[6679] in Kerberos
Notes on installing the K5B5 Key server (KDC)
daemon@ATHENA.MIT.EDU (Wayne Schroeder)
Sat Feb 17 10:49:49 1996
To: kerberos@MIT.EDU
Date: 14 Feb 1996 22:17:03 GMT
From: schroede@number6.sdsc.edu (Wayne Schroeder)
The following information might be useful to people installing the
K5B5 KDC.
We are running K5B4 rel 3 on an assortment of architectures and are
installing the K5B5 KDC (to provide K4 support and to be more
current). In general, the 5B5 KDC will operate just fine in a 5B4
environment.
1) If you want to incorporate k4 support, use 'configure --with-krb4',
without a directory name (or maybe without any --with-krb4 option
at all).
The FAQ* correctly mentions that "Starting with the beta 5 release,
the MIT Kerberos V5 distribution contains the V4 code so it is no
longer necessary to obtain and build it separately." But the
(old) .../doc/HOW_TO_BUILD file and the updated .../doc/install.ps
describe the --with-krb4=KRB4DIR as the way to specify the location
of v4 libraries and include files. The install.ps documentation
was updated for Beta 5, but does not describe the new option. It
is correctly described in the configure script (.../src/configure):
    ac_help="$ac_help
      --without-krb4        don't include Kerberos V4 backwards compatibility
      --with-krb4           use V4 libraries included with V5 (default)
      --with-krb4=KRB4DIR   use preinstalled V4 libraries"
All you need is '--with-krb4', without a directory name.
* Where is the current FAQ? I thought it was at:
http://www.ov.com/misc/krb-faq.html#1.6
but it doesn't seem to be there today. I haven't seen the
location posted to comp.protocols.kerberos lately.
2) If you configure with a --with-krb5-root=DIR option, the configure
files are still in /etc. With K5B4 rel 3, the --with-krb5-root=name
directory would contain the krb.conf and krb.realms config files, now
it is /etc/krb5.conf.
Likewise, kadmind5 will look for its config file in /etc
(/etc/krb5_adm.acl).
3) If your /etc/krb5.conf file is missing, the error message you
get from krb5kdc is:
krb5kdc: Improper format of configuration file while attempting to
retrieve default realm
The format in my file was fine, I just needed to put it into /etc.
(The new syntax is straightforward and well documented, and there is a
convert script.)
4) You may need to dump and load the K5B4 principal database (to ascii
and back). Use the old kdb5_edit, the dump_db command, and then the
new kdb5_edit and the load_db command. When I had just copied the
principal file, authentications would work with old credentials, but
if I kinit'ed again, my logins would fail. It turned out that a field
in the old db was wrong (when used by the new KDC) and ktelnetd would
get an error in krb5_ktfile_get_entry. This was due to a different
kvno input argument (from the packet back from the KDC). The call
tree being:
    krb5_rd_req
      krb5_rd_req_decoded
        krb5_kt_get_entry
          (obfuscation layer)
            krb5_ktfile_get_entry
              krb5_principal_compare
5) K5B4 kpasswd will not work with the K5B5 kadmind5 due to
protocol changes. kadmind5 would print:
kadmind5: Invalid message type - 0: cannot decode AP_REQ message
But if you want to continue running K5B4 kpasswd's, you can run the
old kadmind on the new principal database. This seems to work fine.
Wayne Schroeder
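Added example, not part of the post above: a small pre-flight check for point 3, run before starting the K5B5 krb5kdc, that confirms /etc/krb5.conf exists and carries a default_realm in its [libdefaults] section (the KDC reports "Improper format of configuration file while attempting to retrieve default realm" when it cannot find one). The function names and the sample realm SDSC.EDU are assumptions; the config file path can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the /etc/krb5.conf that
# the K5B5 krb5kdc and kadmind5 read, so a missing file or a missing
# default_realm is caught before the daemon fails at startup.
# Assumption: the file uses the [section] / key = value syntax of krb5.conf.

# Print the default_realm from the [libdefaults] section of $1, or nothing.
krb5_default_realm() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*\[/ {                       # section header, e.g. [libdefaults]
            sect = $0
            gsub(/\[/, "", sect); gsub(/\]/, "", sect); gsub(/[ \t]/, "", sect)
            next
        }
        sect == "libdefaults" && $0 ~ /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")          # strip "default_realm ="
            sub(/[ \t]+$/, "")                # strip trailing blanks
            print; exit
        }
    ' "$1"
}

# Return 0 when a default realm can be retrieved from $1 (default
# /etc/krb5.conf), 1 otherwise, with the reason on stderr.
krb5_preflight() {
    conf=${1:-/etc/krb5.conf}
    if [ ! -f "$conf" ]; then
        echo "$conf: missing (krb5kdc/kadmind5 look in /etc, not the krb5-root dir)" >&2
        return 1
    fi
    realm=$(krb5_default_realm "$conf")
    if [ -z "$realm" ]; then
        echo "$conf: no default_realm in [libdefaults]" >&2
        return 1
    fi
    echo "$conf: default realm $realm"
}

# Stand-alone demo on a constructed config (assumed realm SDSC.EDU).
demo_dir=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = SDSC.EDU\n[realms]\n' > "$demo_dir/krb5.conf"
krb5_preflight "$demo_dir/krb5.conf"
krb5_preflight "$demo_dir/absent.conf" || :
rm -rf "$demo_dir"
```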