1.8 and 1.4 compatibility
Greg Hudson
ghudson at MIT.EDU
Fri Oct 11 10:41:15 EDT 2013
On 10/11/2013 04:01 AM, Tom_Krauss wrote:
> It is a fix condition that the KDCs will run MIT 1.4 since the OS vendor's
> release must be used.
> The principal DB will be in LDAP.
LDAP KDB support was added in 1.6, so unless your OS vendor backported
support for it to 1.4 (which would not have been easy), I don't see how
this is possible.
> I am considering using MIT 1.8 on the admin server since I would like to
> have certain features
> from the beginning (multirealm kadmind, norandkey, account lockout,
> masterkey rollover).
We still don't have a multirealm kadmind. Account lockout will not work
unless the KDCs are all running at least 1.8 (and preferably at
least 1.9, which adds disable_last_success and propagation of modprinc
-unlock).
> - is the information in the database written by 1.8 fully downward
> compatible to be read by 1.4 krb5kdc daemons ?
I would expect so. We generally expect KDCs to be upgraded in stages,
so we worry about downward compatibility of KDB information when we add
new features. But we don't have great test coverage for this kind of
scenario, so it's possible there might be mistakes.
> - how about kadmin used from clients ?
We have tried to maintain wire compatibility across all kadmin and
kadmind versions back to 1.0.
> - strictly from a Kerberos point of view and leaving the OS aside - is this
> an acceptable setup to be run for a while or only advisable for a shorter
> transition phase ?
The LDAP KDB module has some serious scalability issues which were fixed
in 1.9. Each time a principal is fetched, its policy is also fetched,
and each time a policy is fetched, all principals are scanned to set a
reference count. So if you use password policy objects at all, the KDC
and kadmind will bog down when you have a lot of principals.
There have also been a handful of KDC vulnerabilities which affect 1.4
and 1.8, which were discovered after those releases hit their end of
support lifetime from our perspective. Your OS may have backported the
fixes. http://web.mit.edu/kerberos/advisories/ has a list of advisories
if you want to check. Some of them affect only newer releases, but not
all of them.
> I tested a bit with it and except for 1.4 kadmin.local (which segfaults
> reading a principal written from 1.8) it seems to work fine.
I'm a little curious what causes this seg fault, but it's unlikely that
we would fix a bug in 1.4, so it's probably not important.
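The scalability problem described above for the pre-1.9 LDAP KDB module (every principal fetch pulls its policy, and every policy fetch scans all principals to compute a reference count) is easiest to appreciate as a read-count model. The following is an added illustration, not code from the krb5 LDAP KDB module or from anyone on this thread; the `LdapKdbModel` class, its method names and the "one read per object" cost accounting are assumptions made for the example, and the principal database it builds is constructed inline.

```python
"""Toy cost model of the pre-1.9 LDAP KDB policy reference-count scan.

This is an added example, not the krb5 LDAP KDB code. It charges one
"read" per LDAP object touched and compares the behaviour the thread
describes for the old module (policy fetch scans every principal) with
the fixed behaviour (policy fetch reads only the policy object).
"""
from dataclasses import dataclass, field


@dataclass
class LdapKdbModel:
    # principal name -> name of its password policy (None if no policy)
    principals: dict = field(default_factory=dict)
    # cumulative number of LDAP objects read (hypothetical cost metric)
    reads: int = 0

    def _fetch_policy(self, policy: str, fixed: bool) -> int:
        """Read a policy object. In the old model, also scan all principals
        to count how many reference the policy (the scalability bug)."""
        self.reads += 1  # the policy object itself
        if fixed:
            return 0  # fixed module: no scan, refcount not recomputed here
        refcount = 0
        for pol in self.principals.values():
            self.reads += 1  # old module: touches every principal entry
            if pol == policy:
                refcount += 1
        return refcount

    def fetch_principal(self, name: str, fixed: bool) -> None:
        """Read a principal; if it has a policy, read that policy too."""
        self.reads += 1  # the principal entry
        policy = self.principals[name]
        if policy is not None:
            self._fetch_policy(policy, fixed)


def build_db(n_principals: int, policy: str = "default") -> LdapKdbModel:
    """Constructed database: n principals that all share one policy."""
    return LdapKdbModel(
        principals={f"user{i}@EXAMPLE.COM": policy for i in range(n_principals)}
    )


def reads_per_fetch(n_principals: int, fixed: bool) -> int:
    """Reads incurred by a single principal lookup (e.g. one AS-REQ)."""
    db = build_db(n_principals)
    db.fetch_principal("user0@EXAMPLE.COM", fixed)
    return db.reads


def reads_for_full_pass(n_principals: int, fixed: bool) -> int:
    """Reads incurred by fetching every principal once (e.g. a kadmin dump)."""
    db = build_db(n_principals)
    for name in list(db.principals):
        db.fetch_principal(name, fixed)
    return db.reads


if __name__ == "__main__":
    for n in (100, 1000, 10000):
        print(f"{n:>6} principals: one fetch old={reads_per_fetch(n, False)} "
              f"fixed={reads_per_fetch(n, True)}; full pass "
              f"old={reads_for_full_pass(n, False)} "
              f"fixed={reads_for_full_pass(n, True)}")
```

A single lookup in the old model costs `n + 2` object reads instead of 2, and a pass over all principals grows as `n * (n + 2)` rather than `2n`, which is the "bog down" effect as the principal count climbs. Principals with no policy attached are unaffected in either model, which is why the thread notes the problem only bites if password policy objects are in use.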