[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Heimdal compatibility with MIT Krb 4

I'm looking at setting up a Heimdal kdc to translate AFS, MITv4, 
MITv5, and maybe Microsoft kerberos requests into a cross-realm 
request to a kaserver.  My ignorance is clearly showing so any 
pointers to TFM so I can R would be appreciated.

Where I'm specifically hung up this instant is just plain ordinary 
MITv4 support.  I have a valid principal and OSX can do MITv5 
authentication, but not v4.

Solaris 7 with the old MITv4 code it came with always fails with an 
unknown principal message.  The kdc log on a NetBSD 1.6L machine says 
it's requesting a krbtgt.HOTZ.JPL.NASA.GOV@A ticket.  I don't see the 
"A" in a tcpdump of the network traffic.  The krb5.conf file is:

>         v4_instance_resolve = true
>         clockskew = 300
>         JPL.NASA.GOV = {
>                 kdc = eis-fil-afsdb08.jpl.nasa.gov
>                 kdc = eis-fil-afsdb09.jpl.nasa.gov
>                 kdc = eis-fil-afsdb10.jpl.nasa.gov
>                 admin_server = kerberos.jpl.nasa.gov
>         }
>         HOTZ.JPL.NASA.GOV = {
>                 kdc = machotz.jpl.nasa.gov
>                 admin_server = machotz.jpl.nasa.gov
>                 v4_domains = jpl.nasa.gov
>         }
>         .jpl.nasa.gov = JPL.NASA.GOV
>         jpl.nasa.gov = JPL.NASA.GOV
>         machotz.jpl.nasa.gov = HOTZ.JPL.NASA.GOV
>         enable-kerberos4 = true
>         enable-kaserver = true
>         use_v4_salt = true

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu