[7462] in Kerberos
Re: DCE and terminal servers
daemon@ATHENA.MIT.EDU (Chris Cowan)
Tue Jun 11 18:31:38 1996
To: kerberos@MIT.EDU
Date: 11 Jun 1996 17:01:59 -0500
From: cc@mantis.austin.ibm.com (Chris Cowan)
Reply-To: cc@austin.ibm.com
>>>>> "Rich" == Rich Salz <rsalz@osf.org> writes:
Rich> In <4mvnp2$kde@news.fsu.edu> houle@zeppo (Art Houle) writes:
>> Multiple other
>> terminal server vendors also support kerberos but to my knowledge none
>> support DCE.
Rich> You will probably be able to use your DCE security server as your Krb5
Rich> server. OSF has never tested this, but the Kerberos code is there and
Rich> at least some folks have it working. This will be tested and "guaranteed"
Rich> in DCE 1.2.2.
>> Please correct me if wrong, but kerberos only authenticates, does not
>> authorize and also uses the TCP/IP wire protocol. DCE however does both
>> authentication and authorization and uses RPC on UDP (?) to exchange packets.
Rich> I assume the Kerberized terminal server maps the krb-provided name as an
Rich> index into the terminal server's authorization database.
>> Any suggestions for a terminal server that can integrate in the DCE
>> environment is greatly apreciated.
Rich> Short answer: any Kerberos server will probably "just work."
Rich> /r$
In the interim between now and DCE 1.2.2 is it possible that kprop could
be used to make run an MIT K5 slave from a DCE master? I realize that
DCE uses RPC for replication, etc.
I haven't studied how kprop works, but is there any chance this could fly?
Is the Kerberos core of secd "normal" enough to support propagating to a
K5 server?
Still hoping that there's some way I can have a K4 client pull a TGT from
a DCE KDC,
--
Chris Cowan
ISSC (DCE/DSM Architecture)
-------------------------------------------------------------------------
Phone: 512-823-0113 FAX: 512-823-0727
--
"Writing about music is like dancing about architecture."
Thelonious Monk
