
Re: More, re: Heimdal compatibility with MIT Krb 4



At 2:35 PM +0100 3/14/03, Love wrote:
>"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
>Do you have v4 salted keys ?

Bingo!

I'm not altogether dim *all* the time anyway.  That reminded me of a 
discussion in the AFS kerberos 5 migration kit docs.  I changed the 
password for that principal under OSX and suddenly it worked under 
Solaris v4.

>>>> Does the Heimdal kdc obey the convention that kill -HUP makes it
>>>>   reread its config files?
>>>
>>>No, the kdc doesn't reload its config file on SIGHUP.
>>
>>  Thanks.  I'll be careful.  I guess you can say this is correctly
>>  documented by its absence from the documentation.  ;-)
>
>There is a manpage for kdc, and quite a lot of info documentation describing
>how to set up a realm.

I find the info on Heimdal to be more useful than the info on MIT 
kerberos.  More user-oriented anyway.  I mostly followed the 
instructions on 
http://www.mcc.ac.uk/Documentation/coda/heimdal_toc.html to set up 
the realm and I could telnet in from OSX immediately.

I added the

[kadmin]
         use_v4_salt = true

after I had created the principal I was using for testing.

So now I can kinit under OSX with v5, under Solaris with v4, and I 
can klog.krb under Solaris with some flavor of OpenAFS as well.

klog.krb under OSX with OpenAFS 1.2.7 gives me the same error message 
as the older one under Solaris, but it doesn't keep the tickets 
afterwards.  (The msg is: "Unable to authenticate to AFS because 
unknown cell was passed to SetToken."  I expect it's because I don't 
actually have an AFS cell running on the kerberos server yet.  I did 
put an entry in the CellServDB.)

The only major Kerberos implementation I haven't verified 
compatibility with now is Windows.  I know there is a howto out there 
on the subject, so I'm sure it can be done.

>  > Should I send comments on the documentation to you or to NetBSD, or both?
>
>You can send it to me.

1) The man pages generally say #include <krb5/krb5.h>, but you really 
need a -I/usr/include/krb5 on the command line because of all the 
subsidiary include files needed.  That makes #include <krb5.h> a 
simpler thing to say.  OTOH maybe that means that the krb5.h file 
ought to say e.g. <krb5/asn1_err.h> itself.

2) It's obvious that you need -lkrb5 to link.  It's not obvious that 
you also need -lasn1 -ldes -lroken -lcom_err as well.

I don't actually know if these comments are specific to NetBSD (I'm 
running -current as of Jan 4, 2003, 1.6L) or if they are generic for 
Heimdal.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu