Replacing the system Kerberos with MIT Kerberos (from ports)

Is there a way to replace the Heimdal Kerberos libraries included in the FreeBSD
base system with the MIT Kerberos libraries installed from the security/krb5
port?  I know about the KRB5_HOME make option.  I'm concerned about other
"Kerberized" applications not working properly because they use the wrong client
libraries, hence my desire to completely replace Heimdal with MIT Kerberos.

The Heimdal Kerberos libraries shipped with the FreeBSD base system don't
support TCP, so when a KDC replies to a client request with a response larger
than the maximum UDP packet size, the Kerberos libraries return an error to the
client instead of switching to TCP (which can handle large responses).  I
routinely encounter this problem when integrating FreeBSD servers and
workstations into Windows Active Directory domains, where the KDC responses
include additional authorization data derived from a security principal's group
memberships: Samba's "net ads join" command fails with a "response too big for
UDP, retry with TCP" error when linked against Heimdal, but it succeeds (and
everything else works properly) when linked against MIT Kerberos.

(Note that I'm not willing to debate the semi-standard/non-standard inclusion of
authorization data in a Kerberos ticket's PAC, nor am I willing to argue the
applicability of the aforementioned operating systems to their assigned tasks.)

Best wishes,
Matthew

Matthew
11/12/2008 4:51:44 PM
comp.unix.bsd.freebsd.misc
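Added example (not Matthew's code, nor anything from Heimdal or MIT Kerberos): the client-side check RFC 4120 specifies for the situation described in the post, where a KDC answers a UDP request with KRB_ERR_RESPONSE_TOO_BIG (error code 52), together with the 4-byte length framing the TCP retry must use. The KRB-ERROR bytes are constructed inside the block; EXAMPLE.COM and krbtgt are placeholder names.

```python
"""Client-side handling of KRB_ERR_RESPONSE_TOO_BIG (RFC 4120 sections 7.2.1, 7.2.2, 7.5.9)."""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # KDC reply: answer exceeds UDP size, retry over TCP
KRB_ERROR_TAG = 0x7E            # [APPLICATION 30] constructed tag that starts a KRB-ERROR

def _tlv(data, pos=0):          # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:           # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR reply, or None for any other message."""
    tag, body, _ = _tlv(reply)
    if tag != KRB_ERROR_TAG:
        return None
    tag, seq, _ = _tlv(body)
    if tag != 0x30:             # the KRB-ERROR body must be a SEQUENCE
        return None
    pos = 0
    while pos < len(seq):
        tag, field, pos = _tlv(seq, pos)
        if tag == 0xA6:         # context tag [6] wraps the INTEGER error-code
            return int.from_bytes(_tlv(field)[1], "big", signed=True)
    return None

def must_retry_over_tcp(reply):
    """True when the UDP reply is the KDC telling the client to switch to TCP."""
    return krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG

def tcp_frame(msg):
    """RFC 4120 7.2.2: over TCP every message is preceded by its 4-byte big-endian length."""
    return struct.pack(">I", len(msg)) + msg

# Constructed sample data (not captured from a real KDC); realm and principal are placeholders.
def _der(tag, value):           # minimal DER encoder, short and long length forms
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def _int(n):                    # DER INTEGER, two's complement, minimal length
    return _der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))
def sample_krb_error(code, realm=b"EXAMPLE.COM"):
    """Minimal KRB-ERROR: pvno, msg-type, stime, susec, error-code, realm, sname."""
    sname = _der(0x30, _der(0xA0, _int(2)) + _der(0xA1, _der(0x30, _der(0x1B, b"krbtgt") + _der(0x1B, realm))))
    fields = (_der(0xA0, _int(5)) + _der(0xA1, _int(30)) + _der(0xA4, _der(0x18, b"20081112165144Z")) +
              _der(0xA5, _int(0)) + _der(0xA6, _int(code)) + _der(0xA9, _der(0x1B, realm)) + _der(0xAA, sname))
    return _der(KRB_ERROR_TAG, _der(0x30, fields))
```

With MIT krb5 the same fallback can be forced without code changes by setting udp_preference_limit = 1 in the [libdefaults] section of krb5.conf, which makes the library prefer TCP for every request.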