1.8 and 1.4 compatibility

Greg Hudson ghudson at MIT.EDU
Fri Oct 11 10:41:15 EDT 2013


On 10/11/2013 04:01 AM, Tom_Krauss wrote:
> It is a fix condition that the KDCs will run MIT 1.4 since the OS vendor's
> release must be used.
> The principal DB will be in LDAP.

LDAP KDB support was added in 1.6, so unless your OS vendor backported 
support for it to 1.4 (which would not have been easy), I don't see how 
this is possible.

> I am considering to use MIT 1.8 on the admin server since I would like to
> have certain features
> from the beginning (multirealm kadmind, norandkey, account lockout,
> masterkey rollover).

We still don't have a multirealm kadmind.  Account lockout will not work 
unless the KDCs are all running at least 1.8 (and preferably at 
least 1.9, which adds disable_last_success and propagation of modprinc 
-unlock).

> - is the information in the database written by 1.8 fully downward
> compatible to be read by 1.4 krb5kdc daemons ?

I would expect so.  We generally expect KDCs to be upgraded in stages, 
so we worry about downward compatibility of KDB information when we add 
new features.  But we don't have great test coverage for this kind of 
scenario, so it's possible there might be mistakes.

> - how about kadmin used from clients ?

We have tried to maintain wire compatibility across all kadmin and 
kadmind versions back to 1.0.

> - strictly from a Kerberos point of view and leaving the OS aside - is this
> an acceptable setup to be run for a while or only advisable for a shorter
> transition phase ?

The LDAP KDB module has some serious scalability issues which were fixed 
in 1.9.  Each time a principal is fetched, its policy is also fetched, 
and each time a policy is fetched, all principals are scanned to set a 
reference count.  So if you use password policy objects at all, the KDC 
and kadmind will bog down when you have a lot of principals.

There have also been a handful of KDC vulnerabilities which affect 1.4 
and 1.8, which were discovered after those releases hit their end of 
support lifetime from our perspective.  Your OS may have backported the 
fixes.  http://web.mit.edu/kerberos/advisories/ has a list of advisories 
if you want to check.  Some of them affect only newer releases, but not 
all of them.

> I tested a bit with it and except for 1.4 kadmin.local (which segfaults
> reading a principal written from 1.8) it seems to work fine.

I'm a little curious what causes this seg fault, but it's unlikely that 
we would fix a bug in 1.4, so it's probably not important.
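The scalability problem described above (every principal fetch pulls in its policy, and every policy fetch walks all principals to compute a reference count) is easiest to see with a counter. The following is an added toy model, not MIT krb5 code and not the LDAP KDB module: `ToyKdb`, its methods and the `cost_of_full_pass` helper are all constructed for illustration, and the "no refcount at fetch time" variant is only one way to avoid the scan, not a claim about how 1.9 fixed it.

```python
"""Constructed model of the policy reference-count scan described in the
reply.  Nothing here is krb5 code; it only counts how many principal
entries a back end would have to read to serve a workload."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Principal:
    name: str
    policy: Optional[str] = None  # name of the password policy, if any


@dataclass
class ToyKdb:
    """In-memory stand-in for a KDB back end (hypothetical)."""

    principals: Dict[str, Principal] = field(default_factory=dict)
    policies: Dict[str, dict] = field(default_factory=dict)
    scanned: int = 0  # total principal entries read so far

    def add_principal(self, name: str, policy: Optional[str] = None) -> None:
        self.principals[name] = Principal(name, policy)

    def add_policy(self, name: str) -> None:
        self.policies[name] = {"name": name}

    def get_policy_with_scan(self, polname: str) -> dict:
        # Behaviour the reply describes: derive the reference count by
        # scanning every principal on each policy fetch.
        refs = 0
        for p in self.principals.values():
            self.scanned += 1
            if p.policy == polname:
                refs += 1
        return {"name": polname, "refcount": refs}

    def get_principal_with_scan(self, name: str) -> Tuple[Principal, Optional[dict]]:
        # Fetching a principal also fetches its policy, which triggers the scan.
        self.scanned += 1
        p = self.principals[name]
        policy = self.get_policy_with_scan(p.policy) if p.policy else None
        return p, policy

    def get_principal_no_refcount(self, name: str) -> Tuple[Principal, Optional[dict]]:
        # Illustrative alternative: return the policy without computing a
        # reference count at fetch time, so the cost stays constant.
        self.scanned += 1
        p = self.principals[name]
        policy = self.policies.get(p.policy) if p.policy else None
        return p, policy


def cost_of_full_pass(n: int, with_policy: bool = True, scan: bool = True) -> int:
    """Principal reads needed to fetch each of n principals once.

    with_policy=False models a realm that uses no policy objects at all;
    scan=False models a back end that does not count references on fetch.
    """
    db = ToyKdb()
    db.add_policy("default")
    for i in range(n):
        # Constructed principal names; the realm is a placeholder.
        db.add_principal(f"user{i}@EXAMPLE.COM", "default" if with_policy else None)
    fetch = db.get_principal_with_scan if scan else db.get_principal_no_refcount
    for name in list(db.principals):
        fetch(name)
    return db.scanned


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, cost_of_full_pass(n), cost_of_full_pass(n, with_policy=False),
              cost_of_full_pass(n, scan=False))
```

With policies attached and the scan in place, serving each of `n` principals once costs `n * (n + 1)` reads, so a KDC handling a realm of ten thousand principals reads on the order of a hundred million entries for one pass; without policy objects, or without the per-fetch scan, the same pass costs `n` reads. That is the "bog down" the reply refers to, and the `with_policy=False` case is why a realm that never assigns policies does not notice it.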
