xref: /freebsd/crypto/heimdal/doc/kerberos4.texi (revision d6b92ffa) 
1@c $Id$
2
3@node Kerberos 4 issues, Windows compatibility, Things in search for a better place, Top
4@comment  node-name,  next,  previous,  up
5@chapter Kerberos 4 issues
6
7Kerberos 4 KDC and KA server have been moved.
8
9For more about AFS, see the section @xref{AFS}.
10
11@menu
12* Principal conversion issues::
13* Converting a version 4 database::
14@end menu
15
16@node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues
17@section Principal conversion issues
18
19First, Kerberos 4 and Kerberos 5 principals are different. A version 4
20principal consists of a name, an instance, and a realm. A version 5
21principal has one or more components, and a realm (the terms ``name''
22and ``instance'' are still used, for the first and second component,
23respectively).    Also, in some cases the name of a version 4 principal
24differs from the first component of the corresponding version 5
25principal. One notable example is the ``host'' type principals, where
26the version 4 name is @samp{rcmd} (for ``remote command''), and the
27version 5 name is @samp{host}. For the class of principals that has a
28hostname as instance, there is an other major difference, Kerberos 4
29uses only the first component of the hostname, whereas Kerberos 5 uses
30the fully qualified hostname.
31
32Because of this it can be hard or impossible to correctly convert a
33version 4 principal to a version 5 principal @footnote{the other way is
34not always trivial either, but usually easier}. The biggest problem is
35to know if the conversion resulted in a valid principal. To give an
36example, suppose you want to convert the principal @samp{rcmd.foo}.
37
38The @samp{rcmd} name suggests that the instance is a hostname (even if
39there are exceptions to this rule). To correctly convert the instance
40@samp{foo} to a hostname, you have to know which host it is referring
41to. You can to this by either guessing (from the realm) which domain
42name to append, or you have to have a list of possible hostnames. In the
43simplest cases you can cover most principals with the first rule. If you
44have several domains sharing a single realm this will not usually
45work. If the exceptions are few you can probably come by with a lookup
46table for the exceptions.
47
48In a complex scenario you will need some kind of host lookup mechanism.
49Using DNS for this is tempting, but DNS is error prone, slow and unsafe
50@footnote{at least until secure DNS is commonly available}.
51
52Fortunately, the KDC has a trump on hand: it can easily tell if a
53principal exists in the database. The KDC will use
54@code{krb5_425_conv_principal_ext} to convert principals when handling
55to version 4 requests.
56
57@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues
58@section Converting a version 4 database
59
60If you want to convert an existing version 4 database, the principal
61conversion issue arises too.
62
63If you decide to convert your database once and for all, you will only
64have to do this conversion once. It is also possible to run a version 5
65KDC as a slave to a version 4 KDC. In this case this conversion will
66happen every time the database is propagated.  When doing this
67conversion, there are a few things to look out for. If you have stale
68entries in the database, these entries will not be converted. This might
69be because these principals are not used anymore, or it might be just
70because the principal couldn't be converted.
71
72You might also see problems with a many-to-one mapping of
73principals. For instance, if you are using DNS lookups and you have two
74principals @samp{rcmd.foo} and @samp{rcmd.bar}, where `foo' is a CNAME
75for `bar', the resulting principals will be the same. Since the
76conversion function can't tell which is correct, these conflicts will
77have to be resolved manually.
78
79@subsection Conversion example
80
81Given the following set of hosts and services:
82
83@example
84foo.se          rcmd
85mail.foo.se     rcmd, pop
86ftp.bar.se      rcmd, ftp
87@end example
88
89you have a database that consists of the following principals:
90
91@samp{rcmd.foo}, @samp{rcmd.mail}, @samp{pop.mail}, @samp{rcmd.ftp}, and
92@samp{ftp.ftp}.
93
94lets say you also got these extra principals: @samp{rcmd.gone},
95@samp{rcmd.old-mail}, where @samp{gone.foo.se} was a machine that has
96now passed away, and @samp{old-mail.foo.se} was an old mail machine that
97is now a CNAME for @samp{mail.foo.se}.
98
99When you convert this database you want the following conversions to be
100done:
101@example
102rcmd.foo         host/foo.se
103rcmd.mail        host/mail.foo.se
104pop.mail         pop/mail.foo.se
105rcmd.ftp         host/ftp.bar.se
106ftp.ftp          ftp/ftp.bar.se
107rcmd.gone        @i{removed}
108rcmd.old-mail    @i{removed}
109@end example
110
111A @file{krb5.conf} that does this looks like:
112
113@example
114[realms]
115        FOO.SE = @{
116                v4_name_convert = @{
117                        host = @{
118                                ftp = ftp
119                                pop = pop
120                                rcmd = host
121                        @}
122                @}
123                v4_instance_convert = @{
124                        foo = foo.se
125                        ftp = ftp.bar.se
126                @}
127                default_domain = foo.se
128        @}
129@end example
130
131The @samp{v4_name_convert} section says which names should be considered
132having an instance consisting of a hostname, and it also says how the
133names should be converted (for instance @samp{rcmd} should be converted
134to @samp{host}). The @samp{v4_instance_convert} section says how a
135hostname should be qualified (this is just a hosts-file in
136disguise). Host-instances that aren't covered by
137@samp{v4_instance_convert} are qualified by appending the contents of
138the @samp{default_domain}.
139
140Actually, this example doesn't work. Or rather, it works to well. Since
141it has no way of knowing which hostnames are valid and which are not, it
142will happily convert @samp{rcmd.gone} to @samp{host/gone.foo.se}. This
143isn't a big problem, but if you have run your kerberos realm for a few
144years, chances are big that you have quite a few `junk' principals.
145
146If you don't want this you can remove the @samp{default_domain}
147statement, but then you will have to add entries for @emph{all} your hosts
148in the @samp{v4_instance_convert} section.
149
150Instead of doing this you can use DNS to convert instances. This is not
151a solution without problems, but it is probably easier than adding lots
152of static host entries.
153
154To enable DNS lookup you should turn on @samp{v4_instance_resolve} in
155the @samp{[libdefaults]} section.
156
157@subsection Converting a database
158
159The database conversion is done with @samp{hprop}. You can run this
160command to propagate the database to the machine called
161@samp{slave-server} (which should be running a @samp{hpropd}).
162
163@example
164hprop --source=krb4-db --master-key=/.m slave-server
165@end example
166
167This command can also be to use for converting the v4 database on the
168server:
169
170@example
171hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n
172@end example
173
174