[6183] in Kerberos
Re: How to make V5 and V4 work together
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Nov 8 16:53:03 1995
Date: Wed, 8 Nov 1995 16:23:57 -0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: milman@austin.ibm.com
Cc: kerberos@MIT.EDU, jiewang@lieland.stanford.edu, milman@austin.ibm.com,
Mark_Sherman@transarc.com, jec@isoft.com
In-Reply-To: Ivan Milman 8-8152's message of Wed, 8 Nov 1995 07:35:20 -0600 (CST),
<9511081335.AA32491@dss1.austin.ibm.com>
Well, the real problem is that the DCE security server doesn't support
Kerberos V4 backwards compatibility. Doug Engbert has written a nice
hack which allows you to use AFS servers despite the fact that the DCE
security servers don't support V4 backwards compatibility. However, his
solution doesn't scale in an environment where you have a large number
of legacy Kerberos V4 applications which you need to support, and not
just AFS.
This reason alone has been enough to cause MIT to never seriously
consider running DCE or DFS in production at our site, because of the
lack of backwards compatibility. Apparently there aren't enough
prospective customers to support making Kerberos V4 backwards
compatibility a priority.
It's nice to hear that there is an AFS/DFS gateway product available. At
least at one point Transarc had refused to make something like that
available. I'm glad to see that this position, at least, has been
reconsidered.
However, without backwards compatibility at the DCE security server
level, it still means that you have to force people to maintain separate
passwords for the AFS ka server and the DCE security server, thus
destroying single-signon, at the very minimum. And if there's no way to
import users' keys from the AFS ka server to the DCE security server,
then you force the site to go through the user password
initialization process for all of their existing users. For a site with
20,000 users, this is not something which is undertaken lightly.
I would hope that in future releases of DCE, that more attention be paid
to the backwards compatibility issues. Transarc, in particular, should
keep in mind that ignoring one's traditional customer base while trying
to make bold new moves in new markets is often a good way to both (a)
lose one's traditional market base, and (b) when word gets back to the
potential new customers, the potential new customers may decide that
they don't want to cast their lot with a company that doesn't show much
loyalty to its existing customers.
- Ted