[6837] in Kerberos
Using DCE secd as a Kerberos 5 KDC
daemon@ATHENA.MIT.EDU (Doug Engert)
Wed Mar 6 18:14:02 1996
Date: Wed, 6 Mar 1996 16:58:25 -0600
From: Doug Engert <DEEngert@anl.gov>
To: edhill@strobe.weeg.uiowa.edu (Ed Hill)
Cc: kerberos@MIT.EDU, authtf@es.net
In-Reply-To: <x6wx4zb736.fsf@strobe.weeg.uiowa.edu>
Ed Hill writes:
> Hello,
>
> Short question. Has anyone actually done this?
Yes we have. As part of a DOE funded project, the Authentication Task
Force of ESnet has been researching this for some time.
> I am aware of the OSF RFC 92.0
> January 1996 that describes the intent to provide interoperability in DCE 1.2.2
> (and support Berkeley r commands - yeah!).
Note the reference [John 95] in the RFC. It is to our paper. See the
http://www.es.net/pub/esnet-doc page under auth-and-security.
> But has anyone done it with
> existing DCE products? If so what DCE server product did you use (I have
> access to AIX, HP, and NT servers), and did you have to make any changes while
> building the Kerberos clients (I'm using the MIT 5b5 distribution).
We have used or are using the DCE security servers on Transarc
1.0.3a, 1.1, and the HP 1.1 (HPUX 10.01-DCE 1.4). Early versions of
the 1.0.3a had problems with forwarding. As far as I know none of us
has tried the AIX or NT servers.
We have gotten the Kerberos clients/daemons working on SunOS 4.1.3,
Solaris 2.3, 2.4, HP UX 10, AIX 3.2.5, 4.1.4, SGI 5.3, and Windows
3.1. (But, not all clients and daemons have been fully tested.)
>
> I realize that at this point it isn't something that is supported, but if I can
> get enough of it working until 1.2.2 comes up, I will be quite happy...
>
The mods to the Kerberos 5 beta 5 code are available at
ftp://achilles.ctd.anl.gov/kerberos.v5. See the readme file. The diff
file is a combination of many of the fixes as reported to the
krb5-bugs@mit.edu list and fixes/changes as provided by the members of
the task force. (So keep sending in the bug reports to MIT.) You may
have seen these referred to as the "ANL" mods, the "ESnet" mods or the
"authtf" mods.
In particular there are some incompatibilities in the area of the
choice of checksums, and in the cache type. Kerberos 5 beta 5 has a
new cache type of 3 which is not understood by DCE. A mod was added to
Kerberos to create a type 2 cache for backward compatibility. This was
needed when converting a forwarded ticket to a DCE context.
Hope this helps.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov