[6164] in Kerberos


Re: How to make V5 and V4 work together

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Tue Nov 7 23:54:54 1995

Date: Tue, 7 Nov 1995 23:39:26 -0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: jec@isoft.com
Cc: "Theodore Ts'o" <tytso@MIT.EDU>, Jie Wang <jiewang@leland.Stanford.EDU>,
        kerberos@MIT.EDU, walt@osf.org
In-Reply-To: Jonathan Chinitz's message of Tue, 7 Nov 1995 21:42:35 -0400,
	<v02120d00acc5b834794c@[199.33.247.8]>

   Date: Tue, 7 Nov 1995 21:42:35 -0400
   From: jec@isoft.com (Jonathan Chinitz)

   >Unfortunately, as far as I know --- you don't.  When I complained to OSF
   >about this several months ago, they explained that they didn't think
   >there was enough of a market to worry about this kind of backwards
   >compatibility.  Unfortunately, that means if you're a Transarc customer,
   >or have your own Kerberos V4 realm, you're Sadly Out of Luck.  The only
   >thing you can really do is complain to your vendors --- loudly.  If
   >there's enough complaints, maybe OSF will change their mind.
   >
   Doug Engert from ANL gave a very inspiring presentation today at the DCE
   SIG about his work in this area. He has managed to put together some
   interesting interoperability scenarios involving V4, V5, AFS, DFS, and DCE.
   If you chat with him you will find that this whole area is not just as
   simple as it is made to sound in this note.

As a matter of fact, I chatted with Doug Engert from ANL just this
Monday afternoon (the day before he gave his presentation), and when I
talked to him, he expressed frustration that OSF didn't provide Kerberos
V4 backwards compatibility, and that he had to do all sorts of
complicated things to get AFS to work while using a DCE security server.

The sad fact of the matter is that if you have an existing user community using
a Kerberos V4 database, trying to transition to using a DEC security
server while preserving backwards compatibility with legacy systems is
an extremely difficult task.

   >Unfortunately, that's not the way the world works, and so life is a lot
   >more complicated for people who actually care about keeping AFS and
   >other legacy Kerberos V4 apps running.  (Besides, everyone is supposed
   >to use DFS, the greatest thing since sliced bread --- right?  :-)

   Yeah, try it -- you actually might like it :-)

Well, when I talked to some unnamed individuals within OSF not that many
months ago, they told me that they didn't trust storing DCE source code
on them.  Other ex-DCE engineers told me that each DCE engineering had
their own DCE cells, with their own DFS servers, and none of them stored
anything important under DFS.  Now, they may have been exaggerating a
bit, and things may have changed since then --- however, I have yet to
hear many positive things said about DFS being used in production
environments.  I may, however, simply not have heard the Good News from the
appropriate OSF marketing organs.

The last information I heard was that there also wasn't a terribly
smooth transition path from AFS to DFS, either, other than "dump and
restore", and that you had to perform a flag-day transition of all of
your AFS clients and servers to DFS.  Again, this may simply be because I
haven't heard the latest marketing scoop from OSF.

							- Ted
