rpcsec_gss and Kerberos 5

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Oct 14 10:28:00 EDT 2002


Kevin -
      I just would like to say THANK YOU.   This has been a point
of confusion for our customers for a long time and we are glad
to see that you have a solution for the open source community.

-Wyllys Ingersoll
   Sun Microsystems

Kevin Coffman wrote:
> I just wanted to give you an update on this.
> 
> I've finally got a Linux version of the kadmin/kadmind which works 
> using our rpcsec_gss code.  These pgms also interoperate with the Sun 
> SEAM kadmin/kadmind.  My next step is to compile this on Windows, which 
> I don't foresee being a big deal.  At that point, I'd like to talk more 
> about how you'd like to see the code.
> 
> Kevin
> 
> 
> 
>>On 23 May 2002 18:45:00 -0400, Ken Raeburn wrote:
>>
>>We've already got other code with the "include this notice in
>>supporting docs" type license, so this would probably be fine.  We'd
>>also talked to Sun a while back about their implementation, but their
>>license adds some new restrictions we don't currently have, which
>>could be problematic for (for example) Linux distributions, and we
>>haven't talked to them much about trying to resolve the problem.  (The
>>blame for that belongs on our end -- we don't have a clear notion of
>>just what restrictions are acceptable and what are not, and in order
>>to do that, we need to get some discussion going with those people and
>>companies using the MIT distribution.  This question is also holding
>>back our move to a newer Sleepycat database package.)
>>
>>So I think we'd definitely like to take a closer look at your code.
>>
>>Have you had anyone try to build it on Windows?
>>
>>Kadmin incompatibility we can probably cope with.  Around MIT, at
>>least, it's not a big deal; only a relatively few people can run
>>kadmin, and we can easily tell them "get the executables from over
>>here from now on".  At other sites, it may not be as easy, but kadmin
>>should still be available to relatively few people.
>>
>>
>>The other big proposal in the Kerberos admin space is LDAP.  While
>>it's attractive in some ways, I don't think we'll be anywhere near
>>ready for that leap for our next release.  And even if and when we do
>>make that change, that doesn't necessarily mean ditching the RPC-based
>>kadmin protocol at the same time.
>>
>>In other words, I don't know if an RPCSEC_GSS implementation will be
>>our long-term solution, but I am inclined to think we do want it in
>>the short term.
>>
>>Ken
>>




