About HP DCE/9000 Version 1.7

Interoperability and Compatibility

Neither DES nor DES-hidden versions of DCE are interoperable with any DCE version that has been built with the DES code omitted (instead of hidden). Some DCE ports from other vendors were built in this way in order to meet U.S. export requirements. If you are running a DCE port from another vendor, check with that vendor for details.

Kerberos Authentication Protocol

Compatibility

The DCE Security authentication service implements Kerberos Version

5.DCE Security does not provide backward compatibility support for Kerberos Version 4.

DCE Support for Kerberos Applications and Configuration Notes

HP DCE 1.7 makes available enhanced configuration features specific to Kerberos Version 5. Configuration with dce_config has been updated to do the following for either a security server or client:

Create a host principal, account and keytab entry for secure BSD remote utilities.

Create the file /etc/krb5.conf for use by Kerberos V5 Beta 5-7 and Release 1.0 applications.

Create the file /krb5/krb.realms for Kerberos V5 B4 applications.

Add the entries klogin, kshell, ekshell, and eklogin as well as kerberos5 and kerberos-secto /etc/services.

Link the /etc/krb5.keytab file, which is the default keytab used by Kerberos V5 Release 1.0 clients, to the /krb5/v5srvtab file, which is the default keytab used by DCE clients. The file /etc/v5srvtab, which is the default keytab file used by Kerberos V5 Beta clients, is also linked to the /krb5/srvtab file.

The host principal uses a fully qualified host name. To construct this name, dce_config appends the Internet domain name to the host name in the format: host_name.domain_name. For example, when the domain name is ch.hp.com, and the host name is fred, the fully qualified host name is fred.ch.hp.com.

Planning and Configuring HP DCE 1.7

1-13