[2633] in Kerberos
Re: Mixing V4 & V5
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Mar 18 19:55:57 1993
Date: Thu, 18 Mar 93 19:46:16 -0500
From: Theodore Ts'o <tytso@Athena.MIT.EDU>
To: kerberos@Athena.MIT.EDU
In-Reply-To: Joe Ramus's message of Mon, 8 Mar 93 15:04:46 PST,
Here's an excerpt of my answer to Joe Ramus's query about mixing V4 and
V5 Kerberos.
- Ted
--------------------------------------------------------
When you request a V4 application ticket, say for example
rcmd.tsx-11@ATHENA.MIT.EDU, the KDC automatically calls the routine
krb5_425_conv_principal() which converts the V4 principal name to the V5
principal: host/tsx-11.mit.edu@ATHENA.MIT.EDU. This happens
automatically so that you don't need to have two service principals for
V4 and V5 operation.
How we're currently operating at MIT is that our master Kerberos server
is still a V4 server, and we are running our V5 KDC slaved off of our V4
KDC, using the program kdb5_convert to take a V4 slave propagation file
and convert it into a V5 Kerberos Database. This program automatically
converts the V4 principal names to the V5 principal format before
storing it in the V5 Kerberos Database. This way, V5 KDB lookups work
automatically, and V4 requests, which are converted to the V5 format
before doing the lookup, also work, without requiring that we double the
size of our database.
Unfortunately, in the Beta 2 distribution, I forgot to fix the kdb5_edit
extract_v4_srvtab function to call the krb5_425_conv_principal function.
(We don't need this functionality yet, since when we need to create a V4
srvtab, we extract it from the V4 master Kerberos server; hence, I
didn't notice this problem before the Beta 2 release.) So, what you're
going to need to do is to do an extract_v4_srvtab using the V5 convention
of "host/hostname.domain.gov@REALM", and then use an editor which can
handle binary data, such as GNU emacs, to change "host" to "rcmd", and
"hostname.domain.gov" to "hostname". The V4 srvtab format uses
NULL-terminated strings, so it will be safe to delete ".domain.gov", as
long as you don't get the trailing NULL character as well.
If this is really a problem, I can try to fix the problem right away,
and send you patches to kdb5_edit.c --- in any case, I will make sure
this problem is fixed before the next BETA release. (Sorry, I don't
have a planned timeframe for that yet.)
Sorry for the inconvenience!
- Ted
P.S. You may want to take a look at the V4 to V5 principal name
conversion routine --- it is configurable, and some sites may need to
change it, depending on what Kerberos services they are running.
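Added example, not part of Ted's message or of the Kerberos sources: a small C program that models the two operations the message describes. v4_to_v5_principal() is a simplified stand-in for krb5_425_conv_principal (assumptions: only the "rcmd" service is renamed to "host", the domain to append is passed in as a parameter, and the real routine's configurable mapping table is not reproduced). srvtab_v5_to_v4() does the binary edit the message suggests doing by hand in Emacs, rewriting "host" to "rcmd" and cutting the instance at its first dot while always emitting each NUL terminator, so a terminator cannot be lost. The assumed V4 srvtab entry layout (name, instance and realm as NUL-terminated strings, a one-byte key version number, an 8-byte key) should be checked against your krb4 sources; the sample entry and its key bytes are constructed, and both function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the V4 -> V5 principal name mapping (assumption: not the
 * real, configurable krb5_425_conv_principal). Only "rcmd" is renamed to
 * "host", and that service's instance gets ".<domain>" appended.
 * Input form: "name[.instance]@REALM". Returns 0 on success, -1 on error. */
int v4_to_v5_principal(const char *v4, const char *domain, char *out, size_t outlen)
{
    char name[64], inst[64];
    const char *at = strrchr(v4, '@');
    if (at == NULL)
        return -1;
    const char *dot = memchr(v4, '.', (size_t)(at - v4));  /* name/instance separator */
    size_t nlen = dot ? (size_t)(dot - v4) : (size_t)(at - v4);
    size_t ilen = dot ? (size_t)(at - dot - 1) : 0;
    if (nlen == 0 || nlen >= sizeof name || ilen >= sizeof inst)
        return -1;
    memcpy(name, v4, nlen);
    name[nlen] = '\0';
    memcpy(inst, dot ? dot + 1 : "", ilen);
    inst[ilen] = '\0';

    int n;
    if (ilen == 0)                       /* plain user principal: unchanged */
        n = snprintf(out, outlen, "%s%s", name, at);
    else if (strcmp(name, "rcmd") == 0)  /* rcmd.host -> host/host.domain */
        n = snprintf(out, outlen, "host/%s.%s%s", inst, domain, at);
    else                                 /* other services: '.' becomes '/' */
        n = snprintf(out, outlen, "%s/%s%s", name, inst, at);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Assumed V4 srvtab entry layout: name\0 instance\0 realm\0 kvno(1) key(8).
 * Rewrites every entry named "host" to "rcmd" and cuts its instance at the
 * first '.', copying the kvno and key bytes through unchanged. Every string
 * terminator is written explicitly. Returns bytes written, or -1 if an entry
 * is unterminated/truncated or the output buffer is too small. */
long srvtab_v5_to_v4(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen)
{
    size_t ip = 0, op = 0;
    while (ip < inlen) {
        const char *field[3];
        size_t flen[3];
        for (int i = 0; i < 3; i++) {          /* name, instance, realm */
            const uint8_t *nul = memchr(in + ip, 0, inlen - ip);
            if (nul == NULL)
                return -1;                     /* unterminated string */
            field[i] = (const char *)(in + ip);
            flen[i] = (size_t)(nul - (in + ip));
            ip += flen[i] + 1;
        }
        if (inlen - ip < 9)
            return -1;                         /* truncated kvno + key */
        if (strcmp(field[0], "host") == 0) {
            field[0] = "rcmd";
            flen[0] = 4;
            const char *d = memchr(field[1], '.', flen[1]);
            if (d != NULL)
                flen[1] = (size_t)(d - field[1]);  /* drop ".domain" */
        }
        size_t need = flen[0] + flen[1] + flen[2] + 3 + 9;
        if (outlen - op < need)
            return -1;
        for (int i = 0; i < 3; i++) {
            memcpy(out + op, field[i], flen[i]);
            op += flen[i];
            out[op++] = 0;                     /* terminator always kept */
        }
        memcpy(out + op, in + ip, 9);
        op += 9;
        ip += 9;
    }
    return (long)op;
}

/* Constructed sample: one srvtab entry written with the V5 naming convention.
 * The key bytes are dummies, not a real key. */
static const uint8_t SAMPLE_V5_SRVTAB[] =
    "host\0tsx-11.mit.edu\0ATHENA.MIT.EDU\0"
    "\x01"                                  /* key version number */
    "\x11\x22\x33\x44\x55\x66\x77\x88";     /* 8-byte DES key (dummy) */
#define SAMPLE_V5_SRVTAB_LEN (sizeof SAMPLE_V5_SRVTAB - 1)  /* drop literal's NUL */

int main(void)
{
    char v5[128];
    uint8_t fixed[64];
    if (v4_to_v5_principal("rcmd.tsx-11@ATHENA.MIT.EDU", "mit.edu", v5, sizeof v5) == 0)
        printf("V4 rcmd.tsx-11@ATHENA.MIT.EDU -> V5 %s\n", v5);
    long n = srvtab_v5_to_v4(SAMPLE_V5_SRVTAB, SAMPLE_V5_SRVTAB_LEN, fixed, sizeof fixed);
    printf("rewritten srvtab: %ld bytes:", n);
    for (long i = 0; i < n; i++)
        printf(" %02x", fixed[i]);
    printf("\n");
    return n < 0;
}
```

The rewritten entry for the sample is "rcmd\0tsx-11\0ATHENA.MIT.EDU\0" followed by the same nine key bytes (36 bytes instead of 44); a truncated input makes srvtab_v5_to_v4() return -1 rather than emit a partial entry.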