rpcsec_gss and Kerberos 5
Kevin Coffman
kwc at citi.umich.edu
Mon Oct 14 09:15:01 EDT 2002
I just wanted to give you an update on this.
I've finally got a Linux version of the kadmin/kadmind which works
using our rpcsec_gss code. These pgms also interoperate with the Sun
SEAM kadmin/kadmind. My next step is to compile this on Windows, which
I don't forsee being a big deal. At that point, I'd like to talk more
about how you'd like to see the code.
Kevin
> On 23 May 2002 18:45:00 -0400, Ken Raeburn wrote:
>
> We've already got other code with the "include this notice in
> supporting docs" type license, so this would probably be fine. We'd
> also talked to Sun a while back about their implementation, but their
> license adds some new restrictions we don't currently have, which
> could be problematic for (for example) Linux distributions, and we
> haven't talked to them much about trying to resolve the problem. (The
> blame for that belong on our end -- we don't have a clear notion of
> just what restrictions are acceptable and what are not, and in order
> to do that, we need to get some discussion going with those people and
> companies using the MIT distribution. This question is also holding
> back our move to a newer Sleepycat database package.)
>
> So I think we'd definitely like to take a closer look at your code.
>
> Have you had anyone try to build it on Windows?
>
> Kadmin incompatibility we can probably cope with. Around MIT, at
> least, it's not a big deal; only a relatively few people can run
> kadmin, and we can easily tell them "get the executables from over
> here from now on". At other sites, it may not be as easy, but kadmin
> should still be available to relatively few people.
>
>
> The other big proposal in the Kerberos admin space is LDAP. While
> it's attractive in some ways, I don't think we'll be anywhere near
> ready for that leap for our next release. And even if and when we do
> make that change, that doesn't necessarily mean ditching the RPC-based
> kadmin protocol at the same time.
>
> In other words, I don't know if an RPCSEC_GSS implementation will be
> our long-term solution, but I am inclined to think we do want it in
> the short term.
>
> Ken
>
More information about the krbdev
mailing list