[6150] in Kerberos


Re: How to make V5 and V4 work together

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Nov 7 15:29:42 1995

Date: Tue, 7 Nov 1995 15:08:27 -0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: Jie Wang <jiewang@leland.Stanford.EDU>
Cc: kerberos@MIT.EDU
In-Reply-To: Jie Wang's message of Thu, 26 Oct 1995 19:18:42 -0700 (PDT),
	<199510270218.TAA17500@elaine47.Stanford.EDU>

   Date: Thu, 26 Oct 1995 19:18:42 -0700 (PDT)
   From: Jie Wang <jiewang@leland.Stanford.EDU>

   We will install DCE for our systems. Since we are
   currently using Kerberos 4 for our AFS, we need to let DCE security
   (which is of Kerberos 5 type) work compatibly with our Kerberos 4.
   Would you please tell me who is the best person to ask for
   this information?

Unfortunately, as far as I know --- you don't.  When I complained to OSF
about this several months ago, they explained that they didn't think
there was enough of a market to worry about this kind of backwards
compatibility.  Unfortunately, that means if you're a Transarc customer,
or have your own Kerberos V4 realm, you're Sadly Out of Luck.  The only
thing you can really do is complain to your vendors --- loudly.  If
there are enough complaints, maybe OSF will change their mind.

As far as I'm concerned, if OSF had but made two simple design
decisions, long ago, this situation would have been much simpler to deal
with.  (1)  DCE applications currently use the DCE RPC to get their
Kerberos tickets, and their Privilege Tickets.  They should have used
the standard, RFC-1510-defined UDP port 88 protocol.  (2)  OSF should
have released the code necessary to cons up a Privilege ticket and made
it freely available.  If both of these were true, it would have been
possible for someone who wanted V4 backwards compatibility to simply use
an MIT-supplied Kerberos V5 KDC, and it could serve as a drop-in
replacement for a DCE security server.  (After all, OSF/DCE is
theoretically an open architecture, right?)

Unfortunately, that's not the way the world works, and so life is a lot
more complicated for people who actually care about keeping AFS and
other legacy Kerberos V4 apps running.  (Besides, everyone is supposed
to use DFS, the greatest thing since sliced bread --- right?  :-)

						- Ted
