more text on kaserver compatibility from lha@stacken.kth.se
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9544 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -5,9 +5,13 @@
If compiled with version 4 support, the KDC can serve requests from a
Kerberos 4 client. There are a few things you must do for this to work.
You might also want use the built in kaserver emulation in the kdc
when you have AFS-clients that use @code{klog}.
@menu
* Principal conversion issues::
* Converting a version 4 database::
* kaserver::
@end menu
@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
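Review bot: the added sentence "You might also want use the built in kaserver emulation in the kdc when you have AFS-clients that use @code{klog}." is missing a word and is inconsistent with the surrounding text; suggest "You might also want to use the built-in kaserver emulation in the KDC when you have AFS clients that use @code{klog}." Note that the context line above writes "KDC" in capitals while the new text writes "kdc"; pick one spelling for the chapter. The new "* kaserver::" menu entry is fine as long as the node added later is named exactly "kaserver".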
@@ -51,7 +55,7 @@ principal exists in the database. The KDC will use
@code{krb5_425_conv_principal_ext} to convert principals when handling
to version 4 requests.
@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues
@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues
@section Converting a version 4 database
If you want to convert an existing version 4 database, the principal
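Review bot: the rewritten node line has a stray space before the comma in "@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues"; makeinfo tolerates it, but it should read "kaserver," to match the other @node lines in this file. The "next" pointer itself is correct now that a kaserver node follows this section.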
@@ -176,3 +180,38 @@ version 4 uses port 751, not 749).
@emph{And then there are a many more things you can do; more on this in
a later version of this manual. Until then, UTSL.}
@node kaserver, , Converting a version 4 database, Kerberos 4 issues
@section kaserver
@subsection kaserver emulation
The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
server with pre-authentication using Rx as the on-wire protocol. The kdc
contains a minimalistic Rx implementation.
There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
Granting), and KAM (Maintenance). The KAA interface and KAT interface
both passes over DES encrypted data-blobs (just like the
Kerberos-protocol) and thus o not need any other protection. The KAM
interface uses @code{rxkad} (Kerberos authentication layer for Rx) for
security and data protection, and is used for example for changing
passwords. This part is not implemented in the kdc.
Another difference between the ka-protocol and the Kerberos 4 protocol
is that the pass-phrase is salted with the cellname in the @code{string to
key} function in the ka-protocol, while in the Kerberos 4 protocol there
is no salting of the password at all. To make sure AFS-compatible keys
are added to each principals when they are created or their password are
changed, @samp{afs3-salt} should be added to
@samp{[kadmin]default_keys}.
@subsection Transarc AFS Windows client
The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
does not need a kaserver. The Windows client assumes that the Kerberos
server is on the same machine as the AFS-database server. If you do not
like to do that you can add a small program that runs on the database
servers that forward all kerberos requests to the real kerberos
server. A program that does this is @code{krb-forward}
(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}).
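Review bot: several of the added sentences in the "kaserver emulation" subsection have typos and grammatical errors that should be fixed before this ships. "The KAA interface and KAT interface both passes over DES encrypted data-blobs (just like the Kerberos-protocol) and thus o not need any other protection." should read "both pass ... and thus do not need"; "There are three parts of the kaserver" should be "There are three parts to the kaserver"; "added to each principals when they are created or their password are changed" should be "added to each principal when it is created or its password is changed"; and in the Windows client paragraph "If you do not like to do that" should be "If you do not want to do that" and "a small program that runs on the database servers that forward all kerberos requests" should be "that forwards all Kerberos requests". Two documentation gaps: "This part is not implemented in the kdc." about the KAM interface should spell out the consequence for the operator, namely that password changes over the ka-protocol do not work against the emulated kaserver, and which mechanism to use instead; and the @samp{afs3-salt} advice would be clearer with a concrete @samp{[kadmin]} fragment showing the complete @samp{default_keys} value, since the reader currently has to guess the rest of the syntax. Minor wording: "and thus o not need any other protection" overstates the point; "carry their own encryption and so need no transport-level protection" says what is actually meant.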