Diffstat (limited to 'crypto/heimdal/doc/kerberos4.texi')
-rw-r--r-- | crypto/heimdal/doc/kerberos4.texi | 59 |
1 files changed, 53 insertions, 6 deletions
diff --git a/crypto/heimdal/doc/kerberos4.texi b/crypto/heimdal/doc/kerberos4.texi index 2e4f92c..92614c8 100644 --- a/crypto/heimdal/doc/kerberos4.texi +++ b/crypto/heimdal/doc/kerberos4.texi @@ -1,13 +1,19 @@ -@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top +@c $Id: kerberos4.texi,v 1.12 2001/01/30 17:07:03 assar Exp $ + +@node Kerberos 4 issues, Migration, Things in search for a better place, Top @comment node-name, next, previous, up @chapter Kerberos 4 issues If compiled with version 4 support, the KDC can serve requests from a Kerberos 4 client. There are a few things you must do for this to work. +You might also want use the built in kaserver emulation in the kdc +when you have AFS-clients that use @code{klog}. + @menu * Principal conversion issues:: * Converting a version 4 database:: +* kaserver:: @end menu @node Principal conversion issues, Converting a version 4 database, Kerberos 4 issues, Kerberos 4 issues @@ -51,7 +57,7 @@ principal exists in the database. The KDC will use @code{krb5_425_conv_principal_ext} to convert principals when handling to version 4 requests. -@node Converting a version 4 database, , Principal conversion issues, Kerberos 4 issues +@node Converting a version 4 database, kaserver , Principal conversion issues, Kerberos 4 issues @section Converting a version 4 database If you want to convert an existing version 4 database, the principal 
@@ -153,13 +159,19 @@ the @samp{[libdefaults]} section. @subsection Converting a database -The database conversion is done with @samp{hprop}. Assuming that you -have the @samp{kadmin/hprop} key in the keytab @file{hprop.keytab}, you -can run this command to propagate the database to the machine called +The database conversion is done with @samp{hprop}. You can run this +command to propagate the database to the machine called @samp{slave-server} (which should be running a @samp{hpropd}). @example -hprop -4 -E -k hprop.keytab slave-server +hprop --source=krb4-db -E slave-server +@end example + +This command can also be to use for converting the v4 database on the +server: + +@example +hprop -n --source=krb4-db -d /var/kerberos/principal -E | hpropd -n @end example @section Version 4 Kadmin 
@@ -177,3 +189,38 @@ version 4 uses port 751, not 749). @emph{And then there are a many more things you can do; more on this in a later version of this manual. Until then, UTSL.} + +@node kaserver, , Converting a version 4 database, Kerberos 4 issues +@section kaserver + +@subsection kaserver emulation + +The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4 +server with pre-authentication using Rx as the on-wire protocol. The kdc +contains a minimalistic Rx implementation. + +There are three parts of the kaserver; KAA (Authentication), KAT (Ticket +Granting), and KAM (Maintenance). The KAA interface and KAT interface +both passes over DES encrypted data-blobs (just like the +Kerberos-protocol) and thus o not need any other protection. The KAM +interface uses @code{rxkad} (Kerberos authentication layer for Rx) for +security and data protection, and is used for example for changing +passwords. This part is not implemented in the kdc. + +Another difference between the ka-protocol and the Kerberos 4 protocol +is that the pass-phrase is salted with the cellname in the @code{string to +key} function in the ka-protocol, while in the Kerberos 4 protocol there +is no salting of the password at all. To make sure AFS-compatible keys +are added to each principals when they are created or their password are +changed, @samp{afs3-salt} should be added to +@samp{[kadmin]default_keys}. + +@subsection Transarc AFS Windows client + +The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus +does not need a kaserver. The Windows client assumes that the Kerberos +server is on the same machine as the AFS-database server. If you do not +like to do that you can add a small program that runs on the database +servers that forward all kerberos requests to the real kerberos +server. A program that does this is @code{krb-forward} +(@url{ftp://ftp.stacken.kth.se/pub/projekts/krb-forward}). |
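Review bot: in the first hunk (@@ -1,13 +1,19 @@) the next pointer of the "Kerberos 4 issues" node changes from "Windows 2000 compatability" to "Migration", but no node named Migration is defined in this file; confirm that node exists in the manual's other source files (and that the old Windows 2000 node is updated or removed) so makeinfo's cross-reference check passes. Minor wording in the added paragraph: "You might also want use the built in kaserver emulation in the kdc" should read "You might also want to use the built-in kaserver emulation in the KDC".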
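Review bot: in the second hunk (@@ -153,13 +159,19 @@) the removed sentence about the kadmin/hprop key in hprop.keytab was the only statement of how hprop authenticates to hpropd on slave-server, and the new text gives nothing in its place; state whether a keytab (and which principal) is still required for the remote propagation, or why it is not needed with --source=krb4-db. Also "This command can also be to use for converting the v4 database" should read "This command can also be used to convert the v4 database", and the -n flag passed to both hprop and hpropd in the local example deserves a short parenthetical since the surrounding text never explains it.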
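Review bot: in the third hunk (@@ -177,3 +189,38 @@) the sentence carrying the section's security claim has typos that change its reading: "both passes over DES encrypted data-blobs ... and thus o not need any other protection" should be "both pass DES-encrypted data blobs ... and thus do not need any other protection". Likewise "added to each principals when they are created or their password are changed" should be "added to each principal when it is created or its password is changed", and "If you do not like to do that" reads better as "If you do not want to do that". Since the KAM (Maintenance) part is stated as not implemented, it would help to spell out the consequence for users, namely that password changes through the ka-protocol are not available from this KDC.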