Planning and Configuring HP-UX DCE 1.9
Chapter 2
About HP-UX DCE Version 1.9
Interoperability and Compatibility
• DCM can be run from any HP-UX DCE Version 1.9 system within the cell.
• The HP version of dce_config is based on the OSF version, but contains enhancements specific to HP
systems.
Kerberos Authentication Protocol Compatibility
The DCE Security authentication service implements Kerberos Version 5. DCE Security does not provide
backward compatibility support for Kerberos Version 4.
DCE Support for Kerberos Applications and Configuration Notes
HP-UX DCE 1.9 makes available enhanced configuration features specific to Kerberos Version 5.
Configuration with dce_config has been updated to do the following for either a security server or client:
• Create a host principal, account and keytab entry for Secure Internet Services (SIS) remote utilities.
• Create the file /etc/krb5.conf for use by Kerberos V5 applications.
• Create the file /krb5/krb.realms for Kerberos V5 B4 applications.
• Add the entries klogin, kshell, ekshell, and eklogin as well as kerberos5 and kerberos-sec to
/etc/services.
• Link the /etc/krb5.keytab file, which is the default keytab used by Kerberos V5 clients, to the
/krb5/v5srvtab file, which is the default keytab used by DCE clients.
NOTE: DCE Client and KRB5 Client files are not compatible with each other.
The host principal uses a fully qualified host name. To construct this name, dce_config appends the Internet
domain name to the host name in the format: host_name.domain_name. For example, when the domain name
is ch.hp.com, and the host name is fred, the fully qualified host name is fred.ch.hp.com.
When configuring either a security server or client, dce_config checks the file /etc/resolv.conf for the
Internet domain name. If the domain name is not found in this file, then the user is prompted to enter a
domain name.
Before running dce_config, you can choose to set the environment variable DOMAIN_NAME to provide the
domain name during configuration. Other environment variables used by dce_config are described
in “Component Scripts and Environment Variables for dce_config” on page 62.
An example of a standard domain name is ch.apollo.hp.com.
A DCE principal name takes the form:
/.../cellname/host/fully_qualified_hostname
Configuration for secure remote utilities may require the additional step of adding entries to inetd.conf.
Remote Services File
The following describes the service and port settings in /etc/services for the different versions of Kerberos.
Kerberos V5 expects the service "kerberos" to use port 88. However, older versions of Kerberos (V4) expect the
"kerberos" service to use port 750. For this reason, dce_config does not set/reset the service "kerberos" in
/etc/services. dce_config does set the following in /etc/services:
kerberos5 88 udp kdc for V5 applications
kerberos-sec 88 udp kdc for V5 applications
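The following pre-flight check is an added example, not HP's or dce_config's own code. It previews the host principal name built from the domain name as described under the configuration notes, and reports whether kerberos5 and kerberos-sec map to port 88 in a services file. It assumes DOMAIN_NAME takes precedence over resolv.conf and that only the "domain" directive is read; the function names, the cell name mycell and the sample files are hypothetical.

```shell
#!/bin/sh
# Added example, not dce_config's own logic: preview the host principal name
# and audit the Kerberos V5 entries in a services file.

# Domain name: $DOMAIN_NAME if set, else the "domain" line of a resolv.conf.
# Assumptions: DOMAIN_NAME takes precedence; only "domain" is consulted.
get_domain() {        # arg: resolv_conf_file
    if [ -n "${DOMAIN_NAME:-}" ]; then
        printf '%s\n' "$DOMAIN_NAME"
        return 0
    fi
    awk '$1 == "domain" && NF >= 2 { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# Host principal: /.../cellname/host/host_name.domain_name
host_principal() {    # args: cellname host_name domain_name
    printf '/.../%s/host/%s.%s\n' "$1" "$2" "$3"
}

# Port number a service name maps to (comments ignored); empty if absent.
service_port() {      # args: services_file service_name
    awk -v svc="$2" '{ sub(/#.*/, "") }
        $1 == svc { split($2, a, "/"); print a[1]; exit }' "$1"
}

# Warn about V5 service names that are missing or not on port 88.
audit_services() {    # arg: services_file
    rc=0
    for svc in kerberos5 kerberos-sec; do
        port=$(service_port "$1" "$svc")
        if [ "$port" != "88" ]; then
            echo "WARN: $svc is '${port:-missing}', expected 88"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files (nothing is read from the live system).
demo=${TMPDIR:-/tmp}/dce_preview.$$
if mkdir "$demo"; then
    printf 'domain ch.hp.com\n' > "$demo/resolv.conf"
    printf 'kerberos 750/udp kdc\nkerberos5 88/udp kdc\n' > "$demo/services"
    host_principal mycell fred "$(get_domain "$demo/resolv.conf")"
    audit_services "$demo/services" || true
    rm -rf "$demo"
fi
```

Comparing the previewed name with the host principal and keytab entry that dce_config creates catches a wrong or missing domain name before SIS clients fail to authenticate.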