rpcsec_gss and Kerberos 5

Kevin Coffman kwc at citi.umich.edu
Fri May 24 10:02:00 EDT 2002

> We've already got other code with the "include this notice in
> supporting docs" type license, so this would probably be fine.  We'd
> also talked to Sun a while back about their implementation, but their
> license adds some new restrictions we don't currently have, which
> could be problematic for (for example) Linux distributions, and we
> haven't talked to them much about trying to resolve the problem.  (The
> blame for that belongs on our end -- we don't have a clear notion of
> just what restrictions are acceptable and what are not, and in order
> to do that, we need to get some discussion going with those people and
> companies using the MIT distribution.  This question is also holding
> back our move to a newer Sleepycat database package.)
> So I think we'd definitely like to take a closer look at your code.
> Have you had anyone try to build it on Windows?

We haven't built on Windows.  But I'll take that on as part of
the work I'll be doing with the code.

> Kadmin incompatibility we can probably cope with.  Around MIT, at
> least, it's not a big deal; only a relatively few people can run
> kadmin, and we can easily tell them "get the executables from over
> here from now on".  At other sites, it may not be as easy, but kadmin
> should still be available to relatively few people.

We are in the same position here.  Our uniqname server does almost
all the Kerberos administration, so only that would have to change.
Very few users use the kadmin program, mainly for creating keytabs.

> The other big proposal in the Kerberos admin space is LDAP.  While
> it's attractive in some ways, I don't think we'll be anywhere near
> ready for that leap for our next release.  And even if and when we do
> make that change, that doesn't necessarily mean ditching the RPC-based
> kadmin protocol at the same time.
> In other words, I don't know if an RPCSEC_GSS implementation will be
> our long-term solution, but I am inclined to think we do want it in
> the short term.
> Ken

I'm working right now to see what it takes to link kadmin/kadmind with
our version of the rpc.  I'll let you know how that goes...


More information about the krbdev mailing list