[ Team LiB ] |
8.2 Using Kerberos 4 Services with Kerberos 5Those who have Kerberos 4 services that need to be integrated into a Kerberos 5 realm need to implement the Kerberos 5-to-4 ticket translator daemon. Both MIT and Heimdal include support for this protocol, the krb524 protocol. As discussed in Chapter 3, the only limit on where the krb524 daemon can run is that the daemon must have access to the service keys for the Kerberos 4-based services for which it translates tickets. The MIT Kerberos 5 distribution includes a separate krb524 daemon, krb524d. There are two different modes of operation that krb524d supports: master and keytab. The master mode is meant to be run on a KDC in the Kerberos realm, and reads the necessary service keys directly from the Kerberos database. If it is not possible to run the krb524d directly on the KDC, then the second mode of operation can be used: keytab. Keytab mode requires that a Kerberos keytab be installed on the machine running krb524d that includes the service keys for all of the Kerberos 4 services in the realm. The command-line arguments to krb524d are summarized below: # krb524d Usage: krb524d [-k[eytab]] [-m[aster] [-r realm]] [-nofork] Either the -k or the -m options are required. The -m option enables the master mode, as described above, where krb524d reads the necessary service keys directly from the Kerberos database on the local disk. The -k option requires an argument, namely, the keytab where the keys are stored for the Kerberos 4 services located in the Kerberos 5 realm. As an example, let's create a service principal for a popular Kerberos 4-based service, the AFS network filesystem. We first create a service principal for AFS, ensuring that the only encryption type associated with the new principal is single DES. With MIT Kerberos, the kadmin commands to create this principal would be similar to the following: > kadmin Authenticating as principal jgarman/admin@UNIX.SAMPLE.COM with password. Enter password: kadmin: addprinc -randkey -e des-cbc-crc:v4 afs/unix.sample.com@UNIX.SAMPLE.COM WARNING: no policy specified for afs/unix.sample.com@UNIX.SAMPLE.COM; defaulting to no policy Principal "afs/unix.sample.com@UNIX.SAMPLE.COM" created. After the principal has been created, the keytab can be extracted to a file, which can be placed on the machine running the krb524d daemon. kadmin: ktadd -k /tmp/afs.keytab -e des-cbc-crc:v4 afs/unix.sample.com@UNIX.SAMPLE.COM Entry for principal afs/unix.sample.com@UNIX.SAMPLE.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/afs.keytab. Heimdal Kerberos also includes the Kerberos 5-to-4 ticket translator daemon, but it is integrated with the rest of the KDC and does not require running a separate daemon. |
[ Team LiB ] |