Subject: Re: Kerberos questions
To: Tracy J. Di Marco White <gendalia@iastate.edu>
From: Aidan Cully <aidan@kublai.com>
List: current-users
Date: 05/30/2000 03:10:22

I've just committed code to allow login to get both krb4 and krb5
tickets, when told to do so in krb5.conf.  The way you enable it is:

[appdefaults]
	login = {
		LOCAL.REALM = {
			krb5_get_tickets = true
			krb4_get_tickets = true
		}
	}

Sorry for not getting to it sooner...  It seems it's taking me
longer and longer to recover from my real job, these days.

I also apologize for the wording of the phrase, "someone's old
attempt at integrating kerberos5, apparently without using MIT
code".  I'm glad the work had been done, and glad that it had been
done in the fashion that it has.  It's made my job a lot easier,
and I don't really know what I was thinking by implying that parts
of MIT's login implementation should have been used instead, since
it's not a particularly good fit to our needs.

--aidan

On Tue, May 02, 2000 at 01:56:25AM -0400, Aidan Cully wrote:
> On Mon, May 01, 2000 at 03:12:11PM -0500, Tracy J. Di Marco White wrote:
> > 
> > }>I wanted to use Kerberos 5 on a NetBSD/i386 machine I'm setting up, but
> > }>when I log in I'd like to get Kerberos 4 tickets as well as Kerberos 5
> > }>tickets.  I'm authenticating against a Kerberos 5 KDC, and I do get
> > }>a Kerberos 5 ticket at login.  Does anyone have instructions on how to
> > }>get both?
> 
> The klogin we're running right now doesn't currently support V4
> tickets when compiled with KERBEROS5 defined.  I'll try to fix that
> this weekend, or sooner.
> 
> Ken Hornstein wrote:
> > }(Note: this is with US crypto) You can tell login to get a V4 ticket;
> > }kinit doesn't (currently) have that ability.  _If_ you are running
> > }krb524d, you can run krb524init after you get a V5 ticket; otherwise,
> > }you're outta luck.
> 
> Well, that's how it is in MIT's tree, but the NetBSD code is mostly
> based on someone's old attempt at integrating kerberos5, apparently
> without using MIT code.  This missing feature was an oversight on
> my part, and I'll try to fix it.