail, I will contact you for help.

    Maybe together we will be able to figure it out.

    IMHO such setup should be even in the FreeBSD Handbook - the FreeIPA is probably the only open and free Microsoft AD solution out there. I would of course add 'Samba 4' in AD mode and OpenLDAP integration.
    Yes, the handbook could definitely use some tlc for Kerberos related stuff. (I'm not a doc guy. Anyone interested?)
    rick

    Although it's a little dated, there might be some useful stuff here. https://people.freebsd.org/~rmacklem/nfs-krb5-setup.txt

    I believe I also tried hints from your guide ... but I have tried way too many different guides ... and all failed.

    Maybe I have done some 'typo' - maybe it's one of the FreeIPA settings - maybe DNS - maybe me ...

    This NFSv4 <-> IDM topic will not leave me be - so I will share how it went next time I will be doing it ... along with results.

    Thanks,
    vermaden
  • From Lexi Winter@ivy@freebsd.org to muc.lists.freebsd.stable on Mon Oct 6 01:56:05 2025
    From Newsgroup: muc.lists.freebsd.stable


    Rick Macklem wrote in <CAM5tNy4BPvMd2Uv_w_qd8oU0sZJ8AwfwWemrE78+tuRgX9Dy7g@mail.gmail.com>:
    The problem is that it will require a
    make buildworld, make installworld from
    sources with WITHOUT_MITKRB5="yes"
    set in /etc/src.conf, followed by an (re)upgrade
    with the default MIT Kerberos setting.
    (ie. no WITHOUT_MITKRB5="yes")

    would it make sense to provide this version of kadmin (+ whatever
    else is required) as a self-contained port, so people could more
    easily install it for a one-off migration? that might also make
    it less risky to provide on 14.x, if that's useful.

  • From Cy Schubert@Cy.Schubert@cschubert.com to muc.lists.freebsd.stable on Mon Oct 6 01:27:08 2025
    From Newsgroup: muc.lists.freebsd.stable

    In message <aOMTpQ43qBRdRyHz@amaryllis.le-fay.org>, Lexi Winter writes:

    Rick Macklem wrote in <CAM5tNy4BPvMd2Uv_w_qd8oU0sZJ8AwfwWemrE78+tuRgX9Dy7g@mail.gmail.com>:
    The problem is that it will require a
    make buildworld, make installworld from
    sources with WITHOUT_MITKRB5="yes"
    set in /etc/src.conf, followed by an (re)upgrade
    with the default MIT Kerberos setting.
    (ie. no WITHOUT_MITKRB5="yes")

    would it make sense to provide this version of kadmin (+ whatever
    else is required) as a self-contained port, so people could more
    easily install it for a one-off migration? that might also make
    it less risky to provide on 14.x, if that's useful.


    kadmin from Heimdal 1.5.2 cannot be ported without porting all or much of Heimdal 1.5.2. It uses many functions in the various Heimdal libraries. A Heimdal 1.5.2 port might be difficult to maintain as it's sensitive to the OpenSSL in base.

    We already have a Heimdal 7.8.0 port that includes a kadmin that does
    support export to MIT. But, it has the same issues with ancient crypto that recent versions of MIT do.
    --
    Cheers,
    Cy Schubert <Cy.Schubert@cschubert.com>
    FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
    NTP: <cy@nwtime.org> Web: https://nwtime.org

    e**(i*pi)+1=0
  • From Lexi Winter@ivy@freebsd.org to muc.lists.freebsd.stable on Mon Oct 6 09:55:18 2025
    From Newsgroup: muc.lists.freebsd.stable


    Cy Schubert wrote in <20251006082708.83FA51876@slippy.cwsent.com>:
    In message <aOMTpQ43qBRdRyHz@amaryllis.le-fay.org>, Lexi Winter writes:
    would it make sense to provide this version of kadmin (+ whatever
    else is required) as a self-contained port, so people could more
    easily install it for a one-off migration? that might also make
    it less risky to provide on 14.x, if that's useful.

    kadmin from Heimdal 1.5.2 cannot be ported without porting all or much of
    Heimdal 1.5.2. It uses many functions in the various Heimdal libraries. A
    Heimdal 1.5.2 port might be difficult to maintain as it's sensitive to the
    OpenSSL in base.

    i don't really follow why this prevents adding it as a port. the
    source is in crypto/heimdal, so we could simply take that source and
    put it in a port.

    it must compile with the version of OpenSSL that's in base, since we
    still ship Heimdal in base. if Heimdal is removed from base, we can
    also remove the port, if needed.

    the point would be to allow people to migrate their Heimdal 1.5 KDCs
    to MIT Kerberos without having to rebuild src twice.

  • From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Mon Oct 6 05:57:16 2025
    From Newsgroup: muc.lists.freebsd.stable

    On Mon, Oct 6, 2025 at 1:27 AM Cy Schubert <Cy.Schubert@cschubert.com> wrote:

    In message <aOMTpQ43qBRdRyHz@amaryllis.le-fay.org>, Lexi Winter writes:

    Rick Macklem wrote in <CAM5tNy4BPvMd2Uv_w_qd8oU0sZJ8AwfwWemrE78+tuRgX9Dy7g@mail.gmail.com>:
    The problem is that it will require a
    make buildworld, make installworld from
    sources with WITHOUT_MITKRB5="yes"
    set in /etc/src.conf, followed by an (re)upgrade
    with the default MIT Kerberos setting.
    (ie. no WITHOUT_MITKRB5="yes")

    would it make sense to provide this version of kadmin (+ whatever
    else is required) as a self-contained port, so people could more
    easily install it for a one-off migration? that might also make
    it less risky to provide on 14.x, if that's useful.
    glebius@ is going to discuss MFC'ng this to stable/14 with secteam@.


    kadmin from Heimdal 1.5.2 cannot be ported without porting all or much of Heimdal 1.5.2. It uses many functions in the various Heimdal libraries. A Heimdal 1.5.2 port might be difficult to maintain as it's sensitive to the OpenSSL in base.

    We already have a Heimdal 7.8.0 port that includes a kadmin that does
    support export to MIT. But, it has the same issues with ancient crypto that recent versions of MIT do.
    The dump created by Heimdal 7.8 has the problems I fixed
    with the patch here:
    https://people.freebsd.org/~rmacklem/kadmin.patch
    Basically, without the above patch, the principals end up
    in the MIT database, but they won't work until a "change_password"
    is done on them.
    I could try to apply the patch to Heimdal 7.8, but I don't know
    how well it will work.
    The more serious concern is "Will Heimdal 7.8 handle the old
    Heimdal 1.5.2 database?".
    This would require some testing/debugging. I don't know if/when
    I might get around to it.
    What I haven't yet seen is a single person putting up their
    hand to say "I need this", so I wonder how much effort is
    justified w.r.t. dealing with it.
    rick

  • From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Mon Oct 6 13:59:29 2025
    From Newsgroup: muc.lists.freebsd.stable

    On Mon, Oct 6, 2025 at 9:04 AM Garrett Wollman <wollman@bimajority.org> wrote:

    <<On Mon, 6 Oct 2025 05:57:16 -0700, Rick Macklem <rick.macklem@gmail.com> said:

    What I haven't yet seen is a single person putting up their
    hand to say "I need this", so I wonder how much effort is
    justified w.r.t. dealing with it.

    The project itself (i.e., freebsd.org infrastructure) is literally the
    only user of a FreeBSD/Heimdal KDC that I know of. I would not be
    surprised if it was the only such realm currently in operation.
    My hunch is close to the same. I suspect there are some "home setups"
    like I use for testing, but those consist of only a few principals, so they
    can just be re-created from scratch.
    rick

    -GAWollman
