rpcsec_gss and Kerberos 5

Kevin Coffman kwc at citi.umich.edu
Mon Oct 14 09:15:01 EDT 2002

I just wanted to give you an update on this.

I've finally got a Linux version of the kadmin/kadmind which works 
using our rpcsec_gss code.  These pgms also interoperate with the Sun 
SEAM kadmin/kadmind.  My next step is to compile this on Windows, which 
I don't forsee being a big deal.  At that point, I'd like to talk more 
about how you'd like to see the code.


> On 23 May 2002 18:45:00 -0400, Ken Raeburn wrote:
> We've already got other code with the "include this notice in
> supporting docs" type license, so this would probably be fine.  We'd
> also talked to Sun a while back about their implementation, but their
> license adds some new restrictions we don't currently have, which
> could be problematic for (for example) Linux distributions, and we
> haven't talked to them much about trying to resolve the problem.  (The
> blame for that belong on our end -- we don't have a clear notion of
> just what restrictions are acceptable and what are not, and in order
> to do that, we need to get some discussion going with those people and
> companies using the MIT distribution.  This question is also holding
> back our move to a newer Sleepycat database package.)
> So I think we'd definitely like to take a closer look at your code.
> Have you had anyone try to build it on Windows?
> Kadmin incompatibility we can probably cope with.  Around MIT, at
> least, it's not a big deal; only a relatively few people can run
> kadmin, and we can easily tell them "get the executables from over
> here from now on".  At other sites, it may not be as easy, but kadmin
> should still be available to relatively few people.
> The other big proposal in the Kerberos admin space is LDAP.  While
> it's attractive in some ways, I don't think we'll be anywhere near
> ready for that leap for our next release.  And even if and when we do
> make that change, that doesn't necessarily mean ditching the RPC-based
> kadmin protocol at the same time.
> In other words, I don't know if an RPCSEC_GSS implementation will be
> our long-term solution, but I am inclined to think we do want it in
> the short term.
> Ken

More information about the krbdev mailing list