Remapping old Kerberos 4 realm name to new Kerberos 5 realm name
Is there a Heimdal equivalent to MIT Kerberos + Ken Hornstein's
monster-patch krb524d [1] --with-krb524-remapping option? I'm trying to
remap an old Kerberos 4 realm name to a new Kerberos 5 realm name as
described in the migration scenario here [2]. If there isn't, I assume I
could use krb524d to replace some Heimdal functionality, but I'd like to
stick with pure Heimdal if at all possible. The specific Heimdal error I am
getting now is:

2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:69.90.152.149 for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:69.90.152.149

I need to map OLD.DOMAIN.COM to NEW.DOMAIN.COM in all above instances.
dclark@NEW.DOMAIN.COM and afs@NEW.DOMAIN.COM exist in the KDC.
Here is an explanation of what --with-krb524-remapping does:
+ --with-krb524-remapping
+
+ This enables code in the 524 ticket converter to map principals
+ in foreign realms to principals in the local realm when getting
+ tickets for the AFS service. This is used to solve the problem
+ of foreign cross-realm users having PTS IDs that don't match
+ their Unix userid. Note that this code has a number of
+ interesting security implications, so do not enable it unless
+ you know what you're doing!
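Review bot: the closing warning in this help text ("a number of interesting security implications") never says what the implications are, so an administrator has nothing to weigh before enabling the option. The text above it already states the core effect: principals in foreign realms are mapped to principals in the local realm when getting tickets for the AFS service. Suggest the warning spell out the consequence of that, namely that the AFS service will see a remapped foreign-realm user as the local principal, and say which foreign realms should be trusted enough for that before the option is turned on.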
[1] Kerberos FAQ: 2.19. What does krb524d do? Do I need to run it?
http://www.faqs.org/faqs/kerberos-faq/general/section-52.html
[2] [OpenAFS] kaserver -> Heimdal where cell name != REALM and using
Windows (krb4) AFS client
https://lists.openafs.org/pipermail/openafs-info/2004-June/013758.html
Thanks,
--
Daniel Joseph Barnhart Clark
http://www.pobox.com/users/dclark