[6638] in Kerberos
Re: Kerberos v5 and DCE 1.0.3
daemon@ATHENA.MIT.EDU (Sean Mullan)
Mon Feb 12 14:26:52 1996
To: kerberos@MIT.EDU
Date: Mon, 12 Feb 1996 18:34:28 GMT
From: mullan_s@apollo.hp.com (Sean Mullan)
>Hi,
>
>a question on the interoperability of Kerberos v5 (or v4) clients with
>DCE.
>
>In our department we have a cell installed (HP DCE 1.2 which is
>release level equivalent to OSF DCE 1.0.3). Now assume we want to
>compile a program written for Kerberos v4 (or v5) and use this program
>on the machines that participate in the DCE cell.
>
>How can we do this?
>
>Since DCE does not contain the necessary header files and libraries to
>compile the program, we would like to install the original Kerberos
>versions of these files, but what then?
>
>Will it work? As far as I know the secd of DCE works as Kerberos
>ticket server and listens on the well-known Kerberos port. Is secd
>compatible with plain Kerberos?
>
>What we currently want to do is make Kerberos programs talk to each
>other, not a mixture between Kerberos and DCE for the moment.

The DCE Security server does not interoperate with Kerberos 4 clients.
The DCE Security server can act as a KDC for Kerberos 5 clients, though
*this is neither formally supported nor tested at this time*. DCE 1.2.2 will
provide support and testing for Kerberos 5 clients with a DCE Security
Server as a KDC.

Here is what's known to work as far as the DCE Security Server being
able to authenticate vanilla krb5 clients:

CLIENT           DCE 1.0.3   DCE 1.1
------           ---------   -------
KRB V4           NO          NO
KRB V5 Beta 1    YES         YES
KRB V5 Beta 2    YES         YES
KRB V5 Beta 3    YES         YES
KRB V5 Beta 4    YES         YES
KRB V5 Beta 5    ?           YES, with patch from Argonne Ntl Labs
                             (FTP://ftp.es.net/pub/esnet-doc/auth-and-security/)

MIT Kerberos V4: The DCE Security Server does not listen to port 750
(used by MIT Kerberos V4) and does not support the MIT Kerberos V4
protocol. For this reason, the DCE Security Service does not
interoperate at all with MIT Kerberos V4 clients or servers.

MIT Kerberos V5: DCE clients use only the RPC interface by default;
however, Kerberos V5 clients are free to use the UDP interface to the
DCE Security Service.

DCE Servers prior to DCE 1.1 do not support Kerberos clients that make
use of the proxiable, forwardable, or renewable ticket options in
Kerberos ticket-granting tickets.

There are DCE-specific configurable security policies that impact
Kerberos V5 applications, such as DCE 1.1 third-party
preauthentication. Administrators will have to understand and work
with such policies as necessary.

Hope this helps,
Sean