Subject: Re: kpasswdd from inetd?
To: None <current-users@netbsd.org>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: current-users
Date: 09/08/2001 21:25:57

On Sat, Sep 08, 2001 at 11:57:03PM -0400, Kevin P. Neal wrote:

 > I enabled the kerberos-adm and kpasswd services in inetd.conf. 
 > 
 > If I change my password with kpasswd then my poor box pauses and swaps
 > in agony as inetd fires up a couple dozen kpasswdd's. Then kpasswd
 > either fails with the message "mutual authentication failed" or
 > it says the password change was successful. Either way I have a couple
 > dozen kpasswdd's running. 
 > 
 > If I run kpasswdd from the command line and disable it in inetd.conf
 > then everything is peachy. Why is kpasswdd in inetd.conf? Does it
 > actually work for anyone? Would it be best to run kpasswdd standalone?
 > Cause I can throw together a quick rc.d script if needed.

I think what has happened is a disconnect between 1.5 and -current's
Kerberos.  I wrote that document using a -current machine.  I do use
kpasswdd from inetd.  It may be that it's different on the 1.5 branch.

 > Is there a good FAQ for Heimdal Kerberos? The configuration seems to
 > be identical to MIT Kerberos except when it isn't. The "isn't" part
 > is what nails me, especially when I try to get Kerberos 4 compat
 > working (different problem from the kpasswdd issues I think). 

Err, krb4 compat is really easy.  Just "kinit -4", and it will fetch
a krb5 TGT, and do a 5-to-4 on it (the Heimdal KDC has the "524" service
built-in).

If you put:

	krb4_get_tickets = true

in the [libdefaults] section, it should do this automagically no
matter what fetches the tickets for you (be it login or whatever).

-- 
        -- Jason R. Thorpe <thorpej@wasabisystems.com>