\input texinfo @c -*-texinfo-*-
@c Note: the above texinfo file must include the "doubleleftarrow"
@c definitions added by jcb.
@setfilename krb425.info
@settitle Upgrading to Kerberos V5 from Kerberos V4
@c @setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper

@direntry
* krb425: (krb425).            Upgrading to Kerberos V5 from V4
@end direntry

@include definitions.texinfo
@set UPDATED May 22, 2003
@finalout @c don't print black warning boxes

@titlepage
@title Upgrading to @value{PRODUCT} from Kerberos V4
@subtitle Release: @value{RELEASE}
@subtitle Document Edition: @value{EDITION}
@subtitle Last updated: @value{UPDATED}
@author @value{COMPANY}
@vskip 0pt plus 1filll
@end titlepage
@node Top, Copyright, (dir), (dir)

This document describes how to convert to @value{PRODUCT} from Kerberos V4.

@menu
* Copyright::
* Introduction::
* Configuration Files::
* Upgrading KDCs::
* Upgrading Application Servers::
* Upgrading Client machines::
* Firewall Considerations::
@end menu
@node Copyright, Introduction, Top, Top
@include copyright.texinfo

@node Introduction, Configuration Files, Copyright, Top
@chapter Introduction

As with most software upgrades, @value{PRODUCT} is generally backward
compatible but not necessarily forward compatible. The @value{PRODUCT}
daemons can interoperate with Kerberos V4 clients, but most of the
Kerberos V4 daemons cannot interoperate with Kerberos V5 clients. This
suggests the following strategy for performing the upgrade:

@enumerate
@item
@strong{Upgrade your KDCs.} This must be done first, so that
interactions with the Kerberos database, whether by Kerberos V5 clients
or by Kerberos V4 clients, will succeed.

@item
@strong{Upgrade your servers.} This must be done before upgrading
client machines, so that the servers are able to respond to both
Kerberos V5 and Kerberos V4 queries.

@item
@strong{Upgrade your client machines.} Do this only after your KDCs and
application servers are upgraded, so that all of your Kerberos V5
clients will be talking to Kerberos V5 daemons.
@end enumerate
@node Configuration Files, Upgrading KDCs, Introduction, Top
@chapter Configuration Files

The Kerberos @code{krb5.conf} and KDC @code{kdc.conf} configuration
files allow additional tags for Kerberos V4 compatibility.

@menu
* krb5.conf::
* kdc.conf::
@end menu

@node krb5.conf, kdc.conf, Configuration Files, Configuration Files
@section krb5.conf

If you used the defaults, both when you installed Kerberos V4 and when
you installed @value{PRODUCT}, you should not need to include any of
these tags. However, some or all of them may be necessary for
nonstandard installations.

@menu
* libdefaults::
* realms (krb5.conf)::
* AFS and the Appdefaults Section::
@end menu
@node libdefaults, realms (krb5.conf), krb5.conf, krb5.conf
@subsection [libdefaults]

In the [libdefaults] section, the following additional tags may be used:

@table @code
@item krb4_srvtab
Specifies the location of the Kerberos V4 srvtab file. Default is
@value{DefaultKrb4Srvtab}.

@item krb4_config
Specifies the location of the Kerberos V4 configuration file. Default
is @value{DefaultKrb4Config}.

@item krb4_realms
Specifies the location of the Kerberos V4 domain/realm translation
file. Default is @value{DefaultKrb4Realms}.
@end table
@node realms (krb5.conf), AFS and the Appdefaults Section, libdefaults, krb5.conf
@subsection [realms]

In the [realms] section, the following Kerberos V4 tags may be used:

@table @code
@item default_domain
Identifies the default domain for hosts in this realm. This is needed
for translating V4 principal names (which do not contain a domain name)
to V5 principal names. The default is your Kerberos realm name,
converted to lower case.

@item v4_instance_convert
This subsection allows the administrator to configure exceptions to the
default_domain mapping rule. It contains V4 instances (tag name) which
should be translated to some specific hostname (tag value) as the second
component in a Kerberos V5 principal name.

@item v4_realm
This relation allows the administrator to configure a different
realm name to be used when converting V5 principals to V4
ones. This should only be used when running separate V4 and V5
realms, with some external means of password synchronization.
@end table
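The two translation directions these tags control, as an added illustration that is not part of the Kerberos distribution: the krb5.conf fragment, realm, domain and hostnames are constructed, and only the three rules stated above (default_domain, v4_instance_convert, v4_realm) are applied; the real library performs further conversions of the name component that are left out here.

```python
# Added illustration (not MIT Kerberos code): only the default_domain, v4_instance_convert and v4_realm rules are applied.
KRB5_CONF = """[realms]
    ATHENA.MIT.EDU = {
        default_domain = athena.mit.edu
        v4_realm = ATHENA-V4.MIT.EDU
        v4_instance_convert = {
            mail = mail-server.mit.edu
        }
    }
"""

def parse_krb5_conf(text):
    """Parse `tag = value` / `tag = { ... }` nesting; [section] headers become top-level keys."""
    root, stack = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].split("=")[0].strip(), {}))
        else:
            tag, _, value = line.partition("=")
            stack[-1][tag.strip()] = value.strip()
    return root

def v4_to_v5(principal, conf):
    """name.instance@REALM -> name/host@REALM via v4_instance_convert, else instance.default_domain."""
    local, _, realm = principal.partition("@")
    name, _, instance = local.partition(".")
    rconf = conf.get("realms", {}).get(realm, {})
    if not instance:
        return f"{name}@{realm}"
    domain = rconf.get("default_domain", realm.lower())   # default: realm name in lower case
    host = rconf.get("v4_instance_convert", {}).get(instance, f"{instance}.{domain}")
    return f"{name}/{host}@{realm}"

def v5_to_v4(principal, conf):
    """name/host@REALM -> name.instance@V4REALM: reverse mapping, realm swapped for v4_realm."""
    local, _, realm = principal.partition("@")
    name, _, host = local.partition("/")
    rconf = conf.get("realms", {}).get(realm, {})
    v4_realm = rconf.get("v4_realm", realm)
    if not host:
        return f"{name}@{v4_realm}"
    reverse = {v: k for k, v in rconf.get("v4_instance_convert", {}).items()}
    suffix = "." + rconf.get("default_domain", realm.lower())
    instance = reverse.get(host, host[:-len(suffix)] if host.endswith(suffix) else host)
    return f"{name}.{instance}@{v4_realm}"
```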
@node AFS and the Appdefaults Section, , realms (krb5.conf), krb5.conf
@subsection AFS and the Appdefaults Section

Many Kerberos 4 sites also run the Andrew File System (AFS).

Modern AFS servers (OpenAFS > 1.2.8) support the AFS 2b token format.
This allows AFS to use Kerberos 5 tickets rather than version 4
tickets, enabling cross-realm authentication. By default, the
@file{krb524d} service will issue the new AFS 2b tokens. If you are
using old AFS servers, you will need to disable these new tokens.
Please see the documentation of the @code{appdefaults} section of
@file{krb5.conf} in the Kerberos Administration guide.
@node kdc.conf, , krb5.conf, Configuration Files
@section kdc.conf

Because Kerberos V4 requires a different type of salt for the encryption
type, you will need to change the @code{supported_enctypes} line in the

@example
supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
@end example

This is the only change needed to the @code{kdc.conf} file.
@node Upgrading KDCs, Upgrading Application Servers, Configuration Files, Top
@chapter Upgrading KDCs

To convert your KDCs from Kerberos V4 to @value{PRODUCT}, do the

@enumerate
@item
Install @value{PRODUCT} on each KDC, according to the instructions in
the @value{PRODUCT} Installation Guide, up to the point where it tells
you to create the database.

@item
Find the @code{kadmind} (V4) daemon process on the master KDC and kill
it. This will prevent changes to the Kerberos database while you
convert the database to the new Kerberos V5 format.

@item
Create a dump of the V4 database in the directory where your V5 database
will reside by issuing the command:

@example
% kdb_util dump @value{ROOTDIR}/var/krb5kdc/v4-dump
@end example

@item
Load the V4 dump into a Kerberos V5 database, by issuing the command:

@example
% kdb5_util load_v4 v4-dump
@end example

@item
Create a Kerberos V5 stash file, if desired, by issuing the command:

@item
Proceed with the rest of the @value{PRODUCT} installation as described
in the @value{PRODUCT} Installation Guide. When you get to the section
that tells you to start the @code{krb5kdc} and @code{kadmind} daemons,
first find and kill the Kerberos V4 @code{kerberos} daemon on each of
the KDCs. Then start the @code{krb5kdc} and @code{kadmind} daemons as
directed. You will need to specify an argument to the @code{-4} command
line option to enable Kerberos 4 compatibility; see the @code{krb5kdc}
man page for details. Finally, start the Kerberos V5 to V4 ticket
translator daemon, @code{krb524d}, by issuing the command:

@example
% @value{ROOTDIR}/sbin/krb524d -m > /dev/null &
@end example

If you have a stash file and you start the @code{krb5kdc} and
@code{kadmind} daemons at boot time, you should add the above line to
your @code{/etc/rc} (or @code{/etc/rc.local}) file on each KDC.
@end enumerate
@node Upgrading Application Servers, Upgrading Client machines, Upgrading KDCs, Top
@chapter Upgrading Application Servers

Install @value{PRODUCT} on each application server, according to the
instructions in the @value{PRODUCT} Installation Guide, with the
following exceptions:

@enumerate
@item
In the file @code{/etc/services}, add or edit the lines described in the
@value{PRODUCT} Installation Guide, with the following exception: the lines

@example
kerberos        @value{DefaultPort}/udp    kdc    # Kerberos V5 KDC
kerberos        @value{DefaultPort}/tcp    kdc    # Kerberos V5 KDC
@end example

@noindent
should instead read

@example
kerberos-sec    @value{DefaultPort}/udp    kdc    # Kerberos V5 KDC
kerberos-sec    @value{DefaultPort}/tcp    kdc    # Kerberos V5 KDC
@end example

@item
Convert your Kerberos V4 srvtab file to a Kerberos V5 keytab file as

@example
@b{#} @value{ROOTDIR}/sbin/ktutil
@b{ktutil:} rst /etc/krb-srvtab
@b{ktutil:} wkt /etc/krb5.keytab
@end example
@end enumerate
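A preflight check for the two configuration edits this document requires before daemons are restarted, the @code{supported_enctypes} change in @code{kdc.conf} and the @code{kerberos-sec} naming of the V5 port in @code{/etc/services}; this is an added example, not part of the Kerberos distribution, and it assumes @value{DefaultPort} expands to 88, with every input below a constructed sample.

```python
import re

# Added preflight check, not part of the Kerberos distribution. It assumes the
# @value{DefaultPort} macro expands to 88; every input below is a constructed sample.
V5_PORT = 88

# /etc/services as the Installation Guide describes it (V5 port named "kerberos") ...
SERVICES_GUIDE = """\
kerberos        88/udp     kdc    # Kerberos V5 KDC
kerberos        88/tcp     kdc    # Kerberos V5 KDC
"""
# ... and with the exception this chapter requires (V5 port named "kerberos-sec").
SERVICES_UPGRADED = """\
kerberos-sec    88/udp     kdc    # Kerberos V5 KDC
kerberos-sec    88/tcp     kdc    # Kerberos V5 KDC
"""

# kdc.conf before the change (V5 salt only) and after it (both salt types).
KDC_CONF_BEFORE = "[realms]\n  ATHENA.MIT.EDU = {\n    supported_enctypes = des-cbc-crc:normal\n  }\n"
KDC_CONF_AFTER = "[realms]\n  ATHENA.MIT.EDU = {\n    supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4\n  }\n"

def parse_services(text):
    """Map (port, protocol) -> service name from /etc/services-style lines."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop trailing comment
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto)] = fields[0]
    return table

def services_problems(text):
    """Entries to fix: the V5 KDC port must be named kerberos-sec for udp and tcp."""
    table = parse_services(text)
    return [f"{V5_PORT}/{proto} is named {table.get((V5_PORT, proto))!r}, expected 'kerberos-sec'"
            for proto in ("udp", "tcp") if table.get((V5_PORT, proto)) != "kerberos-sec"]

def supported_enctypes(kdc_conf):
    """Return the enctype:salt entries listed on the supported_enctypes line."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.MULTILINE)
    return m.group(1).split() if m else []

def kdc_conf_ready_for_v4(kdc_conf):
    """True only when the V4-salted des-cbc-crc key will be generated for principals."""
    return "des-cbc-crc:v4" in supported_enctypes(kdc_conf)
```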
@node Upgrading Client machines, Firewall Considerations, Upgrading Application Servers, Top
@chapter Upgrading Client machines

Install @value{PRODUCT} on each client machine, according to the
instructions in the @value{PRODUCT} Installation Guide.

Tell your users to add the appropriate directory to their paths. On
UNIX machines, this will probably be @code{@value{BINDIR}}.

Note that if you upgrade your client machines before all of your
application servers are upgraded, your users will need to use the
Kerberos V4 programs to connect to application servers that are still
running Kerberos V4. (The one exception is the UNIX version of
@value{PRODUCT} telnet, which can connect to both Kerberos V4 and Kerberos
V5 application servers.) Users can use either the Kerberos V4 or
@value{PRODUCT} programs to connect to Kerberos V5 servers.
@node Firewall Considerations, , Upgrading Client machines, Top
@chapter Firewall Considerations

@value{PRODUCT} uses port @value{DefaultPort}, which is the port
assigned by the IETF, for KDC requests. Kerberos V4 used port
@value{DefaultSecondPort}. If your users will need to get to any KDCs
outside your firewall, you will need to allow TCP and UDP requests on
port @value{DefaultPort} for your users to get to off-site Kerberos V5
KDCs, and on port @value{DefaultSecondPort} for your users to get to
off-site Kerberos V4 KDCs.

@c second page break makes sure right-left page alignment works right
@c with a one-page toc, even though we don't have setchapternewpage odd.
@bye
@c end of texinfo file