

7.3 kaserver

7.3.1 kaserver emulation

The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 server with pre-authentication using Rx as the on-wire protocol. The kdc contains a minimalistic Rx implementation.

There are three parts of the kaserver: KAA (Authentication), KAT (Ticket Granting), and KAM (Maintenance). The KAA and KAT interfaces both pass DES-encrypted data blobs (just like the Kerberos protocol) and thus need no other protection. The KAM interface uses rxkad (the Kerberos authentication layer for Rx) for security and data protection, and is used, for example, for changing passwords. This part is not implemented in the kdc.

Another difference between the ka protocol and the Kerberos 4 protocol is that in the ka protocol the pass-phrase is salted with the cell name in the string-to-key function, while the Kerberos 4 protocol does not salt the password at all. To make sure AFS-compatible keys are added to each principal when it is created or its password is changed, ‘afs3-salt’ should be added to ‘[kadmin]default_keys’.
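As an added illustration (not a fragment from the Heimdal manual itself), a krb5.conf fragment that turns on the emulation described above and makes kadmin generate the AFS-salted DES key next to the normally salted keys. The option name ‘enable-kaserver’ is taken from Heimdal's kdc(8) and the ‘etype:salt-type’ form of ‘default_keys’ from krb5.conf(5); which enctypes you list besides ‘des:afs3-salt’ is a deployment choice and is assumed here:

```ini
[kdc]
	# kaserver emulation is off by default; this enables it (see kdc(8) for your version)
	enable-kaserver = yes

[kadmin]
	# default_keys replaces the built-in key list, so keep your regular enctypes
	# (des3 is assumed here) and add one DES key salted the AFS way.
	# afs3-salt derives the salt from the lowercased realm; if the cell name
	# differs, give it as a third field, e.g. des:afs3-salt:my.cell.name
	default_keys = des3:pw-salt des:pw-salt des:afs3-salt
```

Existing principals do not get the new key until their password is next changed, so check with ‘kadmin get’ that the afs3-salted DES key is actually present before pointing AFS clients at the kdc.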

For more about AFS, see the AFS section.

7.3.2 Transarc AFS Windows client

The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus does not need a kaserver. The Windows client assumes that the Kerberos server runs on the same machine as the AFS database server. If you do not want to do that, you can run a small program on the database servers that forwards all Kerberos requests to the real Kerberos server. A program that does this is krb-forward (ftp://ftp.stacken.kth.se/pub/projekts/krb-forward).
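The forwarding program described above, as an added example in Python that is neither krb-forward's code nor part of the Heimdal manual: a UDP relay that listens on the database server, passes anything that looks like a Kerberos 4 message on to the real KDC, and sends the KDC's reply back to the client that asked. The port (750/udp, the IANA kerberos-iv port), the idle timeout, the example KDC host name and the message-type sanity check are all assumptions of this example; the check only keeps the relay from bouncing arbitrary UDP, it adds no authentication, since Kerberos 4 KDC requests are not authenticated at this layer anyway.

```python
import select
import socket
import time

KRB4_PORT = 750            # IANA "kerberos-iv"; assumed, the manual names no port
KRB4_PROT_VERSION = 4      # first byte of every Kerberos 4 message
MAX_DATAGRAM = 65535
IDLE_SECONDS = 30          # forget clients that have been silent this long


def looks_like_krb4(datagram: bytes) -> bool:
    """Cheap sanity check so the relay is not an open UDP reflector.

    A Kerberos 4 message starts with the protocol version byte (4) and a
    type byte; the low bit of the type byte carries the sender's byte
    order, the remaining bits the message type (1..10 are defined).
    """
    if len(datagram) < 2 or datagram[0] != KRB4_PROT_VERSION:
        return False
    return 1 <= (datagram[1] >> 1) <= 10


class Krb4Relay:
    """Forward Kerberos 4 UDP requests to a real KDC and relay replies back.

    One connected upstream socket per client address keeps reply routing
    trivial: whatever the KDC sends on that socket belongs to that client.
    """

    def __init__(self, listen_addr, kdc_addr):
        self.kdc_addr = kdc_addr
        self.listen_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listen_sock.bind(listen_addr)
        self.upstream = {}      # upstream socket -> (client_addr, last_seen)
        self.stats = {"requests": 0, "replies": 0, "dropped": 0}

    def _upstream_for(self, client_addr):
        # Linear scan is fine for the handful of clients a DB server sees.
        for sock, (addr, _) in self.upstream.items():
            if addr == client_addr:
                self.upstream[sock] = (addr, time.monotonic())
                return sock
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.connect(self.kdc_addr)   # connected: only the KDC can answer on it
        self.upstream[sock] = (client_addr, time.monotonic())
        return sock

    def _drop_upstream(self, sock):
        del self.upstream[sock]
        sock.close()

    def _expire(self):
        now = time.monotonic()
        for sock in [s for s, (_, seen) in self.upstream.items()
                     if now - seen > IDLE_SECONDS]:
            self._drop_upstream(sock)

    def serve(self, max_events=None, poll_seconds=1.0):
        """Relay loop. max_events bounds the number of datagrams handled (for tests)."""
        handled = 0
        while max_events is None or handled < max_events:
            readable, _, _ = select.select(
                [self.listen_sock, *self.upstream], [], [], poll_seconds)
            for sock in readable:
                handled += 1
                if sock is self.listen_sock:
                    data, client_addr = sock.recvfrom(MAX_DATAGRAM)
                    if not looks_like_krb4(data):
                        self.stats["dropped"] += 1
                        continue
                    self._upstream_for(client_addr).send(data)
                    self.stats["requests"] += 1
                else:
                    try:
                        data = sock.recv(MAX_DATAGRAM)
                    except OSError:           # ICMP unreachable from the KDC side
                        self._drop_upstream(sock)
                        continue
                    client_addr, _ = self.upstream[sock]
                    self.listen_sock.sendto(data, client_addr)
                    self.stats["replies"] += 1
            self._expire()
        return self.stats


if __name__ == "__main__":
    import sys
    # Binding port 750 needs root; the KDC host name is an assumed example.
    kdc_host = sys.argv[1] if len(sys.argv) > 1 else "kdc.example.org"
    Krb4Relay(("0.0.0.0", KRB4_PORT), (kdc_host, KRB4_PORT)).serve()
```

Run it on each AFS database server as ‘python3 relay.py real-kdc-host’; since the Windows client only ever talks to the database servers' addresses, nothing on the client side needs to change. The relay keeps no per-request state beyond the client address, so a reply that arrives after the idle timeout is simply lost and the client retries, which is the same behaviour it would see from a dropped datagram.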