On Mon, Aug 25, 2025 at 1:27 PM Rick Macklem <rick.mack...@gmail.com> wrote:
>
> On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <kev...@freebsd.org> wrote:
> >
> > On 8/25/25 07:53, Gleb Smirnoff wrote:
> > >    Hi,
> > >
> > > On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
> > > T> This is an automated email to inform you that the August 2025 stabilization week
> > > T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
> > > T> main-stabweek-2025-Aug.
> > >
> > > This stabilization cycle is expected to be more bumpy than usual.
> > >
> > > 1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
> > > provider is broken.
> I believe that KTLS support isn't yet enabled for it?
> (If so, NFS over TLS won't work.)
>
> > >
> > > 2) The default Kerberos now is MIT.  We have already checked that a Kerberized
> > > NFS client can migrate from Heimdal to MIT.  We did not check Kerberized NFS
> > > server, but should be fine.
> I tested the server a couple of days ago and it was fine.
>
> > > There is not yet an official way to migrate kdc
> > > from Heimdal to MIT.
> Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
> use it to dump the KDC's database in MIT format. (Although Cy seemed to
> find it didn't work, doing this with the "--decrypt" option might retain the
> passwords.)
>
> I'll give this a try and report back if it worked for me.
Well, I'm not having any luck.
Every time I try and use Heimdal-7.8 to load the database from Heimdal-1.5.2,
"kadmin -l" throws this error and exits.

kadmin: rc4 8: EVP_CipherInit_ex einit

I need the Heimdal-7.8 kadmin to work to try and convert the database to
MIT format.

So, does anyone know the trick to fixing this?

rick

>
> rick
>
> > > So, if you are upgrading a machine that is kdc, you need
> > > WITHOUT_MITKRB5="yes" in your src.conf.
> > >
> > > 3) The official pkg repo is now almost empty, see email from Colin [1]. So, do
> > > not rush with 'make delete-old-libs', unless you are ready to build a lot of
> > > packages yourself.
> > >
> > > 4) The unfortunate coincidence with 3) is ABI breakage in the
> > > setgroups(2)/getgroups(2) syscalls compared to the July stabilization point.
> > > Some packages would dump core.  These packages need to be rebuilt.
> > >
> >
> > This should be mitigated if you have COMPAT_FREEBSD14 enabled?  Old packages would
> > reference the old compat symbol versions in libc, which should use the COMPAT_FREEBSD14
> > variants of setgroups/getgroups.  If you have a pointer to scenarios where that isn't
> > the case, that'd be helpful- old packages should be fine in the GENERIC case.
> >
> > Thanks,
> >
> > Kyle Evans
