[6170] in Kerberos
Re: How to make V5 and V4 work together
daemon@ATHENA.MIT.EDU (Ivan Milman 8-8152)
Wed Nov 8 08:56:36 1995
From: milman@austin.ibm.com (Ivan Milman 8-8152)
To: tytso@MIT.EDU, kerberos@MIT.EDU, jiewang@lieland.stanford.edu
Date: Wed, 8 Nov 1995 07:35:20 -0600 (CST)
Cc: milman@austin.ibm.com (Ivan Milman),
Mark_Sherman@transarc.com (Mark Sherman),
jec@isoft.com (Jonathan Chinitz)
Ted,
A couple of comments (Jonathan forwarded your note to me):
- Transarc offers an AFS/DFS gateway that lets your AFS 3.3 clients
talk to DFS servers
- I can't talk to what OSF uses DFS for, however, within IBM we store
quite a bit of mission critical stuff in DFS. We have about 200 people
using DFS as part of the DCE and IBM LAN Server development effort
everyday for storing source code, docs, etc. Works like a champ!
Our Austin site (5000 people) is piloting DFS right now, and will move
from AFS to DFS early next year.
Also, OSF just announced plans to put out a worldwide cell, including DFS,
for use by OSF sponsors and members.
- We've got a bazillion customers using DFS in production (OK, so I stretched
the number a bit). Seriously, though, we're beginning to see some rollouts
of DFS in large numbers within some of our customers (like the US Forest
Service).
Thanks, ==== ====== === ===
Ivan ==== ======= ==== ====
== == == === ===
Ivan M. Milman IBM/Austin == ====== =========
Distributed System Products == ====== == === ==
Internet: milman@austin.ibm.com == == == == === ==
Phone: (512)838-8152 Tie-line: 678-8152 ==== ======= === = ===
Fax: (512)838-8597 VNET: MILMAN at AUSTIN ==== ====== === ===
--------------------------------------------
>Date: Tue, 7 Nov 1995 23:39:26 -0500
>From: Theodore Ts'o <tytso@MIT.EDU>
>To: jec@isoft.com
>Cc: "Theodore Ts'o" <tytso@MIT.EDU>, Jie Wang <jiewang@leland.Stanford.EDU>,
> kerberos@MIT.EDU, walt@osf.org
>Subject: Re: How to make V5 and V4 work together
>Address: 1 Amherst St., Cambridge, MA 02139
>Phone: (617) 253-8091
>
> Date: Tue, 7 Nov 1995 21:42:35 -0400
> From: jec@isoft.com (Jonathan Chinitz)
>
> >Unfortunately, as far as I know --- you don't. When I complained to OSF
> >about this several months ago, they explained that they didn't think
> >there was enough of a market to worry about this kind of backwards
> >compatibility. Unfortunately, that means if you're Transarc customer,
> >or have your own Kerberos V4 realm, you're Sadly Out of Luck. The only
> >thing you can really do is complain to your vendors --- loudly. If
> >there's enough complaints, maybe OSF will change their mind.
> >
> Doug Engert from ANL gave a very inspiring presentation today at the DCE
> SIG about his work in this area. He has managed to put together some
> interesting interoperability scenarios involving V4, V5, AFS, DFS, and DCE.
> If you chat with him you will find that this whole area is not just as
> simple as it is made to sound in this note.
>
>As a matter of fact, I chatted with Doug Engert from ANL just this
>Monday afternoon (the day before he gave his presentation), and when I
>talked to him, he expressed frustration that OSF didn't provide Kerberos
>V4 backwards compatibility, and that he had to do all sorts of
>complicated things to get AFS to work while using a DCE security server.
>
>The sad fact of the matter if you have an existing user community using
>a Kerberos V4 database, trying to transition to using a DEC security
>server while preserving backwards compatibility with legacy systems is
>an extremely difficult task.
>
> >Unfortunately, that's not the way the world works, and so life is a lot
> >more complicated for people who actually care about keeping AFS and
> >other legacy Kerberos V4 apps running. (Besides, everyone is supposed
> >to use DFS, the greatest thing since sliced bread --- right? :-)
>
> Yeah, try it -- you actually might like it :-)
>
>Well, when I talked to some unnamed individuals within OSF not that many
>months ago, they told me that they didn't trust storing DCE source code
>on them. Other ex-DCE engineers told me that each DCE engeering had
>their own DCE cells, with their own DFS servers, and none of they stored
>anything important under DFS. Now, they may have been exagerating a
>bit, and things may have changed since then --- however, I have yet to
>hear many positive things said about DFS being used in production
>environments. I may, however, simply not heard the Good News from the
>appropriate OSF marketing organs.
>
>The last information I heard was that there also wasn't a terribly
>smooth transition path from AFS to DFS, either, other than "dump and
>restore", and that you had to perform a flag-day transition of all of
>your AFS clients and servers to DFS. Again, this may simply because I
>haven't heard the latest marketing scoop from OSF.
>
> - Ted
