[1604] in Kerberos
Re: DCE kerberos vs. MIT
daemon@ATHENA.MIT.EDU (smb@ulysses.att.com)
Tue Oct 8 17:35:04 1991
From: smb@ulysses.att.com
To: pato@apollo.com (Joe Pato)
Cc: kerberos@Athena.MIT.EDU
Date: Tue, 08 Oct 91 16:48:48 EDT

   If by the term "authenticate him/herself to a DCE system" you
   mean that the client will be able to authenticate to any of the
   basic DCE services (e.g., name service or file system or time
   service or user registration service) or login to a machine,
   then no - a client using a vanilla MIT V5 system will not be
   able to authenticate itself. The DCE Security service
   (privilege server component) is needed to fill in authorization
   data in the tickets for these servers. A client presenting a
   ticket without the proper authorization data is interpreted as
   an unauthenticated client.

I'm not quite sure how to interpret what you just said. There are three
players -- the client, the service, and the KDC. Are you saying that
DCE services will only accept tickets prepared by DCE KDCs? Can a
vanilla client request a ticket from a DCE KDC? Can it do so through
inter-realm authentication? Can a DCE client request a ticket for
a vanilla service from a vanilla KDC? I'm trying to understand the
compatibility matrix here...