[742] in athena10
Re: Advance notice about krb4
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Dec 17 21:32:43 2008
From: Greg Hudson <ghudson@MIT.EDU>
To: Ken Raeburn <raeburn@mit.edu>
Cc: athena10@mit.edu
In-Reply-To: <BAFD2540-4BA6-444C-A36B-80E7575BB018@mit.edu>
Content-Type: text/plain
Date: Wed, 17 Dec 2008 21:28:13 -0500
Message-Id: <1229567293.12360.26.camel@ray>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit

On Wed, 2008-12-17 at 20:25 -0500, Ken Raeburn wrote:
> Sounds like things have improved since last I heard (when there was
> krb5 inter-server code but clients still were krb4 only). What's the
> transition mechanism? Flag day, or incremental changes?

To the best of my understanding:

Clients are compatible with either krb4 or krb5 servers, but not both.
Servers are compatible with both krb4 and krb5 clients, but the servers
in the galaxy need to be either all old or all new. (I'm not sure how
bad the failure mode is for mixing server versions; if the brain dump
code can still authenticate, then you could possibly do an incremental
transition as long as no one expects v5 clients to work in the meantime.
But I'm not sure the brain dump auth is compatible across an upgrade.)