[7605] in Kerberos
Re: Krb5b6 server and Krb4 clients
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Mon Jul 8 11:53:22 1996
Date: Mon, 8 Jul 1996 11:22:15 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: ctrown@ecst.csuchico.edu (Chris Trown)
Cc: kerberos@MIT.EDU
In-Reply-To: [7599]
Date: 5 Jul 1996 22:17:31 GMT
From: ctrown@ecst.csuchico.edu (Chris Trown)
In article <4repfb$h6v@charnel.ecst.csuchico.edu>,
Chris Trown <ctrown@ecst.csuchico.edu> wrote:
> Is there any documentation on how to get a V4 client to communicate with a
>KRB5B6 server?
>
> When I try and use a V4 client, I see:
>
>Jul 3 14:35:37 cheops syslog: PROCESS_V4:Initial ticket request Host: 132.241.67.13 User: "ctrown" ""
>
> in syslog. On the Mac I get a dialog stating "Sorry, your password is
>incorrect. Please try again."
>
I saw at least three other posts in the mailing list archive asking
essentially the same question. None of them have follow-ups.

Actually, this question has been answered on this list before, but
perhaps not exactly in the context you answered it.
The V5 KDC handles V4 requests, as evidenced by the PROCESS_V4 entry
in syslog. The reason the client is reporting an incorrect password
is almost certainly because the salt type of the key in the KDC
database is wrong; it is probably a V5-style salt, instead of a
V4-style salt.
In previous releases, you could create a principal or change a
password to use V4 salt with the "add v4 key" and "change v4 password"
commands (I don't remember exactly what they were called). These two
commands set the principal's key to use a V4-style salt.
In krb5b6, things are a little different. Principals can have
multiple keys, one for each encryption type/salt type tuple that a
site chooses to support. The list of supported encryption types is
defined in kdc.conf:

[realms]
    YOUR.REALM = {
        <misc stuff>
        supported_enctypes = des-cbc-crc:v4
        <misc other stuff>
    }

This block in kdc.conf will tell kdb5_edit, the admin server, etc.,
that principals should be created with V4-style salt (more precisely,
it says principals should have a key for the encryption type
DES-CBC-CRC, which means the DES cryptosystem with a CRC checksum, and
a V4 salt). You can specify a list of encryption/salt tuples on that
line, such as

    supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4

and then all principals will have one key for each of those types.
A change in supported_enctypes only takes effect when a principal's
password is changed or when a principal is created. So, in your case,
set that line in kdc.conf to include des-cbc-crc:v4, run kdb5_edit,
and change the password of all the clients you want to work from V4
hosts. After that, V4 clients should work.
Barry
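
An added example, not part of the original message or of the Kerberos distribution: a short Python check that reads the [realms] stanza layout shown above, lists each realm's encryption/salt tuples, and shows the salt string each salt type feeds to string-to-key for a principal. The sample kdc.conf text, the OTHER.REALM name and the function names are constructed for illustration; only the "normal" and "v4" salt types are handled.

```python
import re

# Constructed sample in the layout shown in the message; realm names are placeholders.
SAMPLE_KDC_CONF = """\
[realms]
    YOUR.REALM = {
        supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
    }
    OTHER.REALM = {
        supported_enctypes = des-cbc-crc:normal
    }
"""

def parse_supported_enctypes(text):
    """Return {realm: [(enctype, salttype), ...]} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                     # new top-level section
            section, realm = m.group(1), None
        elif section != "realms":
            continue
        elif line.endswith("{"):                  # "REALM.NAME = {"
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line == "}":
            realm = None
        elif realm and line.startswith("supported_enctypes"):
            for tup in line.split("=", 1)[1].split():
                enctype, _, salt = tup.partition(":")
                realms[realm].append((enctype, salt or "normal"))
    return realms

def salt_for(principal, realm, salttype):
    """Salt string that string-to-key mixes with the password."""
    if salttype == "v4":
        return ""                                 # V4 salt: no salt at all
    if salttype == "normal":                      # V5: realm + name components
        return realm + "".join(principal.split("/"))
    raise ValueError("salt type not covered by this example: " + salttype)

def realms_without_v4(realms):
    """Realms whose new keys would not include a V4-salted key."""
    return sorted(r for r, tuples in realms.items()
                  if not any(s == "v4" for _, s in tuples))
```

For the principal "ctrown", the "normal" tuple salts the password with "YOUR.REALMctrown" while the "v4" tuple uses an empty salt, so the same password yields two different keys and a V4 client matches only the second.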