Kerberos 5-to-4 ticket conversion (aklog with Heimdal?)

Assar Westerlund assar at stacken.kth.se
Fri May 25 18:53:53 CEST 2001


"Economou, Matthew [EESUS]" <MEconom at EESUS.JNJ.com> writes:
> > Do you forward v5 packets for your Unix server to the Windows KDC also?
> 
> I should, but I don't.  I haven't bothered with figuring out how to set
> up port forwarding on Linux with ipchains, and kinit and friends don't
> complain when they can't contact the fake KDC.

Since it tries all the KDCs, that should work fine.

> Perhaps the Heimdal client software cannot find the 524 service?  I don't
> know how to specify it in krb5.conf (it's not documented in the manual
> page), and "krb524_server=eco-afs1.cinci.irtnog.org" doesn't work.  In
> lieu of that,

The code that you're running doesn't support specifying the 524
service different from the KDC(s), but the next release will.

> | eco-web1# afslog -d
> | afslog: Failed getting tokens for cell (local cell) in realm (local realm).
> | eco-web1# afslog -d -c irtnog.org
> | afslog: Failed getting tokens for cell irtnog.org in realm (local realm).
> | eco-web1# afslog -d -c irtnog.org -k IRTNOG.ORG
> | afslog: Failed getting tokens for cell irtnog.org in realm (local realm).
> 
> afslog doesn't even obtain a V5 afs service ticket.

So it sounds like it fails before doing the 524 step?  Could you try
running tcpdump on your machine and see what host/ports it tries to
communicate with?

> The AFS Migration Kit's configure complains that it can't find
> libkrb524:
> 
> | eco-mx1# ./configure
> | ...various messages, including "Setting compilation parameters for pre-AFS 3.5"...
> | checking directories for -lkrb524... not found
> | Cannot find 524 library, exiting

Since I think that the needed function is implemented in libkrb5, the
configure.in would probably have to be modified to look for it in
-lkrb5 instead.

/assar





More information about the Arla-drinkers mailing list