[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Date: Tue, 20 Dec 2022 23:27:44 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #38 from Cy Schubert <cy@FreeBSD.org> ---

(In reply to amendlik from comment #37)

The former. You don't have the means or ability to apply a patch -- the vast majority of people don't, and I (with 45 years of IT experience) seem to forget this sometimes. My comments were a reset to square one, to use the binary tools at our disposal. It's a "let's use this to test the hypothesis." My sandbox at $JOB is a 13.1p3 machine with no /usr/src and no /usr/ports. I understand not having the means to do anything but pkg install.

The hypothesis is that Heimdal in base is way out of date. That won't change anytime soon, as upgrading it isn't simple. It regressed authentication significantly because much code was added to other parts of FreeBSD to work with it. Upgrading Heimdal to 7.8.0 breaks all the code that depends on 1.5.0. To test this theory would be to try something that is linked with MIT KRB5 1.20.1 instead of the ancient Heimdal. If that works we have a) a workaround until Heimdal can be updated in FreeBSD and b) something that can be pointed to in order to possibly replace Heimdal with MIT (which some have opposed because the kadmin protocols between the two are incompatible, causing existing users POLA). Heimdal and MIT use the same protocol for authentication (KDC) but use different protocols for administration (kadmin).

I'm also not sure if FreeIPA is using the Red Hat KRB5. Red Hat has applied patches to their KRB5 that are not applied to MIT's version (or what we use in FreeBSD ports). This is because they backport patches from MIT to their ancient MIT KRB5. Red Hat does this for all software in order to maintain their ten-year guarantee. (Heard it was five years now.) Long story short, I don't know if this is caused by an ancient Heimdal in FreeBSD or a divergent MIT in Red Hat's KRB5, or if this was caused by some patch applied to FreeIPA's KRB5.
My strategy is to isolate the problem using whatever tools are at our disposal. If we can't isolate the problem, we're left with reviewing source code in FreeBSD Heimdal and FreeIPA KRB5, and this is time consuming. BTW, I don't get paid for this. This is a volunteer effort. I have a full-time day job as a sysadmin at a small datacentre with approximately 10k servers (actually two datacentres in two cities).

-- You are receiving this mail because: You are the assignee for the bug.
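The isolation step described in the comment above (try a client linked against MIT KRB5 from ports instead of the base Heimdal, and see whether the KDC accepts it) can be scripted so the two results are compared side by side. The script below is an added example, not part of the bug report or of FreeBSD; it assumes the base Heimdal kinit lives at /usr/bin/kinit and the security/krb5 port's MIT kinit at /usr/local/bin/kinit (both overridable through the environment), and the KRB5_PROBE_PRINCIPAL variable and the verdict strings are this example's own conventions.

```sh
#!/bin/sh
# krb5-probe.sh (added example, not from the bug report): run the same kinit
# against the FreeIPA KDC with FreeBSD's base Heimdal and with the MIT krb5
# from ports, then report which side of the exchange the failure sits on.
#
# Assumed paths (override via environment):
#   HEIMDAL_KINIT  base system kinit        (assumed: /usr/bin/kinit)
#   MIT_KINIT      security/krb5 port kinit (assumed: /usr/local/bin/kinit)
# KRB5_PROBE_PRINCIPAL selects the principal to test; when unset the script
# only defines its functions, so it can be sourced without touching the KDC.

HEIMDAL_KINIT=${HEIMDAL_KINIT:-/usr/bin/kinit}
MIT_KINIT=${MIT_KINIT:-/usr/local/bin/kinit}

# run_kinit BINARY PRINCIPAL: obtain a TGT into a private, throwaway credential
# cache so neither run can reuse tickets the other one fetched. The password
# is prompted interactively by kinit itself. Returns kinit's exit code
# (127 when the binary does not exist, as the shell reports it).
run_kinit() {
    _bin=$1; _princ=$2
    _cc=$(mktemp -t krb5probe) || return 127
    rm -f "$_cc"                      # let kinit create the cache itself
    echo "== $_bin $_princ"
    KRB5CCNAME="FILE:$_cc" "$_bin" "$_princ"
    _rc=$?
    rm -f "$_cc"
    return $_rc
}

# interpret HEIMDAL_RC MIT_RC: turn the two exit codes into a verdict. The
# verdict keyword before the colon is stable so it can be checked by scripts.
interpret() {
    _h=$1; _m=$2
    if [ "$_h" -eq 127 ] || [ "$_m" -eq 127 ]; then
        echo "inconclusive: one kinit is missing (pkg install krb5 for the MIT one)"
    elif [ "$_h" -eq 0 ] && [ "$_m" -eq 0 ]; then
        echo "both-ok: the KDC accepts both clients; look past kinit (PAM/sshd stack)"
    elif [ "$_h" -ne 0 ] && [ "$_m" -eq 0 ]; then
        echo "heimdal-only: supports the outdated-Heimdal hypothesis; MIT is a workaround"
    elif [ "$_h" -eq 0 ] && [ "$_m" -ne 0 ]; then
        echo "mit-only: the MIT client or its krb5.conf is at fault, not base Heimdal"
    else
        echo "both-fail: check realm/KDC settings in krb5.conf, DNS, clock skew, network"
    fi
}

# Only probe the KDC when a principal was explicitly supplied.
if [ -n "${KRB5_PROBE_PRINCIPAL:-}" ]; then
    run_kinit "$HEIMDAL_KINIT" "$KRB5_PROBE_PRINCIPAL"; h_rc=$?
    run_kinit "$MIT_KINIT" "$KRB5_PROBE_PRINCIPAL";     m_rc=$?
    echo "heimdal rc=$h_rc  mit rc=$m_rc"
    interpret "$h_rc" "$m_rc"
fi
```

Run it as `KRB5_PROBE_PRINCIPAL=user@EXAMPLE.REALM sh krb5-probe.sh` on the affected host; kinit prompts for the password once per implementation. Using a separate FILE: cache per run keeps the default cache untouched and guarantees that a "success" really came from a fresh AS exchange with the KDC rather than from a ticket the other client had already obtained.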