[6821] in Kerberos


Re: Using DCE secd as a Kerberos 5 KDC

daemon@ATHENA.MIT.EDU (Brian Reitz)
Tue Mar 5 19:30:29 1996

From: Brian Reitz <bdr@cray.com>
To: kerberos@MIT.EDU
Date: Tue, 5 Mar 1996 18:19:05 -0600 (CST)


> 
> Hello, 
> 
> Short question.  Has anyone actually done this?  I am aware of the OSF RFC 92.0
> January 1996 that describes the intent to provide interoperability in DCE 1.2.2
> (and support Berkeley r commands - yeah!).  But has anyone done it with
> existing DCE products?  If so, what DCE server product did you use (I have
> access to AIX, HP, and NT servers), and did you have to make any changes while
> building the Kerberos clients (I'm using the MIT 5b5 distribution).
> 
> I realize that at this point it isn't something that is supported, but if I can
> get enough of it working until 1.2.2 comes up, I will be quite happy...
> 
> Thanks...
> 
> -Ed Hill (ed-hill@uiowa.edu)
> Systems Administrator - Information Technology Services - University of Iowa
> "I am Homer of Borg, prepare to be assim... Ooooooooh donuts!"
> 
> 


Yes this has been done.   CRAY's DCE 1.1 product will include K5 login
utilities (Berkeley "r" commands and telnet/telnetd) bundled with
the product.  I did the work for this and I did not have to make any
changes to the DCE server product.  

We have a SUN running Transarc's 1.1 product as the DCE server.  I have 
also used an RS6000 running the OSF 1.1 reference code.  This has also been 
done by the ESnet people (talk to Doug Engert at Argonne National Laboratory: 
DEEngert@anl.gov) and is talked about in their paper.  

As far as Kerberos client changes, well, there are a few.
You will want the fixes that ESnet provides as a starting point.  
I did my work based on Kerberos 5 beta 5.  I applied the
ESnet patches (by hand as their context diffs were for 5.4 at the time)
and then worked from that point.  There is also an ASN.1 fix to K5.5 to
work with DCE that I needed to pick up.  I also had to stitch in the
Leap Year mod that caused things to break in K5.5.  If you simply wish 
to use the DCE registry as a KDC this should be about all you have to do.
There are a few other bugs in the ticket forwarding code that you will
need to mess with but nothing terribly hard.

Now if you want to do what OSF's RFC 92 talks about you will need to 
do a bit more work.  Most of the pieces are there to work from but you 
will have to determine a way to convert your Kerberos tickets into a DCE 
context complete with a PAG on each of your platforms that you wish to
run this on.   This work has not to my knowledge been done for any platforms
besides a CRAY. 

If you want to use this on a CRAY without using our DCE 1.1 product you 
are in for a bunch more work.  The DES code is broken for 64-bit
word-addressable machines, as are most of the k5 login utilities.  There are a
few other areas that are broken for CRAYs as well that need to be looked at.

CRAY's DCE 1.1 product will provide K5 Kerberized login utilities and 
underlying services to convert forwarded tickets to a DCE context complete 
with a PAG.  I could not wait till DCE's 1.2.2 product for this.  I
wanted to have a Single Sign-On environment available on CRAYs
before that time.

If you have questions just ask.

------------------------------------------------------------------------------
Brian Reitz                                     voice: (612) 683-5092
Cray Research Inc                               email: bdr@cray.com 
655F Lone Oak Drive
Eagan, MN, 55121, USA
------------------------------------------------------------------------------




