krb5 and krb524 without krb4-compat

Jeffrey Altman jaltman at MIT.EDU
Fri Apr 15 19:25:04 EDT 2005

I ran into an interesting situation at a client today that relies on a
modified krb524d which performs client principal name mapping as part of
their AFS infrastructure.   When discussing with them a world in which
we do not include krb4-compat as part of krb5, the question was raised?

	* are we still going to be able to use krb524d as part of our
          afs infrastructure?

well, the answer was "I'm not sure."  Currently, the
krb5_524_convert_creds() function is disabled when krb4 support is
disabled.  This is going to be a significant hardship for existing
deployments.  The krb524d can return an krb4 wrapped krb5 service
ticket for the purpose of constructing afs tokens.

Is it possible for us to maintain just enough krb4 support to allow
the processing of these special krb524 requests without providing a
public krb4 API?

If so, it will make transitions easier for administrators.  If not,
a 64-bit Windows release without krb4 support is going to be a challenge
for some deployments.

Jeffrey Altman

More information about the krbdev mailing list