[7020] in Kerberos
Kerberos & DCE
daemon@ATHENA.MIT.EDU (Doug Engert)
Fri Apr 5 08:23:39 1996
Date: Fri, 5 Apr 1996 07:08:18 -0600
From: Doug Engert <DEEngert@anl.gov>
To: tmwang@srv.PacBell.COM (Miu Wang)
Cc: kerberos@MIT.EDU
In-Reply-To: <4k2066$ph2@gw.PacBell.COM>
Miu Wang writes:
> We have Kerberos client installed on a HPUX 9.04 box. When
> someone installed DCE onto the same box, the /krb5/krb.conf
> file was overwritten by the DCE cell info.
I believe that DCE is updating this file from time to time. It
will use this as a last resort to find the security servers.
> Is there a way to tell DCE to use some other config file?
I don't think so, but if you use Kerberos 5 beta 5 or later, there is
a new /krb5/krb5.conf which has a different name, different format and
different contents.
Kerberos 5 beta 5 also will use the KRB5_CONFIG environment variable
to find the krb5.conf file, which allows a user to install the minimum
number of files (krb5.conf, kinit, rlogin) in his own directory
without root authority, and still use Kerberos.
> Or can both the Kerberos and DCE server info be in the same
> file?
Since the first line has the default realm/cell name, the Kerberos
realm and DCE cell would have to use the same name. If you are using
the DCE security server as a KDC, as we are, then this is what you
want, since it IS the same cell. If you are trying to keep them
separate, with different names, then you have a problem.
Both DCE and Kerberos can use the v5srvtab as well. DCE looks for it in
/krb5/v5srvtab, as did older versions of Kerberos 5.
See also the OSF RFC 92.0, DCE Interoperability with Kerberos -
Functional Specification, S. Mullan(HP), January 1996. It discuses the
interoperability of DCE and Kerberos 5, including some of the "r"
commands. It also talks about the krb.conf file.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov