Moving a KDC from Red Hat 8 to OpenBSD 3.3

2003 August 9
by darkness

I’ve decided to move a few of my security-conscious services over to an OpenBSD box. Today I moved my Kerberos domain.

A quick note. OpenBSD is fun. It’s kind of nice to get back to not feeling like your system might be laden with cruft you won’t use. Of course, I got annoyed that I didn’t have a simple ntp.conf, for example, to start with. I also hate the way init is laid out; give me SysV-style init any day.

So Red Hat 8.0 ships with MIT Kerberos V 1.2.5. OpenBSD 3.3 ships with Heimdal. I followed the instructions for setting up a Kerberos V server in the Red Hat 8.0 manual when I did this originally. All the paths I give pretty much depend on you configuring things like they’re described there.

First, run kdb5_util dump -b7 -verbose krb5-dump as root on the Linux box. This gives you a krb5-dump file. This, combined with /var/kerberos/krb5kdc/.k5.YOUR.REALM (where YOUR.REALM is really your Kerberos realm name), will need to be copied to the OpenBSD box. krb5-dump is a dump of all your principals, and the .k5… file is your “master key stash.” I think. If you don’t use -b7 to dump in what appears to be a slightly older format, the Heimdal tools won’t understand the dump.

Now hop on over to your OpenBSD box and create /var/heimdal, root:wheel, 0640. Next, run /usr/libexec/hprop -m the-stash-file -d krb5-dump --source=mit-dump -n | /usr/libexec/hpropd -n on the OpenBSD box. Note that hpropd needs to be run as root, as it’s going to write out your database, so if you’re a fan of running as a regular user and using sudo, tack sudo in front of hpropd. Now move the stash file to /var/heimdal/m-key and make sure that file is 0640 root:wheel. By now you hopefully have /var/heimdal/heimdal.db from hpropd.

You’re pretty much done at this point. You need to configure /etc/kerberosV/krb5.conf; there’s a sample file in that directory as well. Don’t forget to create a host principal for your KDC if you need one. Instructions for doing that are in info heimdal and krb5.conf(5). You can run verify_krb5_conf and get a little help making sure your krb5.conf is at least possibly OK. You probably want a /var/heimdal/kadmind.acl file, also described in the Heimdal info pages. You also probably want krb5_master_kdc=YES in /etc/rc.conf.local.
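The three steps above, wrapped into a small shell script as an added example (not from the original post). The tool paths, file locations and permissions follow the post; the realm name, the "--run" entry point and the function names are this example's own assumptions. The permission check is the part worth keeping around: a stash file that is readable beyond root:wheel is a complete KDC compromise, so the script refuses to call the migration done until /var/heimdal/m-key looks right.

```sh
#!/bin/sh
# Added example (not from the original post): the MIT-to-Heimdal steps wrapped
# in a few shell functions, plus a permission check for the master key stash.
# Paths follow the post; REALM and the "--run" entry point are assumptions.

# Location of the MIT master key stash on the Red Hat box (from the post).
mit_stash_path() {
    printf '/var/kerberos/krb5kdc/.k5.%s\n' "$1"
}

# Dump command for the Linux (MIT) KDC. -b7 selects the older dump format
# that Heimdal's hprop --source=mit-dump can read.
mit_dump_cmd() {
    printf 'kdb5_util dump -b7 -verbose %s\n' "$1"
}

# Import pipeline for the OpenBSD (Heimdal) box. hpropd writes
# /var/heimdal/heimdal.db, so it must run as root.
hprop_cmd() {
    printf '/usr/libexec/hprop -m %s -d %s --source=mit-dump -n | /usr/libexec/hpropd -n\n' "$1" "$2"
}

# True when the file's mode string is exactly -rw-r----- (0640).
# ls(1) is used so the check reads the same on GNU and BSD userlands.
mode_is_0640() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r-----" ]
}

# True when the file is owned by user $2 and group $3 (root:wheel in the post).
owned_by() {
    og=$(ls -ld "$1" | awk '{print $3 ":" $4}')
    [ "$og" = "$2:$3" ]
}

# Verify the imported master key file the way the post specifies.
check_stash() {
    f=${1:-/var/heimdal/m-key}
    mode_is_0640 "$f" || { echo "bad mode on $f (want 0640)" >&2; return 1; }
    owned_by "$f" root wheel || { echo "bad owner on $f (want root:wheel)" >&2; return 1; }
}

# Entry point: prints the commands to run on each host, then checks the
# stash on the OpenBSD side. Invoke as: sh migrate.sh --run YOUR.REALM
main() {
    realm=${1:-YOUR.REALM}
    stash=$(mit_stash_path "$realm")
    echo "# on the Red Hat box, as root:"
    mit_dump_cmd krb5-dump
    echo "# copy krb5-dump and $stash to the OpenBSD box, then there, as root:"
    echo "install -d -o root -g wheel -m 0640 /var/heimdal"
    hprop_cmd ".k5.$realm" krb5-dump
    echo "mv .k5.$realm /var/heimdal/m-key"
    echo "chown root:wheel /var/heimdal/m-key && chmod 0640 /var/heimdal/m-key"
    # Only meaningful once the commands above have actually been run on the KDC.
    [ -f /var/heimdal/m-key ] && check_stash /var/heimdal/m-key && echo "stash permissions OK"
}

case "${1:-}" in --run) shift; main "$@" ;; esac
```

Running it with --run only prints the commands; nothing on the KDC is touched until you execute them yourself, and the final check fails loudly if the stash ended up world-readable or owned by the wrong user.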

One more note about OpenBSD, unrelated to Kerberos. Here’s information on the stable branch of OpenBSD, packages fixed in 3.3-stable, OpenBSD anonymous CVS instructions, and if you want to know what’s changed in -stable you need (I think) the OpenBSD errata. (Honestly, this is more for my future benefit than yours. Sorry you had to sit through it.)
