From 8bec800fd877c4245fded1c25f90ff6b075ec557 Mon Sep 17 00:00:00 2001 From: Assar Westerlund Date: Sun, 28 Jan 2001 21:59:17 +0000 Subject: [PATCH] more text on kaserver compatability from lha@stacken.kth.se git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9544 ec53bebd-3082-4978-b11e-865c3cabbd6b --- doc/kerberos4.texi | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/doc/kerberos4.texi b/doc/kerberos4.texi index 3bfb04c75..23a8cb4d1 100644 --- a/doc/kerberos4.texi +++ b/doc/kerberos4.texi @@ -5,9 +5,13 @@ If compiled with version 4 support, the KDC can serve requests from a Kerberos 4 client. There are a few things you must do for this to work. +You might also want use the built in kaserver emulation in the kdc +when you have AFS-clients that use @code{klog}. + @menu * Principal conversion issues:: * Converting a version 4 database:: +* kaserver:: @end menu @node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues @@ -51,7 +55,7 @@ principal exists in the database. The KDC will use @code{krb5_425_conv_principal_ext} to convert principals when handling to version 4 requests. -@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues +@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues @section Converting a version 4 database If you want to convert an existing version 4 database, the principal 
@@ -176,3 +180,38 @@ version 4 uses port 751, not 749). @emph{And then there are a many more things you can do; more on this in a later version of this manual. Until then, UTSL.} + +@node kaserver, , Converting a version 4 database, Kerberos 4 issues +@section kaserver + +@subsection kaserver emulation + +The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 +server with pre-authentication using Rx as the on-wire protocol. The kdc +contains a minimalistic Rx implementation. + +There are three parts of the kaserver; KAA (Authentication), KAT (Ticket +Granting), and KAM (Maintenance). The KAA interface and KAT interface +both passes over DES encrypted data-blobs (just like the +Kerberos-protocol) and thus o not need any other protection. The KAM +interface uses @code{rxkad} (Kerberos authentication layer for Rx) for +security and data protection, and is used for example for changing +passwords. This part is not implemented in the kdc. + +Another difference between the ka-protocol and the Kerberos 4 protocol +is that the pass-phrase is salted with the cellname in the @code{string to +key} function in the ka-protocol, while in the Kerberos 4 protocol there +is no salting of the password at all. To make sure AFS-compatible keys +are added to each principals when they are created or their password are +changed, @samp{afs3-salt} should be added to +@samp{[kadmin]default_keys}. + +@subsection Transarc AFS Windows client + +The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus +does not need a kaserver. The Windows client assumes that the Kerberos +server is on the same machine as the AFS-database server. If you do not +like to do that you can add a small program that runs on the database +servers that forward all kerberos requests to the real kerberos +server. A program that does this is @code{krb-forward} +(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}).
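Review bot: the first hunk (@@ -5,9 +5,13) introduces the kaserver emulation with a sentence that is missing a word: "You might also want use the built in kaserver emulation in the kdc" should read "You might also want to use the built-in kaserver emulation in the KDC when you have AFS clients that use @code{klog}". The new `* kaserver::` menu entry carries no description; the two existing entries do not either, so it is consistent, but a short gloss such as `* kaserver:: Emulating an AFS kaserver in the KDC` would make the menu more useful.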
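Review bot: the changed @node line in the second hunk (@@ -51,7 +55,7) has a stray space before the comma in the Next pointer, `kaserver ,`. Texinfo tolerates it, but no other @node line in this file has it, so write `@node Converting a version 4 database, kaserver, Principal conversion issues, Kerberos 4 issues` for consistency.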
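Review bot: in the third hunk (@@ -176,3 +180,38) the salting paragraph says the pass-phrase is salted with the cell name in the ka-protocol string-to-key function, but the configuration advice that follows only names the `afs3-salt` token to add to `@samp{[kadmin]default_keys}` and does not show where the cell name is supplied; give one complete `default_keys` line so an administrator can see how the cell is attached to the salt. The same section states that the KAM (Maintenance) interface is not implemented in the KDC, so password changes cannot go through the kaserver path; say what users should use instead, since that is the first question an AFS site will ask. Several typos should also be fixed in the added text: "both passes over DES encrypted data-blobs" should be "both pass DES-encrypted data blobs", "thus o not need any other protection" should be "thus do not need any other protection", "added to each principals when they are created or their password are changed" should be "added to each principal when it is created or its password is changed", and in the Windows client subsection "If you do not like to do that" reads better as "If you do not want to do that" and "kerberos" should be capitalised as "Kerberos" as elsewhere in the file.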