MAC OS 10.3 kerberos error

Philip Swanzy pss127 at psu.edu
Wed Jan 28 16:14:12 EST 2004


Hello,

I am working on setting up an eMAC running OS 10.3 and using its
built-in Kerberos 5 to authenticate through our server dce.psu.edu. I am
receiving an incorrect net address error when I try to grab a ticket from
our server from the MAC. Now our server is only Kerberos 4. I have read
that kerb 4 servers cannot talk to kerb 5 clients. Is there any way I can
modify the MAC OS Kerberos 5 to talk to the kerb 4 server so I can get a
ticket from it, or is this an issue I will have to address with the server
manager and his group, or am I just doing things wrong? I have an add-on tool
under my MAC utilities to help me grab a ticket when I want to and change a
few functions of the Kerberos. This I obtained from The University of Michigan.


Thank you for any help you can lend me.

Philip Swanzy
End User Computer Support Specialist
Penn State University
Hazleton Campus
(570)450-3139
pss127 at psu.edu

From: Russ Allbery <rra at stanford.edu>
Date: Wed, 28 Jan 2004 19:20:07 -0800
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

cyberp70 <cyberp70 at yahoo.com> writes:

> We currently use Kerberos for authentication for almost everything on
> our network.  Some people here are advocating switching to using LDAP
> for authentication (we already have a pretty well developed LDAP
> infrastructure).  This would of course require everyone to change their
> password as well the trauma of recoding applications that currently use
> Kerberos and haven't been converted to using PAM.

LDAP "authentication" is actually nothing more or less than using your
LDAP directory servers as a giant distributed /etc/shadow file.  You can
put the password checking in various places, but in the end you're
basically taking a step backwards towards something more like the
historical Unix authentication mechanism.

This means you lose all of the benefits of Kerberos (reusable credentials,
passwords never crossing the network encrypted or not, ticket forwarding,
etc.) in favor of something that's basically secure NIS.  If secure NIS is
something you're happy with, hey, great, but to me it feels like 1980s
security technology, long-since obsolete.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
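
Added example, not part of the message above: a minimal BER encoding of an LDAP simple bind (RFC 4511) and the server-side check, showing that the password itself travels in the request and is verified against a stored hash, which is the "/etc/shadow" model the reply describes. The DN, salt, password and the salted SHA-256 store are constructed stand-ins, not values from the thread or any real directory.

```python
import hashlib
import hmac

def tlv(tag, value):
    """BER tag-length-value with short or long definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def ber_int(n):
    """Non-negative INTEGER (the extra byte keeps the sign bit clear)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def simple_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def server_check(pdu, shadow):
    """Server side: take the password out of the request, hash, compare."""
    _, message, _ = read_tlv(pdu, 0)
    _, _, pos = read_tlv(message, 0)            # messageID
    tag, bind, _ = read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(bind, 0)               # version
    _, dn, pos = read_tlv(bind, pos)
    tag, secret, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind")
    salt, stored = shadow[dn.decode()]
    return hmac.compare_digest(hashlib.sha256(salt + secret).digest(), stored)

# Constructed sample entry: DN, salt and password are made up.
DN, SALT, PASSWORD = "uid=alice,ou=people,dc=example,dc=org", b"\x01\x02\x03\x04", "correct horse"
SHADOW = {DN: (SALT, hashlib.sha256(SALT + PASSWORD.encode()).digest())}
PDU = simple_bind_request(1, DN, PASSWORD)
```

Because the `[0]` element carries the password bytes unchanged, a simple bind depends entirely on the transport (TLS) for confidentiality, and the directory server sees the password on every login.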

