@c $Id: kerberos4.texi 16370 2005-12-12 12:11:51Z lha $

@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top
@comment  node-name,  next,  previous,  up
@chapter Kerberos 4 issues

The KDC has built-in version 4 support. It is not enabled by default;
see the setup chapter for how to enable it.

The KDC can also emulate a kaserver and handle AFS clients that use
@code{klog}.

@menu
* Principal conversion issues::
* Converting a version 4 database::
* kaserver::
@end menu

@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
@section Principal conversion issues

First, Kerberos 4 and Kerberos 5 principals are different. A version 4
principal consists of a name, an instance, and a realm. A version 5
principal has one or more components, and a realm (the terms ``name''
and ``instance'' are still used, for the first and second component,
respectively). Also, in some cases the name of a version 4 principal
differs from the first component of the corresponding version 5
principal. One notable example is the ``host'' type principals, where
the version 4 name is @samp{rcmd} (for ``remote command''), and the
version 5 name is @samp{host}. For the class of principals that has a
hostname as instance, there is another major difference: Kerberos 4
uses only the first component of the hostname, whereas Kerberos 5 uses
the fully qualified hostname.

Because of this it can be hard or impossible to correctly convert a
version 4 principal to a version 5 principal @footnote{the other way is
not always trivial either, but usually easier}. The biggest problem is
to know if the conversion resulted in a valid principal. To give an
example, suppose you want to convert the principal @samp{rcmd.foo}.

The @samp{rcmd} name suggests that the instance is a hostname (even if
there are exceptions to this rule). To correctly convert the instance
@samp{foo} to a hostname, you have to know which host it is referring
to. You can do this either by guessing (from the realm) which domain
name to append, or by keeping a list of possible hostnames. In the
simplest cases you can cover most principals with the first rule. If you
have several domains sharing a single realm this will not usually
work. If the exceptions are few you can probably get by with a lookup
table for the exceptions.

In a complex scenario you will need some kind of host lookup mechanism.
Using DNS for this is tempting, but DNS is error prone, slow and unsafe
@footnote{at least until secure DNS is commonly available}: whoever
controls the DNS answers controls which hostname, and therefore which
principal, the conversion produces.

Fortunately, the KDC has a trump on hand: it can easily tell whether a
principal exists in the database. The KDC uses
@code{krb5_425_conv_principal_ext} to convert principals when handling
version 4 requests.

@node Converting a version 4 database, kaserver, Principal conversion issues, Kerberos 4 issues
@section Converting a version 4 database

If you want to convert an existing version 4 database, the principal
conversion issue arises too.

If you decide to convert your database once and for all, you will only
have to do this conversion once. It is also possible to run a version 5
KDC as a slave to a version 4 KDC. In this case the conversion will
happen every time the database is propagated. When doing this
conversion, there are a few things to look out for. Some entries in the
database will not be converted, either because they are stale principals
that are not used anymore, or simply because the principal couldn't be
converted. Check the list of unconverted entries, so that a principal
that is still in use does not silently disappear.

You might also see problems with a many-to-one mapping of
principals. For instance, if you are using DNS lookups and you have two
principals @samp{rcmd.foo} and @samp{rcmd.bar}, where @samp{foo} is a CNAME
for @samp{bar}, the resulting principals will be the same. Since the
conversion function can't tell which is correct, these conflicts will
have to be resolved manually.

@subsection Conversion example

Given the following set of hosts and services:

@example
foo.se          rcmd
mail.foo.se     rcmd, pop
ftp.bar.se      rcmd, ftp
@end example

you have a database that consists of the following principals:

@samp{rcmd.foo}, @samp{rcmd.mail}, @samp{pop.mail}, @samp{rcmd.ftp}, and
@samp{ftp.ftp}.

Let's say you also have these extra principals: @samp{rcmd.gone} and
@samp{rcmd.old-mail}, where @samp{gone.foo.se} was a machine that has
now passed away, and @samp{old-mail.foo.se} was an old mail machine that
is now a CNAME for @samp{mail.foo.se}.
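To make the conversion rules from the previous section concrete, here is a small dry-run model of the version 4 to version 5 mapping. It is an added example written for this manual, not Heimdal code, and it does not call @code{krb5_425_conv_principal_ext}. It implements the same three rules the @file{krb5.conf} fragment in this section expresses (@samp{v4_name_convert}, @samp{v4_instance_convert} and @samp{default_domain}), and on top of them the two things the text says the static rules cannot do on their own: refuse to invent a principal for a host that no longer exists, and report the many-to-one collisions that a CNAME produces. The realm, the host table standing in for DNS (or for the KDC's own knowledge of its database), and the list of version 4 principals are all constructed for the example; the @code{ConvRules} and @code{lookup_host} names are the example's own.

```python
"""Dry run of Kerberos 4 -> Kerberos 5 principal conversion.

Added example; not Heimdal code and not krb5_425_conv_principal_ext. It models the
krb5.conf rules used in this section (v4_name_convert, v4_instance_convert,
default_domain) and adds what the text says the static rules lack: a host
existence check (dead hosts are dropped instead of becoming junk principals) and
detection of many-to-one collisions caused by CNAMEs. All sample data is made up.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # qualified host -> canonical host, None if unknown


@dataclass
class ConvRules:
    """The [realms] settings in krb5.conf that drive v4 -> v5 conversion."""
    default_domain: Optional[str]
    name_convert_host: dict[str, str] = field(default_factory=dict)  # v4 name -> v5 name
    instance_convert: dict[str, str] = field(default_factory=dict)   # short host -> FQDN


def parse_v4(principal: str) -> tuple[str, str, str]:
    """Split 'name.instance@REALM' into (name, instance, realm); instance may be ''."""
    body, sep, realm = principal.partition("@")
    if not sep or not realm:
        raise ValueError(f"v4 principal without realm: {principal!r}")
    name, _, instance = body.partition(".")  # a v4 name cannot contain '.'
    if not name:
        raise ValueError(f"v4 principal without name: {principal!r}")
    return name, instance, realm


def convert_425(principal: str, rules: ConvRules,
                resolve: Optional[Resolver] = None) -> Optional[str]:
    """Return the v5 principal for a v4 one, or None if it must be dropped.

    Without a resolver this is the static krb5.conf behaviour, which 'works too
    well': every host instance gets default_domain appended, existing or not.
    With a resolver, unknown hosts are dropped and CNAMEs fold to their target.
    """
    name, instance, realm = parse_v4(principal)
    if name not in rules.name_convert_host:
        # Not a host-type principal (a user, or user.admin): components map 1:1.
        return "/".join([name] + ([instance] if instance else [])) + "@" + realm
    if not instance:
        return None  # a host-type name needs a hostname instance
    if instance in rules.instance_convert:
        host = rules.instance_convert[instance]      # the 'hosts file in disguise'
    elif rules.default_domain:
        host = f"{instance}.{rules.default_domain}"  # guess from the realm's domain
    else:
        return None  # no default_domain and no table entry: cannot qualify
    if resolve is not None:
        host = resolve(host)
        if host is None:
            return None  # host has passed away: do not create a junk principal
    return f"{rules.name_convert_host[name]}/{host}@{realm}"


def convert_database(principals: list[str], rules: ConvRules,
                     resolve: Optional[Resolver] = None):
    """Convert a whole v4 database, reporting dropped entries and collisions."""
    converted: dict[str, str] = {}
    dropped: list[str] = []
    sources: dict[str, list[str]] = {}
    for p in principals:
        v5 = convert_425(p, rules, resolve)
        if v5 is None:
            dropped.append(p)
            continue
        converted[p] = v5
        sources.setdefault(v5, []).append(p)
    # Two v4 principals landing on one v5 principal must be resolved by hand.
    conflicts = {v5: srcs for v5, srcs in sources.items() if len(srcs) > 1}
    return converted, dropped, conflicts


# Constructed sample realm, matching the conversion example in this section.
RULES = ConvRules(default_domain="foo.se",
                  name_convert_host={"ftp": "ftp", "pop": "pop", "rcmd": "host"},
                  instance_convert={"foo": "foo.se", "ftp": "ftp.bar.se"})
# Stand-in for DNS (or the KDC's own database) saying which hosts exist;
# gone.foo.se is deliberately absent because that machine has passed away.
KNOWN_HOSTS = {"foo.se": "foo.se", "mail.foo.se": "mail.foo.se", "ftp.bar.se": "ftp.bar.se",
               "old-mail.foo.se": "mail.foo.se"}  # old-mail is a CNAME for mail
V4_DATABASE = ["rcmd.foo@FOO.SE", "rcmd.mail@FOO.SE", "pop.mail@FOO.SE", "rcmd.ftp@FOO.SE",
               "ftp.ftp@FOO.SE", "rcmd.gone@FOO.SE", "rcmd.old-mail@FOO.SE",
               "lha@FOO.SE", "lha.admin@FOO.SE"]


def lookup_host(host: str) -> Optional[str]:
    return KNOWN_HOSTS.get(host)


if __name__ == "__main__":
    print("static rules only:", convert_425("rcmd.gone@FOO.SE", RULES))
    conv, dropped, conflicts = convert_database(V4_DATABASE, RULES, lookup_host)
    for v4, v5 in conv.items():
        print(f"{v4:24} -> {v5}")
    print("dropped:  ", dropped)
    print("conflicts:", conflicts)
```

Run without a resolver, @samp{rcmd.gone} is cheerfully turned into @samp{host/gone.foo.se}, which is exactly the ``works too well'' behaviour described below. With the host table plugged in, @samp{rcmd.gone} is dropped, and @samp{rcmd.old-mail} folds onto @samp{host/mail.foo.se}, where it collides with @samp{rcmd.mail} and is reported as a conflict to be resolved by hand rather than silently overwritten. Dropping @samp{default_domain} from the rules makes every host instance not listed in @samp{v4_instance_convert} unconvertible, which is why the text says you then need a table entry for every host.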

When you convert this database you want the following conversions to be
done:
@example
rcmd.foo        host/foo.se
rcmd.mail       host/mail.foo.se
pop.mail        pop/mail.foo.se
rcmd.ftp        host/ftp.bar.se
ftp.ftp         ftp/ftp.bar.se
rcmd.gone       @i{removed}
rcmd.old-mail   @i{removed}
@end example

A @file{krb5.conf} that does this looks like:

@example
[realms]
        FOO.SE = @{
                v4_name_convert = @{
                        host = @{
                                ftp = ftp
                                pop = pop
                                rcmd = host
                        @}
                @}
                v4_instance_convert = @{
                        foo = foo.se
                        ftp = ftp.bar.se
                @}
                default_domain = foo.se
        @}
@end example

The @samp{v4_name_convert} section says which names should be considered
as having an instance consisting of a hostname, and it also says how the
names should be converted (for instance @samp{rcmd} should be converted
to @samp{host}). The @samp{v4_instance_convert} section says how a
hostname should be qualified (this is just a hosts file in
disguise). Host instances that aren't covered by
@samp{v4_instance_convert} are qualified by appending the contents of
@samp{default_domain}.

Actually, this example doesn't work. Or rather, it works too well. Since
it has no way of knowing which hostnames are valid and which are not, it
will happily convert @samp{rcmd.gone} to @samp{host/gone.foo.se}. This
isn't a big problem, but if you have run your Kerberos realm for a few
years, chances are that you have quite a few ``junk'' principals.

If you don't want this you can remove the @samp{default_domain}
statement, but then you will have to add entries for @emph{all} your hosts
in the @samp{v4_instance_convert} section.

Instead of doing this you can use DNS to convert instances. This is not
a solution without problems, but it is probably easier than adding lots
of static host entries.

To enable DNS lookup you should turn on @samp{v4_instance_resolve} in
the @samp{[libdefaults]} section.

@subsection Converting a database

The database conversion is done with @samp{hprop}. You can run this
command to propagate the database to the machine called
@samp{slave-server} (which should be running an @samp{hpropd}):

@example
hprop --source=krb4-db --master-key=/.m slave-server
@end example

This command can also be used for converting the v4 database on the
server itself:

@example
hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n
@end example

@section Version 4 Kadmin

@samp{kadmind} can act as a version 4 kadmind, and you can do most
operations, but with some restrictions (since the version 4 kadmin
protocol is, let's say, very ad hoc). One example is that it only passes
(single) DES keys when creating principals and changing passwords
(modern kpasswd clients do send the password, so it's possible to do
password quality checks). Because of this you can only create principals
with DES keys, and you can't set any flags or do any other fancy stuff.

To get this to work, you have to add another entry to inetd (since
version 4 uses port 751, not 749).

@emph{And then there are many more things you can do; more on this in
a later version of this manual. Until then, UTSL.}

@node kaserver, , Converting a version 4 database, Kerberos 4 issues
@section kaserver

@subsection kaserver emulation

The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
server with pre-authentication, using Rx as the on-wire protocol. The kdc
contains a minimalistic Rx implementation.

There are three parts of the kaserver: KAA (Authentication), KAT (Ticket
Granting), and KAM (Maintenance). The KAA and KAT interfaces both pass
DES-encrypted data blobs (just like the Kerberos protocol) and thus do
not need any other protection. The KAM interface uses @code{rxkad} (the
Kerberos authentication layer for Rx) for security and data protection,
and is used for example for changing passwords. This part is not
implemented in the kdc.

Another difference between the ka-protocol and the Kerberos 4 protocol
is that the pass-phrase is salted with the cell name in the @code{string to
key} function in the ka-protocol, while in the Kerberos 4 protocol there
is no salting of the password at all. To make sure AFS-compatible keys
are added to each principal when it is created or its password is
changed, @samp{afs3-salt} should be added to
@samp{[kadmin]default_keys}.

@subsection Transarc AFS Windows client

The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
does not need a kaserver. The Windows client assumes that the Kerberos
server is on the same machine as the AFS database server. If you do not
want to do that, you can add a small program that runs on the database
servers and forwards all Kerberos requests to the real Kerberos
server. A program that does this is @code{krb-forward}
(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}).