Native FreeBSD Kerberos/LDAP with FreeIPA/IDM

MIT move brings cheers, side‑eye, and a ‘don’t leak your keys’ scare

TLDR: FreeBSD 15’s switch to MIT Kerberos enables a simpler guide for logging machines into a central FreeIPA server. Commenters cheer the lighter setup but warn about nasty failure modes and a key security gotcha (don’t leak the key file), while others question abandoning Heimdal instead of upgrading it.

FreeBSD 15’s big switch from one login system (Heimdal) to another (MIT Kerberos) just got a turbo‑charged how‑to, and the comments lit up like a server rack at 2 a.m. The blogger credits Larvitz’s original guide and doubles down with copy‑paste‑ready commands to hook FreeBSD into a central login service called FreeIPA, using a lighter helper tool instead of the old heavyweight setup.

The community vibes? Equal parts applause, panic, and pure sysadmin gallows humor. One user slammed the brakes with a security PSA: if you fetch the secret “keytab” file over the web and leave it lying around on the server, “anyone” could grab it and pretend to be your machine. Cue the chorus of “encrypt it, delete it, do not pass Go.” Meanwhile, a veteran rolled in with their DIY empire—OpenLDAP (address book), MIT Kerberos (logins), and PowerDNS (names)—and joked about mastering “ldif incantations,” like they’re casting spells just to get group memberships working.

Then came the existential dread: another commenter called the whole identity stack “incredibly byzantine,” warning that when it breaks, it breaks ugly. And a thoughtful skeptic asked the million‑dollar question: why ditch Heimdal at all—why not just upgrade it? In short: new setup, fewer moving parts, but the age‑old drama remains. It’s faster, lighter, and still one typo from chaos—classic sysadmin TV.

Key Points

  • FreeBSD 15.0-RELEASE switched from Heimdal to MIT Kerberos, enabling native Kerberos/LDAP integration with FreeIPA/IdM.
  • The guide replaces prior sssd-based methods with a simpler setup using nslcd from the nss-pam-ldapd package.
  • Steps include switching pkg to latest, installing nss-pam-ldapd, pam_mkhomedir, sudo, and doas, and configuring name resolution.
  • On the IdM server, the process adds DNS and host entries and retrieves a host keytab via ipa-getkeytab.
  • On the FreeBSD host, the keytab is placed at /etc/krb5.keytab with proper permissions and verified using klist.
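As an added example (not code from the guide or the commenters), a small POSIX sh check for the last step above: it confirms the installed keytab is a regular file owned by root with mode exactly 0600, then lists its entries with `klist -k -t` when MIT Kerberos tools are on the box. The function names and the optional owner argument are my own; it assumes `ls -ld` prints the usual mode and owner columns (true on FreeBSD and Linux).

```shell
#!/bin/sh
# Added example: sanity-check a host keytab such as /etc/krb5.keytab.
# A keytab readable by anyone but root lets that reader act as the host,
# so the permission check is the security-relevant part.

# check_keytab FILE [OWNER]: return 0 only if FILE is a regular file,
# owned by OWNER (default root), with mode exactly 0600.
check_keytab() {
    f=$1
    want_owner=${2:-root}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Portable mode/owner extraction: works with both BSD and GNU ls.
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    case "$mode" in
        -rw-------*) ;;   # u=rw only; trailing + or @ (ACL/xattr) tolerated
        *) echo "bad mode $mode on $f (want -rw-------)" >&2; return 1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "bad owner $owner on $f (want $want_owner)" >&2
        return 1
    fi
    return 0
}

# verify_keytab FILE [OWNER]: permission check, then show the principals
# and key versions so the host entry can be eyeballed (klist optional).
verify_keytab() {
    check_keytab "$1" "${2:-root}" || return 1
    if command -v klist >/dev/null 2>&1; then
        klist -k -t "$1"
    fi
}

# Usage on the FreeBSD host after copying the keytab into place:
#   verify_keytab /etc/krb5.keytab
```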

Hottest takes

“Don’t forget to delete the keytab file from the ipa server!” — ipython
“the freeipa/sssd/nss/pam/krb/ldap/dns … stack is just incredibly byzantine” — zokier
“why not upgrade to a newer version of Heimdal instead of switching” — ptx
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.