[14520] in Kerberos


Re: Sun (SEAM) Kerberos

daemon@ATHENA.MIT.EDU (paul sangster)
Thu May 31 14:26:20 2001

Message-ID: <3B168C37.6537C498@sun.com>
Date: Thu, 31 May 2001 11:23:51 -0700
From: paul sangster <paul.sangster@sun.com>
Reply-To: Paul.Sangster@sun.com
MIME-Version: 1.0
To: Wyllys Ingersoll <Wyllys.Ingersoll@Eng.Sun.COM>
CC: kerberos@MIT.EDU, Richard.Jamieson@ntlworld.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Wyllys Ingersoll wrote:
> 
> Sun's SEAM product is based on MIT's KRB5 release 1.0.
> It has been repackaged and some "Solaris-ized" in some places
> to make it fit better with the overall OS, but it is 100%
> compatible with MIT Krb5 (1.0 and later).  The only difference
> is in the administrative protocol (used by things such as 'kadmin'),
> SEAM uses the RPCSEC_GSS protocol to communicate with the admin
> server and MIT uses OpenVision's RPC protocol.

There is some value add such as: 64 bit support, PAM module,
integration with Solaris's BSM logging, and the Java-based GUI.  It
also explicitly supports several versions of Solaris (2.6, Solaris 7,
8, & 9) so it was modified to address things like the prior thread on
utmp removal in S8.  These are the "Solaris'ized" items that Wyllys 
mentions above. We also have kernel components so that Kerberos can be 
used to strongly authenticate and protect RPC and NFS via kernel based 
GSS and krb5 mechanism.  BTW, these bits are free in Solaris 8.

> 
> Win2K clients "can" be made to work with SEAM (or MIT) KDCs but
> by doing so you lose some functionality on the Win2K side due to
> some proprietary extensions that Microsoft added to their Kerberos.
> However, you can go the other way quite easily (Win2K as the KDC
> and SEAM or MIT as the clients).
> 
> Here is an MS link explaining Interoperability issues:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> 
> -Wyllys
> 
> >X-Authentication-Warning: ra.nrl.navy.mil: news set sender to <news> using -f
> >From: "Rich Jamieson" <Richard.Jamieson@ntlworld.com>
> >X-Newsgroups: comp.protocols.kerberos
> >Subject: Sun (SEAM) Kerberos
> >Date: Wed, 30 May 2001 00:37:56 +0100
> >To: kerberos@MIT.EDU
> >
> >Anyone out there got any experience of using Sun's Kerberos - I believe it's
> >called SEAM?
> >Any comments ?
> >Why would I use SEAM instead of MIT ?
> >Are there any windows clients that are compatible with a SEAM KDC ?
> >Can the Win2000 clients use a SEAM KDC ?
> >Are the SEAM clients compatible with a Win2000 KDC ?
> >
> >regards
> >Rich J.
> >
