Using Kerberos 4 Services with Kerberos 5

Sites with Kerberos 4 services that must be integrated into a Kerberos 5 realm need to run the Kerberos 5-to-4 ticket translator daemon, which implements the krb524 protocol. Both MIT and Heimdal include support for it. As discussed in Chapter 3, the only constraint on where the krb524 daemon runs is that it must have access to the service keys of the Kerberos 4 services for which it translates tickets.

The MIT Kerberos 5 distribution includes a separate krb524 daemon, krb524d. krb524d supports two modes of operation: master and keytab. Master mode is meant to be run on a KDC in the Kerberos realm, and reads the necessary service keys directly from the Kerberos database. If krb524d cannot be run directly on the KDC, the second mode, keytab, can be used instead. Keytab mode requires that a Kerberos keytab be installed on the machine running krb524d that includes the service keys for all of the Kerberos 4 services in the realm. Since that keytab holds the long-term keys of every service whose tickets are translated, it must be protected as carefully as the KDC database itself.

The command-line arguments to krb524d are summarized below:

# krb524d
Usage: krb524d [-k[eytab]] [-m[aster] [-r realm]] [-nofork]

Either the -k or the -m option is required. The -m option enables master mode, as described above, in which krb524d reads the necessary service keys directly from the Kerberos database on the local disk. The -k option requires an argument, namely, the keytab where the keys are stored for the Kerberos 4 services located ...
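The keytab-mode requirement above, that the keytab carry a service key for every Kerberos 4 service krb524d will translate tickets for, is easy to get wrong, and a missing entry only shows up when a client's translation request fails. The following pre-flight check is an added example, not code from the book or from the MIT distribution. It parses constructed `klist -ke` output for the keytab and reports principals that are absent, as well as principals that are present but have no single-DES key (Kerberos 4 tickets are single-DES, so an entry that holds only a 3DES key is useless to krb524d). The keytab path, the principal names and the list of required services are assumptions made for the example.

```python
import re

# Constructed sample of `klist -ke` output for the keytab a keytab-mode
# krb524d would read. This is not output captured from a real system.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb524.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/bigfoot.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 host/bigfoot.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   2 pop/mail.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   5 ftp/files.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# Hypothetical list of the Kerberos 4 services this krb524d must serve,
# written as their Kerberos 5 principal names.
REQUIRED_SERVICES = [
    "host/bigfoot.example.com@EXAMPLE.COM",
    "pop/mail.example.com@EXAMPLE.COM",
    "ftp/files.example.com@EXAMPLE.COM",
    "imap/mail.example.com@EXAMPLE.COM",
]

# One keytab entry line: "<kvno> <principal> (<enctype description>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_keytab_listing(text):
    """Return {principal: set of enctype descriptions} from `klist -ke` output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:" header, column header, separator, blank
        _kvno, principal, enctype = m.groups()
        keys.setdefault(principal, set()).add(enctype)
    return keys


def is_single_des(enctype):
    """Kerberos 4 only speaks single DES; 3DES entries start with 'Triple DES'."""
    return enctype.startswith("DES cbc mode")


def check_krb524_keytab(text, required):
    """Return (missing, no_des): required principals absent from the keytab,
    and required principals present but without any single-DES key."""
    keys = parse_keytab_listing(text)
    missing = [p for p in required if p not in keys]
    no_des = [
        p for p in required
        if p in keys and not any(is_single_des(e) for e in keys[p])
    ]
    return missing, no_des


if __name__ == "__main__":
    missing, no_des = check_krb524_keytab(SAMPLE_KLIST_OUTPUT, REQUIRED_SERVICES)
    for p in missing:
        print("MISSING from keytab:", p)
    for p in no_des:
        print("NO single-DES key   :", p)
    if not missing and not no_des:
        print("keytab covers every required Kerberos 4 service")
```

On a real host, feed the function the output of `klist -ke` for the keytab krb524d will use; the sample above makes it report imap/mail.example.com as missing and pop/mail.example.com as having only a 3DES key.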
