rpcsec_gss and Kerberos 5

Ken Raeburn raeburn at MIT.EDU
Thu May 23 18:46:00 EDT 2002

We've already got other code with the "include this notice in
supporting docs" type license, so this would probably be fine.  We'd
also talked to Sun a while back about their implementation, but their
license adds some new restrictions we don't currently have, which
could be problematic for (for example) Linux distributions, and we
haven't talked to them much about trying to resolve the problem.  (The
blame for that belongs on our end -- we don't have a clear notion of
just what restrictions are acceptable and what are not, and in order
to do that, we need to get some discussion going with those people and
companies using the MIT distribution.  This question is also holding
back our move to a newer Sleepycat database package.)

So I think we'd definitely like to take a closer look at your code.

Have you had anyone try to build it on Windows?

Kadmin incompatibility we can probably cope with.  Around MIT, at
least, it's not a big deal; only a relatively few people can run
kadmin, and we can easily tell them "get the executables from over
here from now on".  At other sites, it may not be as easy, but kadmin
should still be available to relatively few people.

The other big proposal in the Kerberos admin space is LDAP.  While
it's attractive in some ways, I don't think we'll be anywhere near
ready for that leap for our next release.  And even if and when we do
make that change, that doesn't necessarily mean ditching the RPC-based
kadmin protocol at the same time.

In other words, I don't know if an RPCSEC_GSS implementation will be
our long-term solution, but I am inclined to think we do want it in
the short term.

