[6864] in Kerberos
SUMMARY - Using DCE secd as a Kerberos 5 KDC
daemon@ATHENA.MIT.EDU (Ed Hill)
Mon Mar 11 12:52:52 1996
To: kerberos@MIT.EDU
Date: 11 Mar 1996 10:56:33 -0600
From: edhill@strobe.weeg.uiowa.edu (Ed Hill)
Date: March 11th, 1996
Recently I asked if anyone was actually using a DCE secd server as a Kerberos
V5 KDC server. OSF claims that it will be supported in DCE 1.2.2, but I was
wondering if anyone has done it with products that are available now. Here is
a summary of the responses that I got back.
* The DCE Security server will not interoperate with Kerberos 4 clients.
* The DCE Security server can act as a KDC for Kerberos 5 clients, though *this
is neither formally supported nor tested at this time*. DCE 1.2.2 will provide
support for this.
* The DOE ESnet Authentication Task Force has demonstrated that this works,
with the chief guru being Douglas E. Engert.
http://www.es.net/hypertext/authtf/authtf.html
http://www.es.net/pub/esnet-doc/auth-and-security/
As part of a DOE funded project, the Authentication Task Force of ESnet has
been researching this for some time. They are using Transarc 1.0.3 and 1.1,
as well as HPUX DCE 1.4 as DCE servers. They have gotten Kerberos
clients/daemons working on SunOS 4.1.3, Solaris 2.3, 2.4, HP UX 10, AIX
3.2.5, 4.1.4, SGI 5.3, and Windows 3.1.
The mods to the Kerberos 5 beta 5 code are available at
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/
* DCE Servers prior to DCE 1.1 do not support Kerberos clients that make
use of the proxiable, forwardable, or renewable ticket options in Kerberos
ticket-granting tickets.
* Other vendors are testing this functionality and commented to me personally
about that functionality on their platforms. I won't mention specific
vendors, as I do not know if that information is publicly available.
Although I will say it looks like some vendors are aware that this is a nice
feature to have and are making it part of their versions of DCE.
As a side note, I found responses from folks at HP and a person from Cray to be
extremely helpful. Although we won't be buying any Crays anytime soon (sorry)
- the information I got from the HP folks makes their DCE offering a lot more
attractive than the AIX package we are currently using...
Thanks to everyone who responded to my question, hopefully this little summary
will be useful to others looking into the same problem.
-Ed Hill (ed-hill@uiowa.edu)
Systems Administrator - Information Technology Services - University of Iowa
"I am Homer of Borg, prepare to be assim... Ooooooooh donuts!"