[3219] in Kerberos
Re: Problems getting V5 to talk to V4
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Sun May 1 15:17:24 1994
To: kerberos@MIT.EDU
Date: Fri, 29 Apr 1994 09:41:48
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com
cflaniga@oucsace.cs.ohiou.edu (C. Patrick Flanigan) writes:
> Hello everyone. I'm running into some problems as I try to install a
>Kerberos V5 server and I thought perhaps I could benefit by the collective
>experience of this newsgroup. My problem lies in the fact that this kerberos
>has to work with a Xyplex terminal server which only speaks V4. I've built
>the new program in V4 compatibility mode and am using V4 keys. Users are
>able to present their login passwords at the xyplex and have kerberos
>verify them -- so far so good, but I can't figure out how to configure things
>so that they can change their passwords from the Xyplex prompt. Peeking at
>the packet interchange between the two boxes indicates that the Xyplex wants
>to connect to the kerberos_master port, rather than the port the kadmin
>daemon listens on. Does anyone have any ideas what I'm doing wrong?

You're not doing anything wrong; the code simply doesn't support what
you're trying to do.

While the V5 KDC server has V4 compatibility built in (which is why getting
V4 tickets works), the V5 kadmin server (at least the one supplied with MIT
Beta 3) doesn't support the V4 kadmin protocol, which is what you need
to change passwords. There is one source file included with the Beta 3
kadmin server that has at least the beginnings of V4 kadmind support, but
more work would be needed to make it fly (for starters, it would have
to listen on the kerberos_master port (751), which is what most V4 kadmin
clients expect to use, as well as the kerberos_adm port (752) which the
V5 Beta 3 kadmin uses).

Probably the best bet, if you still have the V4 code around (which you
probably do if you made the V4 compatibility work with the V5 KDC), is
to take the V4 kadmin server code and change it to use the kdb5 data
representations and library calls, and build it as a separate daemon (should
work, since it's using a different port than the V5 kadmind). Note that
you'll have to make sure to get things like the salt type right for V4
compatibility (left as an exercise for the reader... :-)
-Shawn Mamros
E-mail to: mamros@ftp.com