[4471] in Kerberos
Re: DCE / Kerberos Comparison
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Tue Jan 10 11:09:12 1995
To: kerberos@MIT.EDU
Date: 10 Jan 1995 15:57:59 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)
In article <1995Jan9.221653.7717@hfsi.hfsi.com>, goertzek@hfsi.com (karen mercedes) writes:
|> MIT's Kerberos *is* the Security Service in the OSF Distributed
|> Computing Environment Version 1.1. So by installing Kerberos, you are
|> actually installing part of the DCE.

This is not entirely accurate. If you install MIT Kerberos instead of DCE
Kerberos, and then you later decide that you want to use other DCE services
that depend on DCE Security, you will *not* be able to just install those
services and tell them to use your MIT Kerberos installation.

I can think of at least two reasons for this off the top of my head.
First of all, the naming scheme that DCE uses for Kerberos
principals and realms is somewhat different than the naming scheme generally
used by MIT Kerberos installations. Second, and much more important, all of
the DCE services which use DCE Security do so through a DCE RPC interface to
the DCE Security server, *not* by talking the Kerberos protocol directly.
Since the MIT Kerberos server talks the Kerberos protocol but doesn't talk DCE
RPC, DCE services can't talk to an MIT Kerberos server.

As far as I know, none of the vendors of DCE technology or of MIT Kerberos
technology provide software for easily converting an MIT Kerberos installation
into a DCE Kerberos installation. Therefore, if you start with an MIT
Kerberos installation and later decide that you want to use other DCE services
and therefore need to convert to a DCE Security installation, you're going to
either have to invest a lot of effort into figuring out how to import your MIT
Kerberos database into the DCE Security system (not a small feat), or have a
flag day in which all your users' passwords change, you have to reinstall
keytab files on all machines, etc.
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com