Subject: Re: WARNING: Heimdal Krb5 interoperability issue as of 2/11/2001
To: None <thorpej@zembu.com>
From: None <assar@netbsd.org>
List: current-users
Date: 03/12/2001 03:20:40

Jason R Thorpe <thorpej@zembu.com> writes:
> For those of you using Heimdal for your KDC and for the clients
> in your realm, the update of Heimdal in the NetBSD source tree
> from 0.3a to 0.3e causes an interoperability problem between
> new Heimdal clients and an older KDC.  The issue appears to be
> the inverse of an interoperability problem between Heimdal 0.3a
> and MIT Kerberos 5 KDCs (the change likely made Heimdal clients
> communicate properly with MIT KDCs).

I do not understand why it would fail this way.  There should have
been no changes between 0.3a and 0.3e that caused this to happen.  I
have tried `kinit -4' with 0.3a against a 0.3e kdc without any problem.
And also with a NetBSD 1.5 kinit against a NetBSD-current kdc.  I have
not tried building a world from the date mentioned above.  A change in
NetBSD between that date and the current version is that the md5
functions in libcrypto are used instead of those in libc, but as far
as I can tell, both sets of functions work properly and handle the test
cases correctly.

You were using a modern kinit against an older KDC, right?  Then I
think the problem is that we were using the wrong key usage and that
there is code in the KDC for handling both, but that of course doesn't
work when it's the client that's using the wrong type.  Adding:

[libdefaults]
	default_etypes = des-cbc-md5 des-cbc-md4 des-cbc-crc

to your /etc/krb5.conf should also work.

> (Assar -- this means that the Heimdal update should probably be pulled
> up into the netbsd-1-5 branch, since -current clients talking to a 1.5
> KDC are kind of screwed).

Yes, I agree.

/assar