krb5_set_password from 1.10alpha1 fails with 1.6 server

Russ Allbery rra at stanford.edu
Thu Dec 22 02:47:38 EST 2011


Russ Allbery <rra at stanford.edu> writes:

> Is it expected that the krb5_set_password call from a 1.10-alpha1 client
> library would fail when going against a 1.6.4-beta1 kadmind?  (The
> former being the current Debian unstable version, and the latter being
> the version released with lenny.)  The result is the error:

> Wrong protocol version: Request contained unknown protocol version number 65408

> I was pretty sure that this used to work with an older client library,
> although I could be wrong, since I normally test against a Heimdal KDC.
> Changing the API to krb5_change_password causes it to work.

> If this is expected, since this is a new protocol, does that mean that a
> Kerberos PAM module should really be using the krb5_change_password API,
> not the krb5_set_password API, for maximum KDC compatibility?

I think I was mistaken and this never worked.  Looking at the source code,
the APIs are bound directly to the wire protocols, and I'm guessing 1.6.4
is just too old to have implemented the set password protocol.

Heimdal has deprecated krb5_change_password and its krb5_set_password
tries both protocols in turn.  I try to avoid using functions deprecated
on Heimdal, but in this case it looks like the APIs are indistinguishable
to Autoconf but one should use krb5_change_password on MIT and
krb5_set_password on Heimdal for maximum compatibility.  Sigh.  I was
really trying to get rid of all the implementation-specific #ifdefs.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
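
Added example, not part of the original message and not MIT or Heimdal code: the 65408 in the error above is 0xff80, the version number RFC 3244 assigns to the set-password protocol, while the original change-password protocol uses version 1. The sketch below parses the request header (message length, protocol version, AP-REQ length) the way a server with or without set-password support would; the names kpw_check_header and supports_set and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KPASSWD_VERS_CHANGE 0x0001u /* original change-password protocol */
#define KPASSWD_VERS_SET    0xff80u /* RFC 3244 set-password protocol (65408) */

enum kpw_result { KPW_OK, KPW_MALFORMED, KPW_BAD_VERSION };

/* Read a big-endian 16-bit field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical server-side check of the 6-byte request header.
 * supports_set == 0 models a server that only knows version 1. */
enum kpw_result kpw_check_header(const uint8_t *msg, size_t len,
                                 int supports_set, uint16_t *version)
{
    if (len < 6)
        return KPW_MALFORMED;              /* header itself is truncated */
    uint16_t msg_len = be16(msg);          /* total length, header included */
    uint16_t ap_len  = be16(msg + 4);      /* length of the AP-REQ that follows */
    *version = be16(msg + 2);
    if (msg_len != len || (size_t)ap_len + 6 > len)
        return KPW_MALFORMED;              /* lengths disagree with the datagram */
    if (*version == KPASSWD_VERS_CHANGE)
        return KPW_OK;
    if (*version == KPASSWD_VERS_SET && supports_set)
        return KPW_OK;
    return KPW_BAD_VERSION;                /* "unknown protocol version number" */
}

/* Constructed samples: 4 filler bytes stand in for the AP-REQ, 4 for the KRB-PRIV. */
static const uint8_t sample_set[] = { 0x00, 0x0e, 0xff, 0x80, 0x00, 0x04,
                                      0xaa, 0xaa, 0xaa, 0xaa, 0xbb, 0xbb, 0xbb, 0xbb };
static const uint8_t sample_change[] = { 0x00, 0x0e, 0x00, 0x01, 0x00, 0x04,
                                         0xaa, 0xaa, 0xaa, 0xaa, 0xbb, 0xbb, 0xbb, 0xbb };

int main(void)
{
    uint16_t v = 0;
    enum kpw_result r = kpw_check_header(sample_set, sizeof sample_set, 0, &v);
    printf("set-password request, old server: result=%d version=%u\n", r, (unsigned)v);
    r = kpw_check_header(sample_change, sizeof sample_change, 0, &v);
    printf("change-password request, old server: result=%d version=%u\n", r, (unsigned)v);
    return 0;
}
```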

