Subject: Re: kerberos 5 to 4 conversion
To: Johan Danielsson <joda@pdc.kth.se>
From: Tracy J. Di Marco White <gendalia@iastate.edu>
List: tech-security
Date: 11/09/2001 09:45:33
joda@pdc.kth.se (Johan Danielsson) wrote:
}"Tracy J. Di Marco White" <gendalia@iastate.edu> writes:
}
}> How likely is it that the changes that make heimdal work against an
}> MIT KDC will be pulled up into 1.5?
}
}Depends on what the fix consists of.
It looks like the fixes were pulled up somewhere between 1.5.1_ALPHA and
1.5.3_ALPHA, since I just tested the same krb5.conf on each of them, and
on 1.5.3_ALPHA I get both k5 & k4 tickets with kinit. I'm happy there.
One problem I'm seeing is that I can't log in and get both v4 & v5 tickets,
but that kinit will get both. I'm including most of my krb5.conf because
I've been adding to it for so long trying to make this work I'm not sure
how much of it is necessary and/or if I might be missing something.
socrates: {1} klist
Credentials cache: FILE:/tmp/krb5cc_14768.console
Principal: gendalia@IASTATE.EDU
Issued Expires Principal
Nov 9 09:29:39 Nov 9 19:29:39 krbtgt/IASTATE.EDU@IASTATE.EDU
v4-ticket file: /tmp/tkt14768
klist: No ticket file (tf_util)
socrates: {2} kinit gendalia
gendalia@IASTATE.EDU's Password:
socrates: {3} klist
Credentials cache: FILE:/tmp/krb5cc_14768.console
Principal: gendalia@IASTATE.EDU
Issued Expires Principal
Nov 9 09:31:35 Nov 9 21:31:35 krbtgt/IASTATE.EDU@IASTATE.EDU
v4-ticket file: /tmp/tkt14768
Principal: gendalia@IASTATE.EDU
Issued Expires Principal
Nov 9 09:31:35 Nov 9 21:43:09 krbtgt.IASTATE.EDU@IASTATE.EDU
Another problem I'm having is that when I try to use encrypted telnet
from a NetBSD machine to one of our normal client machines, it complains
about not being able to get an inter-realm ticket granting ticket.
socrates# telnet -ax entilzha.ait
Trying 129.186.145.163...
Connected to entilzha.ait.iastate.edu.
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
mk_req failed: Can't get inter-realm ticket granting ticket (get_ad_tkt)
[ Trying KERBEROS4 ... ]
mk_req failed: Can't get inter-realm ticket granting ticket (get_ad_tkt)
socrates# cat /etc/krb5.conf
[appdefaults]
krb4_get_tickets = true
krb5_get_tickets = true
[libdefaults]
ticket_lifetime = 43200
default_realm = IASTATE.EDU
default_etypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
krb4_get_tickets = true
krb5_get_tickets = true
krb4_srvtab = /etc/kerberosIV/srvtab
krb4_config = /etc/kerberosIV/krb.conf
krb4_realms = /etc/kerberosIV/krb.realms
[login]
krb5_get_tickets = true
krb4_get_tickets = true
krb_run_aklog = true
[realms]
IASTATE.EDU = {
kdc = kerberos-1.iastate.edu
kdc = kerberos-2.iastate.edu
admin_server = kerberos-1.iastate.edu:749
default_domain = iastate.edu
supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
v5_principal_convert = {
host = rcmd
}
v4_principal_convert = {
rcmd = host
}
v4_instance_convert = {
entilzha = entilzha.ait.iastate.edu
}
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu
kdc = kerberos-3.mit.edu
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
[domain_realm]
.admin.iastate.edu = IASTATE.EDU
.adp.iastate.edu = IASTATE.EDU
.ae.iastate.edu = IASTATE.EDU
.aecl.iastate.edu = IASTATE.EDU
.aeem.iastate.edu = IASTATE.EDU
.ag.iastate.edu = IASTATE.EDU
.agron.iastate.edu = IASTATE.EDU
.ait.iastate.edu = IASTATE.EDU
It goes on with many of these (we have many 3rd-level domains), but that is
all that I didn't include from my /etc/krb5.conf.
I'm also interested in having longer ticket lifetimes work, as we allow
up to 30-day ticket lifetimes at work, but that's not a showstopper for
what I've wanted to do, so it isn't nearly as important.
Tracy J. Di Marco White
Project Vincent Systems Manager
gendalia@iastate.edu
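To make the layout of the krb5.conf quoted in the mail easy to inspect (sections, repeated `kdc` keys, and the nested `v4_instance_convert` block the telnet problem hinges on), here is an added example parser with a lookup of the v4 instance mapping. It is example code written for this page, not code from the mail or from Heimdal, and the sample configuration it embeds is a constructed excerpt in the same layout, not the full file.

```python
# Constructed sample in the layout of the krb5.conf quoted in the mail (not the full file).
SAMPLE_CONF = """\
[realms]
IASTATE.EDU = {
kdc = kerberos-1.iastate.edu
kdc = kerberos-2.iastate.edu
v4_instance_convert = {
entilzha = entilzha.ait.iastate.edu
}
}
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into nested dicts. Every key maps to a list, because
    keys such as `kdc` may repeat; `key = {` opens a nested dict that `}` closes."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' begins a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]  # new top-level section
        elif not stack:
            raise ValueError("key before any [section]: %r" % line)
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, eq, value = (p.strip() for p in line.partition("="))
            if not eq:
                raise ValueError("expected 'key = value': %r" % line)
            slot = stack[-1].setdefault(key, [])
            if value == "{":
                slot.append({})
                stack.append(slot[-1])               # descend into the new block
            else:
                slot.append(value)
    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return root

def v4_instance_fqdn(conf, realm, short_instance):
    """Host name the realm's v4_instance_convert maps a short v4 instance to, or None."""
    for block in conf.get("realms", {}).get(realm, []):
        for conv in block.get("v4_instance_convert", []):
            if short_instance in conv:
                return conv[short_instance][0]
    return None
```

The parser covers only the syntax that appears in the mail (comments, sections, repeated keys, nested braces), not every krb5.conf extension a real library accepts.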