Subject: Re: Kerberos IV
To: Love <lha@stacken.kth.se>
From: Tracy J. Di Marco White <gendalia@iastate.edu>
List: current-users
Date: 11/05/2000 12:32:11
}seebs@plethora.net (Peter Seebach) writes:
}
}> Quick summary: I am stuck, for the foreseeable future, using a Kerberos IV
}> server.
}>
}> Can NetBSD-current be made, in *any* way, to use a KerberosIV server? If
}> not, why, oh why, did we switch to Kerberos V if it would break
}> interoperability?
}
}It doesn't. You can get the best of two worlds (and still have the bad
}ones of krb4). We use a heimdal(0.3c) kdc with both krb4 and krb5 clients
}w/o any problems. Two programs left that require krb4 support (afs and
}zephyr) for now...
I need to run zephyr, afs would be a bonus. Are you using the pkgsrc
zephyr? I haven't been able to get that to compile. Arla pulls in the
kth-krb4 pkg, which I don't think I should need to have pulled in on 1.5BETA,
should I?
This is my krb5.conf (copied from a MIT kerberos client and modified):
[libdefaults]
        ticket_lifetime = 600
        default_realm = IASTATE.EDU
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
        krb4_srvtab = /etc/srvtab
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        krb4_get_tickets = yes

[realms]
        IASTATE.EDU = {
                kdc = kerberos-1.iastate.edu
                kdc = kerberos-2.iastate.edu
                admin_server = kerberos-1.iastate.edu:749
                default_domain = iastate.edu
                supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
                v5_principal_convert = {
                        host = rcmd
                }
                v4_principal_convert = {
                        rcmd = host
                }
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu
                kdc = kerberos-3.mit.edu
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
}Adding `[libdefaults]krb4_get_tickets = yes' might also improve your
}quality of life as a krb4 client.
I added this, things are getting better, encrypted telnet to the NetBSD
machine is working:
% telnet bb.cc
Trying 129.186.140.61...
Connected to bb.cc.iastate.edu.
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
Password:
I can't do encrypted telnet the other way yet, I can't get K4 tickets:
bb: {3} telnet -ax zathras.cc
Trying 129.186.140.8...
Connected to zathras.cc.iastate.edu.
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
mk_req failed: No ticket file (tf_util)
[ Trying KERBEROS4 ... ]
mk_req failed: No ticket file (tf_util)
login: gendalia
bb: {2} klist -4
Credentials cache: FILE:/tmp/krb5cc_14768.ttyp1
Principal: gendalia@IASTATE.EDU
Issued           Expires          Principal
Nov 5 11:48:53   Nov 5 21:47:43   krbtgt/IASTATE.EDU@IASTATE.EDU
Nov 5 11:48:53   Nov 5 21:47:43   host/bb.cc.iastate.edu@IASTATE.EDU
v4-ticket file: /tmp/tkt14768
klist: No ticket file (tf_util)
Tracy J. Di Marco White
Project Vincent Systems Manager
gendalia@iastate.edu
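
Added example (not part of the original message, and not Heimdal or MIT code): a small Python parser for the krb5.conf layout quoted above, including repeated keys and nested { } blocks, that lists the krb4_* compatibility options and any single-DES enctypes such as des-cbc-crc. The sample input is a constructed, trimmed copy of the quoted configuration; parse_krb5_conf and audit are hypothetical helper names.

```python
import re

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # 56-bit DES enctypes
# Constructed sample: trimmed copy of the krb5.conf quoted in the message.
SAMPLE = """\
[libdefaults]
default_tkt_enctypes = des-cbc-crc
krb4_get_tickets = yes
[realms]
IASTATE.EDU = {
    kdc = kerberos-1.iastate.edu
    kdc = kerberos-2.iastate.edu
    supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
    v4_principal_convert = {
        rcmd = host
    }
}
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a value is a str or a nested dict."""
    root, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
        elif line == "}":
            stack = stack[:max(1, len(stack) - 1)]  # close innermost block
        elif stack and line and line[0] not in "#;":
            key, _, val = (p.strip() for p in line.partition("="))
            child = {} if val == "{" else val
            stack[-1].setdefault(key, []).append(child)
            if val == "{":
                stack.append(child)
    return root

def audit(conf):
    """List (scope, key, value) for krb4_* options and single-DES enctypes."""
    lib = conf.get("libdefaults", {})
    out = [("libdefaults", k, lib[k][-1]) for k in sorted(lib) if k.startswith("krb4_")]
    realms = conf.get("realms", {}).items()
    scopes = [("libdefaults", lib)] + [(r, b) for r, bs in realms for b in bs if isinstance(b, dict)]
    for scope, body in scopes:
        for key in (k for k in body if k.endswith("enctypes")):
            toks = re.split(r"[,\s]+", " ".join(v for v in body[key] if isinstance(v, str)))
            out += [(scope, key, t) for t in toks if t.split(":")[0] in SINGLE_DES]
    return out

if __name__ == "__main__":
    print(*audit(parse_krb5_conf(SAMPLE)), sep="\n")
```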