The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 server with pre-authentication using Rx as the on-wire protocol. The kdc contains a minimalistic Rx implementation.
There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
Granting), and KAM (Maintenance). The KAA interface and KAT interface
both passes over DES encrypted data-blobs (just like the
Kerberos-protocol) and thus do not need any other protection. The KAM
interface uses rxkad
(Kerberos authentication layer for Rx) for
security and data protection, and is used for example for changing
passwords. This part is not implemented in the kdc.
Another difference between the ka-protocol and the Kerberos 4 protocol
is that the pass-phrase is salted with the cellname in the string to
key
function in the ka-protocol, while in the Kerberos 4 protocol there
is no salting of the password at all. To make sure AFS-compatible keys
are added to each principals when they are created or their password are
changed, ‘afs3-salt’ should be added to
‘[kadmin]default_keys’.
For more about AFS, see the section See AFS.
The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
does not need a kaserver. The Windows client assumes that the Kerberos
server is on the same machine as the AFS-database server. If you do not
like to do that you can add a small program that runs on the database
servers that forward all kerberos requests to the real kerberos
server. A program that does this is krb-forward
(ftp://ftp.stacken.kth.se/pub/projekts/krb-forward).