[3434] in Kerberos


Re: Kerberos and DCE

daemon@ATHENA.MIT.EDU (Joseph N. Pato)
Fri Jun 17 11:52:39 1994

Date: Fri, 17 Jun 1994 10:49:49 -0400
To: eric@atrium.com (Eric J. Rothfus)
From: pato@apollo.hp.com (Joseph N. Pato)
Cc: kerberos@MIT.EDU, eric@atrium.com

At 19:22 6/16/94 -0500, Eric J. Rothfus wrote:
>Joe,
>
>First off, thanks for the input.  I couldn't quite pull the answer
>I was looking for from your message (although it looks suspiciously
>like the answer is "yes").  Let me formulate the question a little
>better:
>
>Given that the DCE "includes" kerberos, the idea is NOT to have
>to install "another" kerberos server on my network.  That is,
>I'd like to use the kerberos embedded in DCE with my programs
>which do not use DCE.
>
>Assuming that:
>
>  - my non-DCE clients know how to talk to "a" kerberos server
>  - that there are no (hopefully) incompatibility issues
>  - the clients are smart enough to embed the kerberos info in their
>        own protocols
>
>then is it possible to satisfy their kerberos needs with the kerberos
>embedded in DCE (and used by the Security server)?   In other words,
>is the "DCE" kerberos also listening in the standard way to requests
>coming from the outside non-DCE world.
>
>Many issues come to mind, including "(if this works) does the "DCE"
>kerberos get the passwords from the registry?"...
>
>Eric
>

Sorry for not being clear. As Walt Tuvell later stated - the answer is YES.
An application that is unaware of the DCE and uses a client Kerberos
library can communicate with a DCE security server over UDP port 88 using
the protocol defined in RFC 1510. The DCE security server listens in the
"standard way" to requests coming from outside the DCE world.

DCE vendors do not currently advertise this since there isn't a validation
suite for the RFC 1510 protocol. We expect that subsequent releases of the
DCE will more fully test this protocol - fix any bugs found - and will then
advertise this support.

The answer to your next question is yes, the DCE AS and TGS services
maintain keys in the DCE Registry (which, in the current implementation, is
the database co-located with the services).


- joe
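
The exchange described in the message above (a non-DCE client sending an RFC 1510 request to UDP port 88), as an added example that is not part of the original message or of any DCE or Kerberos distribution: it hand-encodes a minimal AS-REQ in DER and classifies the reply by its ASN.1 application tag. The function names, host, principal, realm, nonce and `till` timestamp are assumptions made for illustration.

```python
import socket

def der_len(n):                       # DER definite length, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content): return bytes([tag]) + der_len(len(content)) + content
def ctx(n, content):   return tlv(0xA0 | n, content)        # explicit [n] tag
def seq(*items):       return tlv(0x30, b"".join(items))
def gstring(s):        return tlv(0x1B, s.encode("ascii"))  # GeneralString
def integer(v):        return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def principal(name_type, *parts):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*map(gstring, parts))))

def as_req(user, realm, nonce, etype=1):          # etype 1 = des-cbc-crc
    body = seq(
        ctx(0, tlv(0x03, bytes(5))),              # kdc-options: 32 flag bits, all clear
        ctx(1, principal(1, user)),               # cname, NT-PRINCIPAL
        ctx(2, gstring(realm)),
        ctx(3, principal(2, "krbtgt", realm)),    # sname, NT-SRV-INST
        ctx(5, tlv(0x18, b"20370913024805Z")),    # till (constructed value)
        ctx(7, integer(nonce)),
        ctx(8, seq(integer(etype))))
    # KDC-REQ: pvno 5, msg-type 10 (AS-REQ), wrapped in [APPLICATION 10]
    return tlv(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

def classify_reply(data):
    # [APPLICATION 11] is AS-REP, [APPLICATION 30] is KRB-ERROR
    return {0x6B: "AS-REP", 0x7E: "KRB-ERROR"}.get(data[0] if data else None,
                                                   "not an RFC 1510 reply")

def ask_kdc(host, user, realm, nonce, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(as_req(user, realm, nonce), (host, 88))
        return classify_reply(s.recvfrom(4096)[0])

if __name__ == "__main__":
    # Placeholder host, principal and realm; substitute your own cell's values.
    print(ask_kdc("dce-sec.example.com", "alice", "EXAMPLE.REALM", 12345))
```

Either an AS-REP or a KRB-ERROR in response shows that the server parsed the request as an RFC 1510 message; a timeout or any other leading byte does not.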


