In message <B9dYbVelBxymjeSLSXKQit3RdzeG3R8OLdfQ9co9Nts-ZFwv55O5YTUpAkZgrpyO OYk [email protected]>, Minsoo Choo writes: > On Sunday, June 15th, 2025 at 11:43 PM, Cy Schubert <Cy.Schubert@cschubert.= > com> wrote: > > > Hi freebsd-current@, > >=20 > > MIT KRB5 has been imported. It is disabled by default. To build and insta= > ll > > MIT KRB5 in 15-CURRENT, > >=20 > > 1. Add WITH_MITKRB5=3Dyes in src.conf. > >=20 > > 2. Do a buildworld and buildkernel. > >=20 > > 3. Then installworld, run etcupdate to update files in /etc. > >=20 > > 4. make delete-old and delete-old-libs. This is important. Skip this step > > and your > > resulting install will contain both MIT and Heimdal Kerberos. This will > > not work. > >=20 > > Avoid using MIT KRB5 (for now) if you are running a Heimdal 1.5.2 KDC on > > FreeBSD. There is a > > procedure to convert the Heimdal HDB to an MIT KRB5 KDB. I am still worki= > ng > > on documenting the procedure. The process is not straightforward as our > > Heimdal 1.5.2 is very old and does not support the feature found later > > versions of Heimdal needed to migrate the HDB to KDB. In a nutshell: one > > must export the HDB, import it into the latest version of Heimdal (using > > ports/security/heimdal), then export an MIT KRB5 export, and finally impo= > rt > > it into a new MIT KRB5 KDB. > >=20 > > If you use FreeBSD as part of an Active Directory domain, MIT KRB5 will > > simplify integration into a Microsoft network. You will still need to use > > winbind from samba or sssd, as Active Directory uses MIT KRB5 and LDAP fo= > r > > authentication. > >=20 > > A ports exp-run will be needed to list any ports that may fail to build > > with MIT KRB5 in base. If any are found they will be fixed before we swit= > ch > > the default from Heimdal 1.5.2 to MIT KRB5 1.21.3. > >=20 > > A decision to remove Heimdal from the source tree will come sometime afte= > r > > the default has been switched from Heimdal to MIT KRB5. > >=20 > > I also expect some ports plumbing changes, especially in Mk/Uses/gssapi.m= > k > > in order to support MIT KRB5 in base. Any required changes should be > > identified with an exp-run. > >=20 > >=20 > > -- > > Cheers, > > Cy Schubert [email protected] > >=20 > > FreeBSD UNIX: [email protected] Web: https://FreeBSD.org > >=20 > > NTP: [email protected] Web: https://nwtime.org > >=20 > >=20 > > e**(i*pi)+1=3D0 > >=20 > >=20 > > Thank you for your great work. I will close D43625 and D43624 as the adopti= > on of MIT krb5 makes them obsolete. > > I have a few questions regarding to MIT krb5 replacing heimdal: > 1. In which FreeBSD version will MIT krb5 be default?
15-RELEASE. > 2. In which FreeBSD version will heimdal be removed? Hopefully 15-RELEASE though 16-RELEASE could be likely. > > Regards, > Minsoo -- Cheers, Cy Schubert <[email protected]> FreeBSD UNIX: <[email protected]> Web: https://FreeBSD.org NTP: <[email protected]> Web: https://nwtime.org e**(i*pi)+1=0
