[356] in Kerberos-V5-bugs
Re: Building Kerberos V on HP-UX: Krb4KDCCompat
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Sep 21 20:04:59 1993
Date: Tue, 21 Sep 93 20:04:22 EDT
From: tytso@MIT.EDU (Theodore Ts'o)
To: "Hugh C. Lauer" <lauer@merl.com>
Cc: "Hugh C. Lauer" <lauer@merl.com>, krb5-bugs@MIT.EDU
In-Reply-To: Hugh C. Lauer's message of Sat, 18 Sep 93 14:29:43 -0400,

   Date: Sat, 18 Sep 93 14:29:43 -0400
   From: "Hugh C. Lauer" <lauer@merl.com>

   Thanks. Making clean did the trick, if ignoring KRB4 is what I want
   to do. But is it? There are a number of Kerberos 4 clients out
   there and more coming for systems like the Mac, etc. If I want to
   allow them to authenticate, get tickets, etc., do I need to provide
   Kerberos IV compatibility in any case?

The Kerberos V4 compatibility allows the V5 KDC to respond to requests
from V4 clients --- but this doesn't help unless you have V4 application
servers as well. The compatibility code is really designed for sites
that are currently running V4 and need to gradually transition over to
V5.

For those sites who want to transition over, the idea is for them to
write dual-headed application servers, that can understand both V4 and
V5, and then gradually cut the clients over to V5. The V5 bsd and
telnet programs are dual-headed. We haven't had a chance to convert
over the other application servers yet.

The take home message from all of this is that the V4 compatibility in
the KDC isn't enough, all by itself.

If you still want Kerberos V4, then you'll need to grab the Kerberos V4
package, and compile that in a separate tree. Then configure site.def
to use the V4 library which you've compiled from that tree.

   I ran across a second use of -lkrb, namely in building admin/convert. This
   doesn't seem to go away even when I commented out Krb4KDCCompat. Are there
   any other uses of -lkrb anywhere? If so, where do I get it (short of having
   to go back and port Kerberos IV to HP-UX)?

Yeah; that's a bug; admin/convert shouldn't be built if Krb4KDCCompat is
commented out. (Actually, in the next release, we actually use a
separate variable to control it.) The function of kdb5_convert is to
convert a V4 KDC database to a V5 database --- this is not very useful
if you don't have an existing V4 KDC database. :-)

- Ted