[4303] in Kerberos
K4 service ticket decryption on MVS
daemon@ATHENA.MIT.EDU (arogers@VNET.IBM.COM)
Fri Dec 9 17:58:38 1994
Date: Fri, 9 Dec 94 17:42:24 EST
From: arogers@VNET.IBM.COM
To: KERBEROS@MIT.EDU
Reply-To: AROGERS@VNET.IBM.COM
Christopher.I.Davies@Bell-Atl. wrote: Com
< We are attempting to decrypt a V4 service ticket (issued from a
< UNIX machine) on MVS and are running into problems. Has anyone
< accomplished this task yet? The scenario is as follows:
< We have a KDC running on Solaris. We have the sample_server program
< running on MVS with a srvtab file extracted from the database on the
< Solaris machine and ftp'd up to the mainframe.
< We then (successfully) get a TGT, and invoke the sample_client
< on Solaris. It fails with a "Can't decode authenticator (krb_rd_req)
< error. My suspicion is that there is something wrong with the srvtab
< file that was shipped up to the mainframe from Solaris.
Chris, you may be right! (We hit this with extracting srvtab files
from an AIX based Kerberos database.) The "trick" is that the MVS port
of Kerberos (IBM's TCPIP one) expects the srvtab to have one srvtab
ASCII character per record. The record length of that file is 1 and
it contains as many records as characters in the source srvtab records.
We had to issue the ftp commands to force record length to 1 AND
specify binary to prevent character translation from ASCII to EBCDIC.
Try that and see if it cures the problem.
Anne M. Rogers
-----------------------------------------------------------------------
IBM/ISSC Internet:arogers@vnet.ibm.com | Comments & Opinions are mine,
VNET:RHQVM09(ROGERSAM); IBMMAIL(USIB5P7F)| not my employer's.
(716)723-4282,TL451-4282;fax(716)723-4299|
