[7555] in Kerberos


Re: krb4 application compatibility

daemon@ATHENA.MIT.EDU (Dave McGuire)
Sat Jun 29 15:20:15 1996

Date: Sat, 29 Jun 1996 15:10:11 -0400
From: Dave McGuire <mcguire@rocinante.digex.net>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: kerberos@MIT.EDU
In-Reply-To: Re: krb4 application compatibility (Sam Hartman)

On June 21, Sam Hartman wrote:
> >>>>> "Dave" == Dave McGuire <mcguire@rocinante.digex.net> writes:
>     Dave> have a good-sized krb4 application (the UofMD backup package,
>     Dave> "amanda") which I'd *love* to convert to krb5 but don't want to spend
>     Dave> three weeks doing it.  Any advice?
...
> 	On the other hand, you should have no problems if you continue
> to have a krb4 application.  The KDC and krb524d should handle most of
> the issues involving assumptions that have changed between krb5 and
> krb4.  Your application maintains compatibility with past versions.
> Future versions of the application may even choose to maintain
> compatibility with the past versions of the application in a manner
> similar to the BSD utilities, although you should probably drop krb4
> support some day.

  Point well taken...and I agree...but the application in question
doesn't even come close to working against a krb5 kdc.  I've been
working on it all day, to no avail.  It gets tickets from its stashed
file, but mutual authentication blows up.  I'm still looking into why.

  Perhaps my problem is one of configuration.  I haven't been able to
determine a few things...when using the krb4 interoperability features
in krb5 beta6:

    Do I need an appropriately configured v4-style /etc/krb.conf, or
  will the library code use information it found in /etc/krb5.conf?

    Do I need to create a v4-style /etc/srvtab for applications which
  use v4 mutual authentication, or will the library code use
  /etc/v5srvtab?

    Is converting a v4 realm to v5b6 a way around the infuriating "no
  dots in principal names" problem in v4, or will I need to continue
  to inflate our nameservers by duplicating hostnames that happen to be
  in subdomains with dashes replacing the dots?

  If you could clear these things up for me, I might be able to get a
bit farther.  Of course, I'd *really* like to see this package
converted to use gssapi, but I've nowhere near the knowledge of gssapi
required to do that, and documentation is somewhat lacking.  I will
spend a few hours this afternoon studying the gss-sample code...If I
can figure out how that works, I might take a stab at converting this
application to use gssapi.

  Is there somewhere I might find a brief description of the "flow" of
a gss application, in terms of the functions and data structures used?


                                 -Dave McGuire
                                  mcguire@digex.net
