
need more explanation on krb4->krb5 conversion




Hi all,

I am trying to understand why I am not able to use principals converted from
krb4 to heimdal. Using kdc with the "default" database which is created
with "kadmin init" command works well, even if I "ank" new principals. I
am able to get tickets, list them, destroy them, everything seems to work
fine.

But after the conversion of the old version principals I run into
problems:

/usr/local/heimdal/libexec/hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.k -E pteryx.natur.cuni.cz | /usr/local/heimdal/libexec/hpropd -n

(/.k is the old master key from the krb4 database, right?)

This adds about 4700 principals to the heimdal database. It says it cannot
convert some principals (all of them are in format service.name); normal
and admin users seem to be converted.
When I dump the database, the imported records are there, but no imported
record is working:

# /usr/local/heimdal/bin/kinit komanek@DOMAIN.CZ
komanek@DOMAIN.CZ's Password:
kinit: krb5_get_init_creds: Client (komanek@DOMAIN.CZ) unknown

# /usr/local/heimdal/sbin/kadmin -p komanek
kadmin> list komanek
komanek@DOMAIN.CZ's Password:
kadmin: get komanek: Client (komanek@DOMAIN.CZ) unknown

.... and from kdc logfile:
2003-09-30T16:56:49 AS-REQ komanek@DOMAIN.CZ from IPv4:a.b.c.d for kadmin/admin@DOMAIN.CZ
2003-09-30T16:56:49 UNKNOWN -- komanek@DOMAIN.CZ: Invalid argument
2003-09-30T16:56:49 sending 129 bytes to IPv4:a.b.c.d


My friend and former colleague thinks the problem is somewhere in the
master key and/or in the difference of OpenSSL version used: 0.9.6j for
old krb4 database and 0.9.7 for heimdal. In contrast to this, I suppose
that the only important thing which changed in OpenSSL is the API, so the
data remained the same and are still readable if the API calls match the
used crypto library. Regarding the master key, I think hprop should say if
the data could not be decrypted and the problem would vanish if I use
plaintext krb4 slave dump file for conversion. But the problem persists.

What do you think the problem is? Are there some useful debug options
which would help me to trace down the problem?

I am using Irix 6.5.20, all binaries are 64-bit, produced with native
compiler, not gcc, if it matters.

Thanks in advance for any hints,

  David Komanek