Re: MIT & Heimdal playing together?
Thank you, Henry, for your precise & informative answer!
I found the hprop option you mention: --source=mit-dump
I think this kdb5_util dump option is necessary for compatibility: -b7
I transferred our database as follows:
ssh tor kdb5_util dump -b7 | hprop -d - --source=mit-dump -n | hpropd -n
Unfortunately, it's not quite working:
kadmin> list *
kadmin: get host/tor.lat@LAT: No correct master key
kadmin: get smtp/tor.lat@LAT: No correct master key
[...]
I suspect the problem is that the KDCs use different encryption types.
Our MIT KDC uses des3-hmac-sha1:
kdc.conf: master_key_type = des3-hmac-sha1
While I guess our Heimdal KDC uses des-cbc-crc:
kdc.conf: #master_key_type = des-cbc-crc
I found this lone message concerning transferring Kerberos databases
from MIT to Heimdal:
http://www.stacken.kth.se/lists/heimdal-discuss/2001-10/msg00049.html
However I haven't succeeded in re-keying our database. I thought I need
to create a new des-cbc-crc master key with which to re-key our
database, but kdb5_util stash doesn't allow this.
Has anyone here any suggestions? Or should I ask on the MIT list?
Thanks very much everyone,
Jack
On Oct 4, 2004, at 11:48 AM, Henry B.Hotz wrote:
> Authentication and password changes (kinit and kpasswd) are compatible
> (at least on the wire, and sometimes elsewhere).
>
> Administration and DB propagation (kadmin and {h,k}prop[d]) are not
> compatible.
>
> There is an option for hprop (or is it hpropd?) to support importing a
> MIT dump file. Someone was asking a week or two ago about the other
> direction, but AFAIK there's nothing implemented for that.
>
> On Oct 3, 2004, at 11:40 AM, ms419@freezone.co.uk wrote:
>
>> I'm running MIT Kerberos on one system & Heimdal on another. I tried
>> transferring my Kerberos database from MIT to Heimdal using kdb5_util
>> dump & kadmin: load, but I merely got a bunch of errors:
>>
>> error parsing created event
>>
>> Is there any way to transfer a Kerberos database from MIT to Heimdal?
>>
>> I also tried connecting to the MIT kadmind using the Heimdal kadmin.
>> Unfortunately, kadmin hung indefinitely after prompting for my admin
>> principal's password.
>>
>> Is there, perhaps, some documentation discussing MIT & Heimdal
>> interoperation? What's possible & what's not?
>>
>> I found some related topics on Google & Gmane, but so far no answers.
>>
>> Thank you for any help!
>>
>> Jack
>>
>>
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>