Kerberos 5-to-4 ticket conversion (aklog with Heimdal?)
Economou, Matthew [EESUS]
MEconom at EESUS.JNJ.com
Fri May 25 17:25:41 CEST 2001
"Assar Westerlund" <assar at stacken.kth.se> writes:
> "Economou, Matthew [EESUS]" <MEconom at EESUS.JNJ.com> writes:
>
> > krb524d can be configured to read the unencrypted V5
> > ticket from the keytab.
>
> Storing the key of the krbtgt service in a keytab on the machine
> running krb524d?
Actually, storing the key of the "afs" service in a keytab on the
machine running krb524d. Only the "afs" key needs to be converted.
> Do you forward v5 packets from your Unix server to the Windows KDC also?
I should, but I don't. I haven't bothered with figuring out how to set
up port forwarding on Linux with ipchains, and kinit and friends don't
complain when they can't contact the fake KDC.
> heimdal's kauth/afslog use the 524 protocol to obtain the ticket
>
> It sounds to me that you would want to use heimdal's programs. As to
> why that doesn't work, I would need some more details on how it fails
> to diagnose that for you.
Perhaps the Heimdal client software cannot find the 524 service? I don't
know how to specify it in krb5.conf (it's not documented in the manual page),
and "krb524_server=eco-afs1.cinci.irtnog.org" doesn't work. In lieu of that,
I've listed both the domain controller and the krb524 server as KDCs, just
like my MIT clients:
| [libdefaults]
| default_realm=IRTNOG.ORG
| default_etypes=des-cbc-crc
| default_etypes_des=des-cbc-crc
| [realms]
| IRTNOG.ORG={
| kdc=eco-dc1.cinci.irtnog.org:88
| kdc=eco-afs1.cinci.irtnog.org:88
| }
| CINCI.IRTNOG.ORG={
| kdc=eco-dc2.cinci.irtnog.org:88
| }
| [domain_realm]
| .irtnog.org=IRTNOG.ORG
| .cinci.irtnog.org=CINCI.IRTNOG.ORG
| [logging]
| default=SYSLOG:INFO:USER
| kdc=SYSLOG:INFO
I can authenticate successfully:
| eco-web1# kinit sacmxe
| sacmxe at IRTNOG.ORG's Password:
| eco-web1# klist
| Credentials cache: FILE:/tmp/krb5cc_0
| Principal: sacmxe at IRTNOG.ORG
|
| Issued Expires Principal
| May 25 10:24:52 May 25 20:24:50 krbtgt/IRTNOG.ORG at IRTNOG.ORG
But afslog just doesn't work, and I don't understand the error message:
| eco-web1# afslog -d
| afslog: Failed getting tokens for cell (local cell) in realm (local realm).
| eco-web1# afslog -d -c irtnog.org
| afslog: Failed getting tokens for cell irtnog.org in realm (local realm).
| eco-web1# afslog -d -c irtnog.org -k IRTNOG.ORG
| afslog: Failed getting tokens for cell irtnog.org in realm (local realm).
afslog doesn't even obtain a V5 afs service ticket.
> I don't see why aklog wouldn't work. It should use the same pioctl
> syscall to install the token. What 524 functions are you missing?
> krb524_convert_creds_kdc is in Heimdal's libkrb5.
The AFS Migration Kit's configure complains that it can't find
libkrb524:
| eco-mx1# ./configure
| ...various messages, including "Setting compilation parameters for pre-AFS 3.5"...
| checking directories for -lkrb524... not found
| Cannot find 524 library, exiting
But I would prefer to use Heimdal, as replacing it on NetBSD would be
labor-intensive.
#\Matthew
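The krb5.conf above decides two things a client trusts blindly: which hosts it treats as KDCs for a realm, and which realm a host name maps to through [domain_realm]. The following is an added example, not code from the post, from Heimdal or from the Arla project. It parses the exact Heimdal-style subset used in the post (section headers, key=value lines, and `NAME={ ... }` realm blocks) and applies the standard [domain_realm] lookup rule (exact host first, then each parent domain with a leading dot, longest suffix wins, falling back to default_realm); the sample config text is copied from the post, and the function and variable names are my own.

```python
"""Minimal krb5.conf parser for the Heimdal-style syntax in the post.

Constructed example, not Heimdal code. It handles only the subset the
post uses: [section] headers, key=value lines, and NAME={ ... } blocks
inside [realms]. Repeated keys (for example several kdc= lines)
accumulate into a list, which is how the client ends up with more than
one KDC to contact for a realm.
"""
import re

# Constructed sample: the configuration quoted in the post.
SAMPLE_CONF = """\
[libdefaults]
default_realm=IRTNOG.ORG
default_etypes=des-cbc-crc
default_etypes_des=des-cbc-crc
[realms]
IRTNOG.ORG={
kdc=eco-dc1.cinci.irtnog.org:88
kdc=eco-afs1.cinci.irtnog.org:88
}
CINCI.IRTNOG.ORG={
kdc=eco-dc2.cinci.irtnog.org:88
}
[domain_realm]
.irtnog.org=IRTNOG.ORG
.cinci.irtnog.org=CINCI.IRTNOG.ORG
[logging]
default=SYSLOG:INFO:USER
kdc=SYSLOG:INFO
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; realm blocks nest one level deeper."""
    conf = {}
    section = None
    block = None  # name of the current NAME={ ... } block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside a section: {line!r}")
        if line == "}":
            block = None
            continue
        if line.endswith("{"):
            # "IRTNOG.ORG={" or "IRTNOG.ORG = {" both name a block.
            block = line[:-1].rstrip().rstrip("=").strip()
            conf[section].setdefault(block, {})
            continue
        key, _, value = line.partition("=")
        target = conf[section][block] if block else conf[section]
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def kdcs_for_realm(conf, realm):
    """Hosts the client will send AS/TGS requests to for this realm."""
    realm_conf = conf.get("realms", {}).get(realm)
    if realm_conf is None:
        return []
    return list(realm_conf.get("kdc", []))


def realm_for_host(conf, hostname):
    """Map a host to a realm with the standard [domain_realm] rule.

    Tries the exact host, then ".cinci.irtnog.org", ".irtnog.org", ".org"
    in that order (longest suffix first), then falls back to default_realm.
    """
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand][0]
    defaults = conf.get("libdefaults", {}).get("default_realm")
    return defaults[0] if defaults else None


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for realm in ("IRTNOG.ORG", "CINCI.IRTNOG.ORG"):
        print(realm, "->", kdcs_for_realm(conf, realm))
    for host in ("eco-web1.cinci.irtnog.org", "eco-afs1.irtnog.org"):
        print(host, "->", realm_for_host(conf, host))
```

Run it against the post's config and the output makes the two trust decisions explicit: the krb524 host eco-afs1 is listed as a full KDC for IRTNOG.ORG, so kinit and friends will send it real AS/TGS traffic (which is why they silently try it, as the post describes), and a host under cinci.irtnog.org maps to CINCI.IRTNOG.ORG rather than to the default realm because the longer [domain_realm] suffix wins.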