[3426] in Kerberos
Re: Kerberos and DCE
daemon@ATHENA.MIT.EDU (Walt Tuvell)
Thu Jun 16 18:59:07 1994
To: kerberos@MIT.EDU
Date: 16 Jun 1994 22:38:10 GMT
From: walt@lobster.osf.org (Walt Tuvell)
In article <199406161804.LAA05276@Mordor.Stanford.EDU>,
dcrocker@Mordor.Stanford.EDU (Dave Crocker) makes another of his
well-known, ill-begotten, and unsuccessful attempts to discredit DCE by
pretending to conclude:
> DCE Kerberos and MIT Kerberos are different and use non-interoperable
> protocols.
Wrong.
Mr. Crocker's "interesting" style of twisting words around in ways only
he can interpret may be entertaining, but readers of this newsgroup
should recall that the original query spawning this thread was simply:
"Can a DCE security server replace a Kerberos server, from the point of
view of Kerberos clients?" I.e., the question is: "Can an ordinary,
unmodified client make ordinary, unmodified Kerberos AS/TGS requests to
UDP port 88 on a machine running a DCE security server, and expect to be
issued tickets that are indistinguishable from the tickets issued by an
ordinary, unmodified MIT Athena Kerberos server?"
As Joe Pato correctly stated, the answer to this is "Yes" (very minor
bug and version skew problems in previous Athena and/or DCE releases
have been fixed in currently shipping product). OSF has not been
willing to "guarantee" this protocol compatibility/interoperability in
the past for the simple reason that Krb5 wasn't completely "cooked", in
the sense of being design-complete (i.e., RFC-ized), so we were afraid
it might change yet again. But now that the RFC has been published, we
anticipate adding this guarantee soon (i.e., testing it as part of our
release criteria).
- Walt
PS. I will not respond in this forum to any further attacks by Mr.
Crocker, as it is a waste of my time. He has consistently proven
himself to be more interested in doubletalk than in true information
exchange regarding DCE.
