Subject: Re: kerberosV with kerberosIV compatibility
To: Love <lha@stacken.kth.se>
From: Tracy J. Di Marco White <gendalia@iastate.edu>
List: tech-crypto
Date: 11/01/2000 22:44:57
}Tracy Di Marco White <gendalia@iastate.edu> writes:
}
}> Should this be working?  Am I doing something wrong?  If I'm not doing
}> something wrong, what can I do to help solve the problem?
}> 
}> bb# kinit -4 gendalia
}> gendalia@IASTATE.EDU's Password: 
}> kinit: converting creds: Cannot contact any KDC for requested realm
}> 
}> I have /etc/krb.conf, /etc/krb.realms, /etc/kerberosIV/krb.conf,
}> /etc/kerberosIV/krb.realms, /etc/srvtab, and /etc/kerberosIV/srvtab.
}> I'm not sure I've got whatever needs to be set up in krb5.conf
}> configured correctly.
}> 
}> I ktrace'd kinit -4, and while I mention our machines kerberos-1 and
}> kerberos-2 in my /etc/krb5.conf, it also seems to go looking and find
}> our windc1 and windc2 machines, our windows kerberosV domain controllers.
}> I'm not sure how it found those.  Possibly it goes out and tries to do
}> windows style kerberos detection?  Of course, the windc[12] machines
}> don't do kerberosIV at all.
}
}Probably found the DC by the SRV-rr you have in DNS.

I suspected it might be, but wasn't sure.

}In order to get a krb4 ticket from a krb5 ditto (that is what -4 means) you
}need to have support in the kerberos server, running on port 4444.

We do.  We're running a K5 (MIT) server that is doing K4 compatibility
mode, running krb524d.  All of our client machines are standard K4 clients,
and they work fine authenticating against the server.

}I guess that you have a krb5 ticket, but no krb4, is that right?

Right.

}What are you trying to do? Get a krb4 ticket directly?

What I'd most like to do is to login and get K5 & K4 tickets automatically.
Failing that, log in and get K5 tickets then be able to kinit -4 and get K4
tickets.  I don't necessarily have krb5.conf set up correctly to do that,
but I've gotten several different answers about how to set that up, and have
no idea which one is correct.

I'd also love to be able to use encrypted telnet between our standard K4
clients and NetBSD's K5/K4 enabled telnet(d).

Tracy J. Di Marco White
Project Vincent Systems Manager
gendalia@iastate.edu