On 10/11/2013 04:01 AM, Tom_Krauss wrote:
> It is a fixed condition that the KDCs will run MIT 1.4 since the OS vendor's
> release must be used.
> The principal DB will be in LDAP.

LDAP KDB support was added in 1.6, so unless your OS vendor backported support for it to 1.4 (which would not have been easy), I don't see how this is possible.

> I am considering using MIT 1.8 on the admin server since I would like to
> have certain features from the beginning (multirealm kadmind, norandkey,
> account lockout, masterkey rollover).

We still don't have a multirealm kadmind. Account lockout will not work unless the KDCs are all running at least 1.8 (and preferably at least 1.9, which adds disable_last_success and propagation of modprinc -unlock).

> - is the information in the database written by 1.8 fully downward
> compatible to be read by 1.4 krb5kdc daemons ?

I would expect so. We generally expect KDCs to be upgraded in stages, so we worry about downward compatibility of KDB information when we add new features. But we don't have great test coverage for this kind of scenario, so it's possible there might be mistakes.

> - how about kadmin used from clients ?

We have tried to maintain wire compatibility across all kadmin and kadmind versions back to 1.0.

> - strictly from a Kerberos point of view and leaving the OS aside - is this
> an acceptable setup to be run for a while or only advisable for a shorter
> transition phase ?

The LDAP KDB module has some serious scalability issues which were fixed in 1.9. Each time a principal is fetched, its policy is also fetched, and each time a policy is fetched, all principals are scanned to set a reference count. So if you use password policy objects at all, the KDC and kadmind will bog down when you have a lot of principals.

There have also been a handful of KDC vulnerabilities which affect 1.4 and 1.8, which were discovered after those releases hit their end of support lifetime from our perspective. Your OS may have backported the fixes. http://web.mit.edu/kerberos/advisories/ has a list of advisories if you want to check. Some of them affect only newer releases, but not all of them.

> I tested a bit with it and except for 1.4 kadmin.local (which segfaults
> reading a principal written from 1.8) it seems to work fine.

I'm a little curious what causes this segfault, but it's unlikely that we would fix a bug in 1.4, so it's probably not important.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos