Hi freebsd-current@,

MIT KRB5 has been imported. It is disabled by default. To build and install MIT KRB5 in 15-CURRENT,

1.  Add WITH_MITKRB5=yes in src.conf.

2.  Do a buildworld and buildkernel.

3.  Then installworld, run etcupdate to update files in /etc.

4.  make delete-old and delete-old-libs. This is important. Skip this step
    and your resulting install will contain both MIT and Heimdal Kerberos.
    This will not work.

Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC on 
FreeBSD. There is a procedure to convert the Heimdal HDB to an MIT KRB5 KDB. 
I am still working on documenting the procedure. The process is not 
straightforward as our Heimdal 1.5.2 is very old and does not support the 
feature found in later versions of Heimdal needed to migrate the HDB to KDB. 
In a nutshell: one must export the HDB, import it into the latest version of 
Heimdal (using ports/security/heimdal), then export an MIT KRB5 export, and 
finally import it into a new MIT KRB5 KDB.

If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will 
simplify integration into a Microsoft network. You will still need to use 
winbind from samba or sssd, as Active Directory uses MIT KRB5 and LDAP for 
authentication.

A ports exp-run will be needed to list any ports that may fail to build 
with MIT KRB5 in base. If any are found they will be fixed before we switch 
the default from Heimdal 1.5.2 to MIT KRB5 1.21.3.

A decision to remove Heimdal from the source tree will come sometime after 
the default has been switched from Heimdal to MIT KRB5.

I also expect some ports plumbing changes, especially in Mk/Uses/gssapi.mk 
in order to support MIT KRB5 in base. Any required changes should be 
identified with an exp-run.


-- 
Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX:  <c...@freebsd.org>   Web:  https://FreeBSD.org
NTP:           <c...@nwtime.org>    Web:  https://nwtime.org

                        e**(i*pi)+1=0
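
A post-install check for the mixed MIT/Heimdal state that step 4 warns about, added here as an example; it is not part of the original message or of FreeBSD. The marker library names and the function names are assumptions: libhx509, libroken and libheimbase are taken to ship only with Heimdal, libk5crypto and libkrb5support only with MIT KRB5.

```shell
#!/bin/sh
# Report which Kerberos implementation's shared libraries are present in the
# given library directories, so a skipped delete-old-libs step is noticed.
# Assumption: these library names are unique to each implementation.
HEIMDAL_MARKERS="libhx509 libroken libheimbase"
MIT_MARKERS="libk5crypto libkrb5support"

# has_marker LIBDIR NAME... -> succeeds if any NAME.so* exists in LIBDIR
has_marker() {
    libdir=$1
    shift
    for name in "$@"; do
        for f in "$libdir/$name".so*; do
            # An unmatched glob stays literal and fails the -e test.
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# krb5_flavor DIR... -> prints one of: mixed, mit, heimdal, none
krb5_flavor() {
    heimdal=no
    mit=no
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        has_marker "$dir" $HEIMDAL_MARKERS && heimdal=yes
        has_marker "$dir" $MIT_MARKERS && mit=yes
    done
    case "$heimdal/$mit" in
        yes/yes) echo mixed ;;
        no/yes)  echo mit ;;
        yes/no)  echo heimdal ;;
        *)       echo none ;;
    esac
}

# Stand-alone use: pass the directories to scan, e.g. /lib /usr/lib
if [ "$#" -gt 0 ]; then
    krb5_flavor "$@"
fi
```

A result of `mixed` after installworld with WITH_MITKRB5=yes means step 4 still has to be run.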