(heimdal.info.gz) Principal conversion issues
Info Catalog
(heimdal.info.gz) Kerberos 4 issues
(heimdal.info.gz) Kerberos 4 issues
(heimdal.info.gz) Converting a version 4 database
7.1 Principal conversion issues
===============================
First, Kerberos 4 and Kerberos 5 principals are different. A version 4
principal consists of a name, an instance, and a realm. A version 5
principal has one or more components, and a realm (the terms "name" and
"instance" are still used, for the first and second component,
respectively). Also, in some cases the name of a version 4 principal
differs from the first component of the corresponding version 5
principal. One notable example is the "host" type principals, where the
version 4 name is `rcmd' (for "remote command"), and the version 5 name
is `host'. For the class of principals that has a hostname as instance,
there is another major difference: Kerberos 4 uses only the first
component of the hostname, whereas Kerberos 5 uses the fully qualified
hostname.
Because of this it can be hard or impossible to correctly convert a
version 4 principal to a version 5 principal (1). The biggest problem is
to know if the conversion resulted in a valid principal. To give an
example, suppose you want to convert the principal `rcmd.foo'.
The `rcmd' name suggests that the instance is a hostname (even if there
are exceptions to this rule). To correctly convert the instance `foo'
to a hostname, you have to know which host it is referring to. You can
do this either by guessing (from the realm) which domain name to
append, or by keeping a list of possible hostnames. In the
simplest cases you can cover most principals with the first rule. If you
have several domains sharing a single realm this will not usually work.
If the exceptions are few you can probably get by with a lookup table
for the exceptions.
In a complex scenario you will need some kind of host lookup mechanism.
Using DNS for this is tempting, but DNS is error prone, slow and unsafe
(2).
Fortunately, the KDC has a trump on hand: it can easily tell if a
principal exists in the database. The KDC uses
`krb5_425_conv_principal_ext' to convert principals when handling
version 4 requests.
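The conversion strategy described above, written out as an added example. This is not Heimdal's code and does not call `krb5_425_conv_principal_ext'; it is a stand-alone illustration with hypothetical names (`krb4_to_krb5_principal', `principal_exists'). The `rcmd' to `host' renaming is from the text; the exception table, the rule that the DNS domain is the lower-cased realm, and the in-memory stand-in for the KDC database are constructed assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PRINC_MAX 256
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Version 4 names whose version 5 first component is spelled differently.
 * Only the "rcmd" -> "host" case mentioned in the text is listed. */
static const struct { const char *v4; const char *v5; } name_map[] = {
    { "rcmd", "host" },
};

/* Constructed exception table: short instances whose fully qualified
 * hostname cannot be derived from the realm (assumption). */
static const struct { const char *instance; const char *fqdn; } host_exceptions[] = {
    { "mail", "mail.corp.example.org" },
};

/* Constructed stand-in for the KDC database (assumption). */
static const char *kdc_db[] = {
    "host/foo.example.com@EXAMPLE.COM",
    "host/mail.corp.example.org@EXAMPLE.COM",
    "alice@EXAMPLE.COM",
};

/* The KDC's trump card: does this principal actually exist? */
int principal_exists(const char *princ)
{
    for (size_t i = 0; i < NELEM(kdc_db); i++)
        if (strcmp(kdc_db[i], princ) == 0)
            return 1;
    return 0;
}

/* Resolve a short v4 host instance to an FQDN: exception table first,
 * otherwise append the domain guessed from the realm (lower-cased realm). */
static void instance_to_fqdn(const char *inst, const char *realm,
                             char *out, size_t outlen)
{
    for (size_t i = 0; i < NELEM(host_exceptions); i++) {
        if (strcmp(host_exceptions[i].instance, inst) == 0) {
            snprintf(out, outlen, "%s", host_exceptions[i].fqdn);
            return;
        }
    }
    snprintf(out, outlen, "%s.", inst);
    size_t n = strlen(out);
    for (size_t i = 0; realm[i] != '\0' && n + 1 < outlen; i++, n++)
        out[n] = (char)tolower((unsigned char)realm[i]);
    out[n] = '\0';
}

/* Convert "name.instance@REALM" (v4) to "name/instance@REALM" (v5).
 * Returns -1 if the v4 string cannot be parsed, 1 if the result is
 * well-formed but unknown to the KDC, and 0 if it exists in the database. */
int krb4_to_krb5_principal(const char *v4, char *out, size_t outlen)
{
    const char *at = strchr(v4, '@');
    if (at == NULL || at == v4 || at[1] == '\0')
        return -1;

    char name[PRINC_MAX], inst[PRINC_MAX] = "", fqdn[PRINC_MAX];
    const char *realm = at + 1;
    const char *dot = memchr(v4, '.', (size_t)(at - v4));
    size_t namelen = dot ? (size_t)(dot - v4) : (size_t)(at - v4);
    if (namelen == 0 || namelen >= sizeof(name))
        return -1;
    memcpy(name, v4, namelen);
    name[namelen] = '\0';
    if (dot) {
        size_t instlen = (size_t)(at - dot - 1);
        if (instlen >= sizeof(inst))
            return -1;
        memcpy(inst, dot + 1, instlen);
        inst[instlen] = '\0';
    }

    /* Step 1: rename the first component where v4 and v5 spell it differently. */
    const char *v5name = name;
    for (size_t i = 0; i < NELEM(name_map); i++)
        if (strcmp(name_map[i].v4, name) == 0)
            v5name = name_map[i].v5;

    /* Step 2: host-type principals carry a short hostname in v4; v5 needs the FQDN. */
    const char *v5inst = inst;
    if (strcmp(v5name, "host") == 0 && inst[0] != '\0' && strchr(inst, '.') == NULL) {
        instance_to_fqdn(inst, realm, fqdn, sizeof(fqdn));
        v5inst = fqdn;
    }

    /* Step 3: assemble the v5 form; an empty instance yields a single component. */
    if (v5inst[0] != '\0')
        snprintf(out, outlen, "%s/%s@%s", v5name, v5inst, realm);
    else
        snprintf(out, outlen, "%s@%s", v5name, realm);

    /* Step 4: the only reliable validity check is the database itself. */
    return principal_exists(out) ? 0 : 1;
}

int main(void)
{
    const char *samples[] = { "rcmd.foo@EXAMPLE.COM", "rcmd.mail@EXAMPLE.COM",
                              "rcmd.bar@EXAMPLE.COM", "alice@EXAMPLE.COM" };
    char v5[PRINC_MAX];
    for (size_t i = 0; i < NELEM(samples); i++) {
        int rc = krb4_to_krb5_principal(samples[i], v5, sizeof(v5));
        printf("%-24s -> %-40s (%s)\n", samples[i], v5,
               rc == 0 ? "in database" : rc == 1 ? "unknown to KDC" : "parse error");
    }
    return 0;
}
```

The return value distinguishes "converted but unknown" from "exists", which is the point of the text: a conversion that is syntactically correct can still name a principal the KDC has never heard of, and only the database lookup settles that.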
---------- Footnotes ----------
(1) the other way is not always trivial either, but usually easier
(2) at least until secure DNS is commonly available