Remapping old Kerberos 4 realm name to new Kerberos 5 realm name

Is there a Heimdal equivalent to MIT Kerberos + Ken Hornstein's
monster-patch krb524d [1] --with-krb524-remapping option? I'm trying to
remap an old Kerberos 4 realm name to a new Kerberos 5 realm name as
described in the migration scenario here [2]. If there isn't, I assume I
could use krb524d to replace some Heimdal functionality, but I'd like to
stick with pure Heimdal if at all possible. The specific Heimdal error I
am getting now is:

2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from
                    IPv4: for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry
                    in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM:
                    Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:

I need to map OLD.DOMAIN.COM to NEW.DOMAIN.COM in all above instances.
dclark@NEW.DOMAIN.COM and afs@NEW.DOMAIN.COM exist in the KDC.

Here is an explanation of what --with-krb524-remapping does:

+ --with-krb524-remapping
+       This enables code in the 524 ticket converter to map principals
+       in foreign realms to principals in the local realm when getting
+       tickets for the AFS service.  This is used to solve the problem
+       of foreign cross-realm users having PTS IDs that don't match
+       their Unix userid.  Note that this code has a number of
+       interesting security implications, so do not enable it unless
+       you know what you're doing!
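
Review bot: the closing warning ("a number of interesting security implications") does not say what the implications are, so an administrator reading this option description cannot judge when enabling it is safe. The text above it says principals in foreign realms are mapped to principals in the local realm when getting tickets for the AFS service; the documentation should spell out that a foreign-realm identity is then treated as a local one for AFS, and say whether the set of remapped realms can be restricted.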

[1] Kerberos FAQ: 2.19. What does krb524d do? Do I need to run it?

[2] [OpenAFS] kaserver -> Heimdal where cell name != REALM and using 
              Windows (krb4) AFS client

Daniel Joseph Barnhart Clark