[1023] in Kerberos_V5_Development
K5 problems, esp. with k4 compatibility
daemon@ATHENA.MIT.EDU (Richard Basch)
Mon Mar 11 11:38:53 1996
Date: Mon, 11 Mar 1996 11:36:18 -0500
To: krbdev@MIT.EDU, krb5-bugs@MIT.EDU
From: "Richard Basch" <basch@lehman.com>
Let's just say there is quite a bit of work to do to get this to work.
I just put V5 servers into production at Lehman, but much of our
existing infrastructure is still V4, so the kdc is trying to run in
compatibility mode.
Problems seen:
1. DES_CBC_CRC = DES_CBC_MD5 = DES_* in terms of V4, but the key lookups only
do one mode, and that isn't necessarily the mode that was encoded in
the db, especially for non-V4 salt keys.
2. v4kadmind lets you change the key of a service, causing kvno to increase,
but if you use ktutil to also create a v5srvtab, you might hit the case
where kvno = 256+, and you can't detect it. (I did, and it was annoying.)
For compatibility, I made the v4kadmind increase kvno modulo 256.
3. Similar problems exist in krb5_get_in_tkt_with_keytab, because the
AS_REQ occurs without specifying the enctypes that are supported within
the keytab.
4. Several problems were noted with kprop/kpropd, some of which I have checked
into the tree.
I still have to check in some of the patches, but others are hacks that
I do not think are necessarily correct, but were required because of
timeliness.
Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
