[7043] in Kerberos
DCE server on SP nodes
daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Apr 9 16:11:47 1996
Date: Tue, 9 Apr 1996 14:45:25 -0500
From: Doug Engert <DEEngert@anl.gov>
To: hwang@sunvm1.corp.mot.com (Hao Wang)
Cc: sp-discussion@mcs.anl.gov, kerberos@MIT.EDU
In-Reply-To: <9604091747.AA23045@sunvm1.corp.mot.com.corp.mot.com>
Hao Wang writes:
> We are going to install DCE authentication and cell servers on two of the SP
> nodes. As far as I know, the SP is running Kerberos version 4 on the control workstation
> and DCE is running Kerberos version 5. My questions are: can we have two Kerberos
> servers in the same realm?
This should not be a problem. Since you can set this up as a DCE/K5
realm and a K4 realm for the SP, you can run them in parallel, each
does not need to know about the other, even though they may have the
same name.
We have run a DCE test cell, called "anl.gov" and an AFS cell called
"anl.gov" for some time. (The SP was not involved in this.)
The DCE "anl.gov" cell was using the Transarc 1.0.3a security server,
and the K4 "anl.gov" was using the Transarc AFS kaserver as the KDC.
We now have a dce.anl.gov cell using HP security servers.
The one place you might have a conflict is with the "r" port numbers.
On some machines the krlogind is from the MIT Kerberos 5.x code, and
can respond to version 4 or version 5 requests. (DCE does not
currently provide the kerberized "r" commands.) Krlogind uses separate
krb*.conf files, and separate srvtab files.
The DCE has its own configuration files, in /krb5, while the K4 code
has a /etc/krb.conf or /etc/athena/krb.conf file. (I am not sure where
it is on the SP, but it's not in /krb5.)
With the MIT Kerberos 5 distributions, it is possible to have the K5
KDC issue K4 tickets. But the DCE security server cannot do that. So
they should be independent.
> Can the two versions of Kerberos co-exist? Has anyone
> experienced this kind of setting? Any suggestions and help will be highly
> appreciated. Please directly send email to me at hwang@mot.com. Thanks.
>
Hope this helps.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov