[OpenAFS] kaserver -> Heimdal where cell name != REALM and using Windows (krb4) AFS client

Daniel Joseph Barnhart Clark dclark@pobox.com
Mon, 07 Jun 2004 14:28:02 -0400

I'm trying to migrate to Heimdal Kerberos 0.6.2 from AFS kaserver. The
Heimdal servers are on separate machines from the AFS servers, and the
Kerberos 5 realm name is different from the AFS cell name. My goal is
that no immediate client-side changes be required due to the change in
Kerberos servers (at least on Windows, on Unix there's cfengine :-)

At the moment I'm trying to get this to work with the Windows AFS client
(krb4). To simplify testing at this point I'm not using krb-forwarder,
instead I just changed my Windows client to point to the Heimdal master
KDC as the only database server. 

In the below files the AFS cell name is old.domain.com and the new
Kerberos 5 realm name is NEW.DOMAIN.COM. The problem is that I can't
figure out how to get Heimdal to force the OLD.DOMAIN.COM v4 REALM that
the Windows AFS client uses to NEW.DOMAIN.COM before doing the
authentication. I have verified that when I create a "fake" AFS cell
new.domain.com on the Windows client everything seems to work from the
perspective of the KDC logs, so the conversion does look like it's the

Anyone know how to fix this (ugly hacks gratefully accepted :-)?

Relevant lines from the log file

2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4: for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:

These are the principals that are in the kdc

kadmin> list afs*
kadmin> list dclark*

Here is my /etc/krb5.conf

# [section headers assumed: the archived copy shows only the indented body of each section]
[libdefaults]
        default_realm = NEW.DOMAIN.COM
        clockskew = 5 minutes
        v4_instance_resolve = false
        kdc_timeout = 3 seconds
        ticket_lifetime = 30 hours
        forwardable = true

[domain_realm]
        .domain.com = NEW.DOMAIN.COM
        domain.com = NEW.DOMAIN.COM
        .new.domain.com = NEW.DOMAIN.COM
        new.domain.com = NEW.DOMAIN.COM

[realms]
        NEW.DOMAIN.COM = {
                kdc = kdc1.domain.com
                kdc = kdc2.domain.com
                kdc = kdc3.domain.com
                admin_server = kdc1.domain.com
                default_domain = new.domain.com
                v4_domains = domain.com new.domain.com
        }

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[kdc]
        require-preauth = false
        enable-kerberos4 = true
        afs-cell = old.domain.com
        v4-realm = NEW.DOMAIN.COM
        enable-kaserver = true
        enable-524 = true
        kdc_warn_pwexpire = 14 days

[kadmin]
        default_keys = v4 v5 des:afs3-salt:old.domain.com
        password_lifetime = 90 days

Here is my /var/lib/heimdal-kdc/kdc.conf

# [section headers and realm name assumed: the archived copy shows only the section bodies]
[kdc]
logging = FILE:/var/log/heimdal-kdc.log
require-preauth = no

[kdcdefaults]
kdc_ports = 88,750

[realms]
NEW.DOMAIN.COM = {
  database_name = /var/lib/heimdal-kdc/heimdal
  admin_keytab = /var/lib/heimdal-kdc/kadmind.keytab
  acl_file = /var/lib/heimdal-kdc/kadmind.acl
  dict_file = /var/lib/heimdal-kdc/kadmind.dict
  key_stash_file = /var/lib/heimdal-kdc/m-key
  kadmind_port = 749
  max_life = 30h 0m 0s
  max_renewable_life = 21d 0h 0m 0s
}

Daniel Joseph Barnhart Clark
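The KDC log above shows the krb4 client name being converted to its v5 form and looked up under the realm the client presented, which is what fails when the AFS cell name and the realm differ. As an added example that is not part of the original post or of Heimdal, here is a small Python check that parses log lines in that format, applies the same v4-to-v5 name conversion, and lists requests whose client realm differs from the KDC's v4-realm; the sample lines and IPv4 addresses are constructed.

```python
import re

# Constructed sample modelled on the KDC log excerpt in the post; the IPv4
# addresses are made up (RFC 5737 documentation range), the post shows none.
SAMPLE_LOG = """\
2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:192.0.2.10 for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:192.0.2.10
2004-06-07T12:50:01 AS-REQ (krb4) dclark.@NEW.DOMAIN.COM from IPv4:192.0.2.11 for afs.@NEW.DOMAIN.COM
2004-06-07T12:50:01 sending 230 bytes to IPv4:192.0.2.11
"""

AS_REQ_V4 = re.compile(r"^(?P<ts>\S+) AS-REQ \(krb4\) (?P<client>\S+) from IPv4:(?P<src>\S+) for (?P<server>\S+)$")
V4_PRINC = re.compile(r"^(?P<name>[^.@]*)(?:\.(?P<inst>[^@]*))?@(?P<realm>.+)$")


def v4_to_v5(principal):
    """Map krb4 name.instance@REALM to the v5 name the KDC looks up; an empty
    instance is dropped, so dclark.@OLD.DOMAIN.COM becomes dclark@OLD.DOMAIN.COM."""
    m = V4_PRINC.match(principal)
    if not m:
        raise ValueError("not a krb4 principal: %r" % principal)
    name, inst, realm = m.group("name", "inst", "realm")
    return (name + "/" + inst if inst else name) + "@" + realm


def find_v4_realm_mismatches(log_text, v4_realm):
    """Return krb4 AS-REQs whose client realm differs from the KDC's v4-realm,
    recording the v5 name the KDC would look up and the source address."""
    hits = []
    for line in log_text.splitlines():
        m = AS_REQ_V4.match(line)
        if not m:
            continue
        lookup = v4_to_v5(m.group("client"))
        if lookup.rsplit("@", 1)[1] != v4_realm:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "v4_client": m.group("client"), "lookup": lookup,
                         "server": v4_to_v5(m.group("server"))})
    return hits


if __name__ == "__main__":
    for hit in find_v4_realm_mismatches(SAMPLE_LOG, "NEW.DOMAIN.COM"):
        print("%(ts)s %(src)s sent %(v4_client)s; KDC looked up %(lookup)s" % hit)
```

Run against the real KDC log during a migration, the hits list the hosts whose AFS client configuration still derives the realm from the old cell name.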