[6920] in Kerberos
Re: realm conversion question with v4 compatibility
daemon@ATHENA.MIT.EDU (Paul Pomes)
Tue Mar 19 20:22:07 1996
To: kerberos@MIT.EDU
Date: 19 Mar 1996 23:03:04 GMT
From: P-Pomes@Qualcomm.com (Paul Pomes)
P-Pomes@Qualcomm.com (Paul Pomes) writes:
> However when the client presents
>his credentials to hydra1, login fails with "can't decode authenticator"
>error. Obviously different keys are in hydra1:/etc/srvtab and what was
>used by the KDC to encrypt the service ticket.
>
>How do I bring these keys into sync?

After experimentation, inspiration, and a fair amount of plodding, I've
answered my own question. The key (literally) is to make sure both the
v5 and v4 entries use the same key. This implies the same string_to_key
function, same salt type, *AND* key version number.

Recall I was using hydra1.glab.globalstar.com. First I deleted both the
rcmd and host entries for hydra1. I then used av4k to add both entries
again. By re-creating them both I ensured that their key version numbers
were the same (1). Both were given the same password. I then used xst and
xst4 to extract the srvtab and v5srvtab files. V5 services can cope with
a v4 key by examining the salt type. V4 services must have a v4 key.

Ideally there should only have to be one file, the v5srvtab file. This
would probably require modifying all servers such as telnetd to first
convert the principal and then look it up in the /etc/v5srvtab file.
/pbp
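
A check for the mismatch described in this message, added here as an example and not part of the original post: it reads a v4 srvtab and a v5 keytab, converts each v5 name to its v4 form (host/fqdn to rcmd.shortname), and reports entries whose key version number or key bytes differ. It assumes the keytab is in file format version 0x0502; the realm name, key bytes and all function names are constructed for illustration.

```python
import struct

def parse_srvtab(data):
    # v4 srvtab record: service\0 instance\0 realm\0, 1-byte kvno, 8-byte DES key
    out = {}
    while data:
        svc, inst, realm, rest = data.split(b"\0", 3)
        out[(svc.decode(), inst.decode(), realm.decode())] = (rest[0], rest[1:9])
        data = rest[9:]
    return out

def parse_keytab(data):
    # Keytab format 0x0502 (assumed), big-endian; names are returned in v4 form
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = {}, 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size < 0:  # a negative length marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names, off = [], 2
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        # name type (4) and timestamp (4) come first, then kvno, enctype, key length
        kvno, _, klen = struct.unpack_from(">BHH", rec, off + 8)
        svc, inst = names[1], names[2] if len(names) > 2 else ""
        if svc == "host":  # v5 host/fqdn corresponds to v4 rcmd.shortname
            svc, inst = "rcmd", inst.split(".")[0]
        out[(svc, inst, names[0])] = (kvno, rec[off + 13:off + 13 + klen])
    return out

def compare(srvtab, keytab):
    # Report each v4 entry the v5 keytab does not match, and why
    v5, problems = parse_keytab(keytab), []
    for name, (kvno, key) in sorted(parse_srvtab(srvtab).items()):
        other = v5.get(name)
        if other is None:
            problems.append((name, "missing"))
        elif other != (kvno, key):
            problems.append((name, "kvno" if other[0] != kvno else "key"))
    return problems

# Constructed sample: same key in both files, kvno 1 in the srvtab but 2 in the keytab
KEY = bytes(range(1, 9))
SRVTAB = b"rcmd\0hydra1\0EXAMPLE.REALM\0\x01" + KEY
KEYTAB = (b"\x05\x02\0\0\0\x48\0\x02\0\x0dEXAMPLE.REALM\0\x04host\0\x1ahydra1.glab.globalstar.com"
          + struct.pack(">IIBHH", 1, 0, 2, 1, 8) + KEY)
```

An empty list from `compare(SRVTAB, KEYTAB)` means every v4 entry has the same kvno and key on the v5 side.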