(heimdal.info) kaserver
Info Catalog
(heimdal.info) Converting a version 4 database
(heimdal.info) Kerberos 4 issues
kaserver
========
kaserver emulation
------------------
The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
server with pre-authentication using Rx as the on-wire protocol. The kdc
contains a minimalistic Rx implementation.
There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
Granting), and KAM (Maintenance). The KAA interface and KAT interface
both passes over DES encrypted data-blobs (just like the
Kerberos-protocol) and thus do not need any other protection. The KAM
interface uses `rxkad' (Kerberos authentication layer for Rx) for
security and data protection, and is used for example for changing
passwords. This part is not implemented in the kdc.
Another difference between the ka-protocol and the Kerberos 4 protocol
is that the pass-phrase is salted with the cellname in the `string to
key' function in the ka-protocol, while in the Kerberos 4 protocol there
is no salting of the password at all. To make sure AFS-compatible keys
are added to each principals when they are created or their password are
changed, `afs3-salt' should be added to `[kadmin]default_keys'.
Transarc AFS Windows client
---------------------------
The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
does not need a kaserver. The Windows client assumes that the Kerberos
server is on the same machine as the AFS-database server. If you do not
like to do that you can add a small program that runs on the database
servers that forward all kerberos requests to the real kerberos server.
A program that does this is `krb-forward'
(<ftp://ftp.stacken.kth.se/pub/projekts/krb-forward>).
Info Catalog
(heimdal.info) Converting a version 4 database
(heimdal.info) Kerberos 4 issues
automatically generated byinfo2html