On Wed, Sep 3, 2025 at 8:28 AM Rick Macklem <[email protected]> wrote: > > On Tue, Sep 2, 2025 at 10:10 PM Rick Macklem <[email protected]> wrote: > > > > On Tue, Sep 2, 2025 at 9:37 PM Cy Schubert <[email protected]> > > wrote: > > > > > > In message > > > <[email protected] > > > om> > > > , Rick Macklem writes: > > > > On Sun, Aug 31, 2025 at 5:58=E2=80=AFPM Rick Macklem > > > > <[email protected]= > > > > m> wrote: > > > > > > > > > > On Sun, Aug 31, 2025 at 5:41=E2=80=AFPM Rick Macklem > > > > > <rick.macklem@gmail.= > > > > com> wrote: > > > > > > > > > > > > On Sat, Aug 30, 2025 at 9:47=E2=80=AFPM Rick Macklem > > > > > > <rick.macklem@gmai= > > > > l.com> wrote: > > > > > > > > > > > > > > On Sat, Aug 30, 2025 at 4:22=E2=80=AFPM Rick Macklem > > > > > > > <rick.macklem@gm= > > > > ail.com> wrote: > > > > > > > > > > > > > > > > On Sat, Aug 30, 2025 at 8:56=E2=80=AFAM Rick Macklem > > > > > > > > <rick.macklem@= > > > > gmail.com> wrote: > > > > > > > > > > > > > > > > > > On Fri, Aug 29, 2025 at 1:05=E2=80=AFPM Rick Macklem > > > > > > > > > <rick.mackle= > > > > [email protected]> wrote: > > > > > > > > > > > > > > > > > > > > On Fri, Aug 29, 2025 at 7:43=E2=80=AFAM Rick Macklem > > > > > > > > > > <rick.mack= > > > > [email protected]> wrote: > > > > > > > > > > > > > > > > > > > > > > On Wed, Aug 27, 2025 at 8:39=E2=80=AFPM Rick Macklem > > > > > > > > > > > <rick.ma= > > > > [email protected]> wrote: > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Aug 27, 2025 at 7:43=E2=80=AFPM Rick Macklem > > > > > > > > > > > > <rick.= > > > > [email protected]> wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > On Tue, Aug 26, 2025 at 9:35=E2=80=AFAM Gleb Smirnoff > > > > > > > > > > > > > <gl= > > > > [email protected]> wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb > > > > > > > > > > > > > > Smirnoff= > > > > wrote: > > > > > > > > > > > > > > T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick > > > > > > > > > > > > > > Mackl= > > > > em wrote: > > > > > > > > > > > > > > T> R> Ok. If you install FreeBSD-13.5 and then "pkg > > > > > > > > > > > > > > ins= > > > > tall heimdal", you get a > > > > > > > > > > > > > > T> R> working Heimdal-7.8 in ports. > > > > > > > > > > > > > > T> R> > > > > > > > > > > > > > > T> R> Now, I have another challenge. Fixing the > > > > > > > > > > > > > > master = > > > > passwords. > > > > > > > > > > > > > > T> R> I'll work on it later to-day. > > > > > > > > > > > > > > T> > > > > > > > > > > > > > > T> I have applied two commits from Heimdal from > > > > > > > > > > > > > > 2012 th= > > > > at add 'kadmin dump -f MIT' > > > > > > > > > > > > > > T> feature to our base heimdal and polished them to > > > > > > > > > > > > > > com= > > > > pile. So far it doesn't > > > > > > > > > > > > > > T> work yet, either create an empty dump or create > > > > > > > > > > > > > > a co= > > > > re dump, instead of > > > > > > > > > > > > > > T> database dump :) I'll see how difficult it is > > > > > > > > > > > > > > going = > > > > to further resolve that to > > > > > > > > > > > > > > T> a working condition. If I succeed, then having > > > > > > > > > > > > > > 'dump= > > > > -f MIT' in base without > > > > > > > > > > > > > > T> any ports would be the best solution. Can also > > > > > > > > > > > > > > be m= > > > > erged to FreeBSD 14.4. > > > > > > > > > > > > > > > > > > > > > > > > > > > > Good news. In the above paragraph I was testing my > > > > > > > > > > > > > > cha= > > > > nge incorrectly - threw > > > > > > > > > > > > > > the new binary on a system running unpatched > > > > > > > > > > > > > > libraries.= > > > > When run correctly, > > > > > > > > > > > > > > it successfully produced something that looks like > > > > > > > > > > > > > > a co= > > > > rrect dump in MIT format. > > > > > > > > > > > > > > I haven't yet tried to load it into MIT kdc yet, > > > > > > > > > > > > > > though= > > > > . > > > > > > > > Well, would you like the not so bad news or the bad news??;-) > > > > > > > > Your patch works, in that it produces a dump that "kdb5_util > > > > > > > > load > > > > > > > > -update" can load. > > > > > > > > After loading, if the principal only has keys for the newer > > > > > > > > encrypt= > > > > ion types of > > > > > > > > aes256-cts-hmac-sha1-96 > > > > > > > > aes128-cts-hmac-sha1-96 > > > > > > > > then you can look at the principal via kadmin.local, but the > > > > > > > > passwo= > > > > rd must > > > > > > > > be changed before it works. > > > > > > > > --> This is the same behaviour as you get if you use > > > > > > > > Heimdal-7.8 to= > > > > do the > > > > > > > > dump conversion. > > > > > > > > So far, so good... > > > > > > > > > > > > > > > > Now, the not so good news. Once you update the Heimdal libraries > > > > > > > > (libhdb.so and libkadm5srv.so) "kadmin -l" is broken on the > > > > > > > > system > > > > > > > > running the old KDC. "kadmin -l dump" works, but something like: > > > > > > > > # kadmin -l > > > > > > > > kadmin> get rmacklem > > > > > > > > kadmin: get rmacklem: Service key not available > > > > > > > > - I have not yet looked in your patched sources to see where > > > > > > > > this > > > > > > > > failure comes from? > > > > > > > > > > > > > > > > Now, more not so good news... > > > > > > > > My patch doesn't help. > > > > > > > > It does re-encrypt the key in the master key from the MIT KDC > > > > > > > > system, but that doesn't make the password work. > > > > > > > > When I compared the dump generated via kadmin with both > > > > > > > > your patch and mine, the key for aes256-cts-hmac-sha1-96 > > > > > > > > is 34bytes long. > > > > > > > > After doing the change_password so that it works, a dump > > > > > > > > generated by "kdb5_util dump -r13" (the same dump format) > > > > > > > > has a key that is 62bytes long. > > > > > > > > --> So, there is more to converting the key than just > > > > > > > > re-ecrypting > > > > > > > > it. (I'll try and find where the MIT code encrypts a key > > > > > > > > in a= > > > > master > > > > > > > > key to see why it ends up at 62bytes and whether that can > > > > > > > > be = > > > > done > > > > > > > > in the old code.) > > > > > > > > > > > > > > > > So, if we are going to continue with this... > > > > > > > > - We need to figure out why your patch breaks "kadmin" for other > > > > > > > > things and fix that. > > > > > > > > - I/we need to figure out how to convert the 34byte key to the > > > > > > > > MIT > > > > > > > > 62byte key (and then maybe the password won't need to be > > > > > > > > changed?= > > > > ). > > > > > > > > > > > > > > > > Or do we just say "When you convert the KDC database, all the > > > > > > > > passw= > > > > ords > > > > > > > > must be changed to get them to work?". > > > > > > > All I've got sofar is this patch... > > > > > > > https://people.freebsd.org/~rmacklem/print.patch > > > > > > > > > > > > > > It tweaks entry2mit_string_int() so that it skips over the keys > > > > > > > for > > > > > > > old encryption types and fills in a fake "modified by" entry if > > > > > > > none > > > > > > > exists. > > > > > > > > > > > > > > These changes at least make the MIT dump such that the records > > > > > > > don't end up "incomplete or corrupted" when you try to do > > > > > > > something > > > > > > > like "get_principal <principal>" in kadmin.local. > > > > > > > > > > > > > > As noted, your patch makes "kadmin -l" break for most things, > > > > > > > reporting "Service key not available". The failures go away if > > > > > > > you revert back to the non-patched libraries. > > > > > > > I have not located the problem yet. > > > > > > > > > > > > > > As for the passwords...no luck yet, rick > > > > > > Finally..it works. (First off, apologies for all the posts, just > > > > > > ignore > > > > > > them.;-) > > > > > > > > > > > > The patch is at: > > > > > > https://people.freebsd.org/~rmacklem/kadmin.patch > > > > I just updated the patch with a fix for the case where the > > > > Heimdal principal does not have any keys for string encryption. > > > > (That is fixed now and I haven't found any other bugs, so I > > > > think I am done playing with it. Yippee!!) > > > > > > > > Please test when you can find the time, rick > Outstanding issue/question w.r.t. converting the KDC database > from Heimdal 1.5.2->MIT. > > Right now, the patch I have drops the weak encryption type keys > (des3.. and arcfour..). > If the principal in the Heimdal KDC does not have keys for either > of: > aes256-cts-hmac-sha1-96 > aes128-cts-hmac-sha1-96 > the patch generates a "fake" one. As a result, a change_password > for the principal is needed for this case. > > The alternative to doing this would be an option that converts > the weak keys, but... > - The MIT KDC will find the principal "incomplete or corrupted" > for at least the "out-of-the-box" configuration. > - It might accept them if "accept_weak_ecntypes" is set in > the kdc.conf. > This leads to a couple of questions: > - Does anyone know if MIT 1.22 still allows > "accept_weak_enctypes? > If it does not allow them, I don't think there is much use > for this option? > > Given the release schedule, it would be nice to get this > resolved soon. Since no one reported whether or not they saw the "Service key not available" errors from the patched kadmin for commands like "get", I poked at it and found it was caused by some code the cherry-pick from the newer Heimdal added, related to historical keys (which are not supported by Heimdal 1.5.2.)
Commenting out one new function the cherry-pick added along with the two calls to it seems to have fixed the problem. I've updated my patch at: https://people.freebsd.org/~rmacklem/kadmin.patch to include these changes. So, can you guys test this and get it into main? (You are welcome to include my patch in the commit, That is probably faster than doing it as a separate one.) At this point, it works for everything I have tested and, yes, the passwords do work after the dump is loaded into the MIT KDC! rick ps: I cannot test it more than I have already done until it is in a snapshot that I can install for further testing. > Also, someone needs to document this. > The Handbook section does a nice job of explaining > the setup of a Heimdal KDC, but has nothing w.r.t. > setting up an MIT KDC nor converting the KDC database > over to it. > > rick > > > > > > > I think the problem is with OpenSSL 3.5. With the legacy provider loaded > > > in > > > OpenSSL 3.5 I get, > > > > > > test3# openssl list -providers > > > Providers: > > > default > > > name: OpenSSL Default Provider > > > version: 3.5.1 > > > status: active > > > test3# > > > > > > Whereas in 3.0 I get, > > > > > > bob# openssl list -providers > > > Providers: > > > default > > > name: OpenSSL Default Provider > > > version: 3.0.16 > > > status: active > > > legacy > > > name: OpenSSL Legacy Provider > > > version: 3.0.16 > > > status: active > > > bob# > > > > > > Some symbol must be missing. > > Ok, I seem to have missed something here? > > Just in case it wasn't clear, I was referring to testing of the > > kadmin patches for the old Heimdal, so that the KDC database > > can be moved to an MIT KDC and still work. > > > > rick > > > > > > > > > > > -- > > > Cheers, > > > Cy Schubert <[email protected]> > > > FreeBSD UNIX: <[email protected]> Web: https://FreeBSD.org > > > NTP: <[email protected]> Web: https://nwtime.org > > > > > > e**(i*pi)+1=0 > > > > > >
