Configuring KDC on FreeBSD 14.0

[abishai]

I try to switch from Samba to NFSv4 since it works in jail starting from 14.0-RELEASE, but I want a bit of security. I use the following guide: https://www.freebsdhandbook.com/security#kerberos5

After I installed security/heimdal I noticed, that 2 versions of kadmin exist.
/usr/bin/kadmin
/usr/local/bin/kadmin

When handbook tells to run kadmin -l, base verion will be picked by default.
It segfaults during init phase

root@kerberos:/ # kadmin -l
kadmin> init EXAMPLE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
Segmentation fault (core dumped)

/usr/local/bin/kadmin doesn't crash, but fails to initialize database with

root@kerberos:/ # /usr/local/bin/kadmin -l
kadmin> init EXAMPLE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: rc4 8: EVP_CipherInit_ex einit

RC4 looks insecure, maybe it was removed from OpenSSL in base?
Since I'm not familiar with Kerberos at all, maybe you can give my some hints how to initialize realm database? Or maybe Kerberos just not plays well with FreeBSD ?

 

[abishai]

I've found an investigation here https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275915, looks like several weak cyphers was removed from base's OpenSSL in FreeBSD 14.0
Here is solution for base kadmin

Append to /etc/krb5.conf

[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt

No idea why we ever need security/heimdal at all, I'll try to remove it and continue to setup KDC.