[5489] in Kerberos
Kerberos 5 supporting K 4?
daemon@ATHENA.MIT.EDU (Michael Helm)
Wed Jul 12 22:10:42 1995
To: kerberos@MIT.EDU
Date: 13 Jul 1995 00:33:18 GMT
From: mike@frey.lbl.gov (Michael Helm)
Reply-To: mike@fionn.lbl.gov (Michael Helm)
I've been trying to make use of the support for Kerberos 4
that exists in Kerberos 5 beta 5. I'd like to support clients
that can only use k4 at the moment, but settle on k5 for the
database & provide these clients & servers also.
Some things work, but there are configuration issues I just
don't understand & I'm stumbling around in the dark. Is anyone
doing this, & can they offer some advice?
Specifically,
1) I can kinit with a k4 kinit, but I need to have made the
principal with add_v4_key.
2) I can't change passwords from a k4 kpasswd-like client.
The Mac client I was trying, I can't tell what it was having
a problem with, but the Unix k4 client seems to want to connect
on a port (751) that the k5 kadmin isn't listening to (749).
Can I fix this? What do I do? I do have a changepw/kerberos
principal in the database, & there's syslogged info that shows
that something in the kdc got there:
Jul 12 16:39:46 xxyyzz krb5kdc[1800]: PROCESS_V4:INITIAL request from someuser. for changepw.kerberos
I also get an additional ticket on the client machine for this principal.
But after this comes the connection problem.
3) If someone covered by #1 above stumbles upon a k5 kpasswd client
somewhere, they can change their password just fine. But it's changed
using k5 rules:
Jul 12 14:25:50 xxyyzz kadmind[2084]: Converting v4user to v5user
This is nasty. They've now lost whatever ability they had to
kinit in a k4-using universe. Maybe this is not so important
on a Unix platform, where one could do something with k524 (which
I haven't tried). But what do I do for the Mac & PC users?
4) My k5 telnetd's are configured by inetd to run with "-a valid", &
so accept automatic logins (only). k4 telnet clients are rejected.
Can this work? What do I need to do to make it work? I haven't yet
had time to pick through the build configuration & source for the telnet
in the k5 distribution to see what's going on. Any advice
appreciated.
5) The other target client application is pop service. I'm not
ready to do anything about it yet but I may as well mention it.
Any advice or comment appreciated. Thanks, ==mwh