Remapping old Kerberos 4 realm name to new Kerberos 5 realm name
Is there a Heimdal equivalent to MIT Kerberos + Ken Hornstein's
monster-patch krb524d --with-krb524-remapping option? I'm trying to
remap an old Kerberos 4 realm name to a new Kerberos 5 realm name as
described in the migration scenario here. If there isn't, I assume I
could use krb524d to replace some Heimdal functionality, but I'd like to
stick with pure Heimdal if at all possible. The specific Heimdal error I am
getting now is:
2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:126.96.36.199 for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:188.8.131.52
I need to map OLD.DOMAIN.COM to NEW.DOMAIN.COM in all above instances.
dclark@NEW.DOMAIN.COM and afs@NEW.DOMAIN.COM exist in the KDC.
Here is an explanation of what --with-krb524-remapping does:
+ This enables code in the 524 ticket converter to map principals
+ in foreign realms to principals in the local realm when getting
+ tickets for the AFS service. This is used to solve the problem
+ of foreign cross-realm users having PTS IDs that don't match
+ their Unix userid. Note that this code has a number of
+ interesting security implications, so do not enable it unless
+ you know what you're doing!
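Review bot: The warning in the last three lines says the remapping has "a number of interesting security implications" but never states them, so an administrator cannot judge whether enabling the option is safe. Since the text above says the converter maps principals in foreign realms to principals in the local realm when getting tickets for the AFS service, the documentation should say which foreign realms are eligible for mapping, how a foreign principal name is matched to a local one, and what trust in the foreign realm this assumes.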
 Kerberos FAQ: 2.19. What does krb524d do? Do I need to run it?
 [OpenAFS] kaserver -> Heimdal where cell name != REALM and using
Windows (krb4) AFS client
Daniel Joseph Barnhart Clark