Slashdot Mirror


Proprietary Extension to Kerberos in W2K

st.n. writes "Heise News is reporting that Microsoft made its own proprietary extension (and incompatibility) to the Kerberos authentication protocol, which was developed at MIT as an open standard. Supposedly a W2K client will only work with a W2K server, not any other Kerberos server, because MS uses a yet unused data field and the W2K client relies on that field being present. For those of you who don't speak German, I found it also at Yahoo."

248 comments

  1. Small correction by Anonymous Coward · · Score: 0

    You forgot a closing quote in that example; it would be [a href="www.blah.com/blahblah"] Underlined Link [/a]

  2. Re:This was discussed on NTBugTraq by Anonymous Coward · · Score: 0
    What does DNSSEC have to do with proprietary uses for unused fields in Kerberos?

    Also, the problem is not necessarily that Microsoft went ahead doing something strange with those fields (they may have had legitimate needs and it's still better than using a different layout for the record), but that they haven't documented it so far.

  3. Re:Extend and embrace? by Anonymous Coward · · Score: 0

    "and yes, I know that the DMCA is supposed to permit that for purposes of "interoperability", but the court's already thrown that part out.)" I don't think that is true. There has been one judge that decided in the CESS thing. But that is just one judge, in a pre-trial injunction. There has not yet been a final decision, much less any appeal. Until then, the 'Courts' have not thrown out anything.

  4. Twat. by Anonymous Coward · · Score: 0

    Taking an open standard and deliberately fucking with it to make it effectively proprietary is an awful good reason to bitch about a company. If Sun had done this, we'd be bitching about them, too.

  5. Re:NOT dumb by M$ standards - MLM by Anonymous Coward · · Score: 0

    It's not dumb at all. They can laugh all the way to the bank. So do all the MSCE and various other support people. Think of Microsoft as one giant MLM scheme, supporting people with happy faces. Study for your license, learn the rote of what patch to apply and what order, pay your fee, get your certification, sell to others who buy it because everybody ELSE runs it. Hmmmm, that argument is getting soft, perhaps time for MS-Linux? Runs on NT.....

  6. Re:And this is surprising because...? by Anonymous Coward · · Score: 0

    Not to give you a hard way to go about it, but honestly, I'm pretty sure that if you can demonstrate some of this code that compiles on gcc but not on ANSI C, and explain *why* that it will get fixed. It does no good to complain about a problem unless you're willing to *do* something about it, man.

  7. Re:Apparently Microsoft disagrees (correctly) by Anonymous Coward · · Score: 0

    Well said. There may be a heavy performance overhead for 2 calls for Windows; or some evil person tampering with packet #2. Comes down to a transport problem. Bundling it in means *nix code now needs to crack, and become MS aware. So be it. So the *nix fraternity needs to write a translator that says 'field not blank - MS alert', strip the gunk out, and make the first call, then do a second call with the gunk, and vice versa. I see flaws in this approach too. However, the MS token/key lives for a non-standard 24 hours, I believe, so there is lots of scope to go in and change the SIDs/permissions, when this howto becomes available. Next, one needs an engine which sees the gobbledygook MS SIDs and translates these into real, standard security commands. See the threat: a *nix utility that understands MS tokens, and allows one to remotely administer a 'doze box.

  8. legality issues by Anonymous Coward · · Score: 0

    I wasn't clear from reading the article what the legality issues were for this. The guy from VA linux says that there's no question that what MS has done is illegal. How, exactly? What is the licensing covering Kerberos? Or is it an unlicensed spec. I'm curious how it's illegal and the possible legal remedies.

    1. Re:legality issues by brandond · · Score: 1
      Microsoft has done nothing illegal. The Kerberos license is very open-ended about what you can do with the source. As I read it, you can do anything you want as long as you include the MIT copyright notice. There are some other issues, like the fact that "Kerberos" is a trademark of MIT, so you need permission to use it in certain promotional materials, etc.


      Re-read Ted Ts'o's comment with the above information in mind. Also, it may be more clear if you replace "arguing" with "claiming": "No one is arguing Microsoft has done something illegal," said Ts'o, now a principal engineer at VA Linux Systems. "But no one else uses the data authorization field this way. It's no longer an open standard."


      The real problem is that this type of behavior defeats the purpose of open standards. It would not be a problem if someone small made a proprietary change to the protocol, because they would get ignored. However, Microsoft has enough clout in the industry that other products MUST interoperate with Windows. They have used that clout to impose an extension to the standard on the rest of us, who would prefer to go through the regular standards review process.

      -----

    2. Re:legality issues by big_a · · Score: 1

      The guy from VA linux says that there's no question that what MS has done is illegal.

      Actually, he's saying just the opposite: If you read that sentence again you'll find that Ts'o is prefacing his remarks by saying that, no one is questioning that Microsoft has done something illegal in regard to the Kerberos spec.

      Which is quite different then saying that there is no question...

  9. Re:Do you have proof? by Anonymous Coward · · Score: 0

    Actually, I work in a *really* big office and I see this sort of thing all the time. The bigger the office it seems the more the IT people are overworked (and undertrained because there is *no time* to keep up with advances) and so people start throwing money at problems just to keep the number of fires to a minimum. I mean, how many MSCE's do you know whose primary solution technique is to go out and buy a shrink-wrapped box, and then modify the problem to work with the software. In this case, Microsoft has pretty much ensured that unless the Unix people really jump up and make some changes fast (and I'm sorry but Unix folk are not very nimble when it comes to changing standards. They are very slow and cautious, with good reason.) their Windows2000 client base is going to be howling at the doors of the office managers for a Win2K server to be set up so they can print out their oh-so-important emails. Yes, it sucks.

  10. Re:This is not new, secret, or prohibited by the s by Anonymous Coward · · Score: 0

    I think that this is really what it boils down to. The whole point of having the specifications is to allow interoperability between vendors. Most RFCs have so many mentions of what should be done to create interoperability that they should just define certain sections as "CHORUS" and repeat liberally. Personally I would have been impressed if MS had simply said outright "We want to include Kerberos-5 support but we need to be able to pass certain extra data items back and forth. Here's what we're going to do and how we're going to do it and if anyone can come up with a better way, we'd like to hear it because this is the best we've come up with. We can't promise we'll believe you, but we'd like to hear it anyway." What they've done appears to be an ugly kludge that's going to take an even uglier kludge to work around. Of course, I also occasionally have dreams of nuclear disarmament that don't involve all the bombs going away by being used up on each other. Call me an idealist.

  11. Re:Obviously Kerberos is not implemented in W2k by Anonymous Coward · · Score: 0

    Right on! Sue Microsoft. It's not standard if it can't interoperate! I'm sure M$ is gonna change it to comply given enough pressure from the community/business/government.

  12. why you cant by Anonymous Coward · · Score: 0

    You shouldn't be able to do that because when defining an array you MUST use a constant, not a variable. The compiler must know the value at compile time.

  13. Re:This is not new, secret, or prohibited by the s by Anonymous Coward · · Score: 0

    What's an MSCE?

  14. HEIL JON KATZ! by Anonymous Coward · · Score: 0

    IIIIIIII| HEIL JON KATZ!
    IIII|
    IIIIIIIIII|The Fourth Reich is Upon Us!
    IIII|
    IIIIIIII| jonkatz@slashdot.org

  15. Re:Story here as well by Anonymous Coward · · Score: 0

    Hahahahahahaha, like say what? Dumbass.

  16. Re:Story here as well by Anonymous Coward · · Score: 0
    You can use < to escape a less-than sign...

    Yes, but there's a bug in ./ previewing that incorrectly initialises the TEXTAREA; such entities degenerate into ordinary characters if you edit and submit/preview from a preview. (Hmm. Or at least they used to... It seemed to work this time, but I can't tell right off if it's actually been repaired or if I kludged my browser to work around it...)

  17. Re:Whitespace doesn't matter. by Anonymous Coward · · Score: 0

    It's not whitespace. The Standard requires arrays to have a constant size, but gcc doesn't.

  18. Re:And this is surprising because...? by Anonymous Coward · · Score: 0

    Try something along the lines of int main() { int n = 10; int temp[n]; .... } This should not even compile. VC++ gives the appropriate error message and g++ compiles it just fine...

  19. Re:And this is surprising because...? by Anonymous Coward · · Score: 0

    Intriguing. Why exactly can't you do something like that? It seems to be correct. Is there something like lint for Linux nowadays, or something that does something similar?

    --------------------Configuration: test - Win32 Debug--------------------
    Compiling...
    test.cpp
    c:\program files\microsoft visual studio\myprojects\test\test.cpp(4) : error C2057: expected constant expression
    c:\program files\microsoft visual studio\myprojects\test\test.cpp(4) : error C2466: cannot allocate an array of constant size 0
    c:\program files\microsoft visual studio\myprojects\test\test.cpp(4) : error C2133: 'temp' : unknown size
    c:\program files\microsoft visual studio\myprojects\test\test.cpp(5) : warning C4508: 'main' : function should return a value; 'void' return type assumed
    Error executing cl.exe.

    test.obj - 3 error(s), 1 warning(s)
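As an added illustration, not code from any poster in this thread: the `int temp[n]` declaration argued about above is a variable-length array. gcc accepts it as an extension (C99 standardised it), while C89 and ISO C++ reject it, which is what the VC++ errors report. The block below puts that gcc-accepted form beside a portable heap-allocated one; the bound `SCRATCH_MAX` and the two function names are constructed for this example. Both forms check the size before use, because a VLA sized from unchecked input silently grows the stack by that amount.

```c
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on scratch-buffer size; a constructed value for this example. */
#define SCRATCH_MAX 65536

/* The form argued about in the thread: int temp[n] with a run-time n.
 * gcc accepts it (C99 calls it a variable-length array); C89 and ISO C++
 * reject it, which is what the VC++ errors above report. The array lives
 * on the stack, so n is bounded before the declaration is reached. */
long long sum_vla(size_t n)
{
    long long total = 0;
    size_t i;
    if (n == 0 || n > SCRATCH_MAX)
        return -1;                 /* refuse rather than grow the stack by n ints */
    int temp[n];                   /* VLA: gcc extension / C99, not C89 or C++ */
    for (i = 0; i < n; i++)
        temp[i] = (int)(i + 1);
    for (i = 0; i < n; i++)
        total += temp[i];
    return total;
}

/* Portable form of the same computation: an explicit heap allocation.
 * This function compiles under gcc -ansi -pedantic and as C++ because
 * every array it declares has a compile-time size. */
long long sum_portable(size_t n)
{
    long long total = 0;
    size_t i;
    int *temp;
    if (n == 0 || n > SCRATCH_MAX)
        return -1;                 /* same bound, so n * sizeof(int) cannot overflow */
    temp = (int *)malloc(n * sizeof *temp);
    if (temp == NULL)
        return -1;                 /* allocation failure is reported, not ignored */
    for (i = 0; i < n; i++)
        temp[i] = (int)(i + 1);
    for (i = 0; i < n; i++)
        total += temp[i];
    free(temp);
    return total;
}

int main(void)
{
    printf("sum_vla(10) = %lld, sum_portable(10) = %lld\n",
           sum_vla(10), sum_portable(10));
    printf("sum_vla(SCRATCH_MAX + 1) = %lld (rejected by the bound)\n",
           sum_vla((size_t)SCRATCH_MAX + 1));
    return 0;
}
```

Compiling this file with `g++ -pedantic` reproduces MatanZ's warning for `sum_vla` and says nothing about `sum_portable`; that difference is the whole portability argument in the thread.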

  20. Re:legal? by Anonymous Coward · · Score: 0

    Only 27 apps available for W2k?

    Gads, you're fscking clueless. Shut the fsck up when we're talking about something you obviously don't know sh*t about.

    By your definition of the word there are NO apps for Linux.

    Go back to class and get your HS diploma, kid.

  21. Re:Even dumb by M$ standards by Anonymous Coward · · Score: 0

    Yikes!

    You mean the modified connector wasn't made in that fashion just to sell cables??? You mean the connector was customized to prevent clueless computer operators from plugging in the wrong cable?

    Hold on. You didn't contribute anything productive to our Microsoft/Proprietary HW hatefest.

    Go away, Troll!

  22. Re:UCITA test? by Anonymous Coward · · Score: 0

    According to the guy next door, Sun's current Kerberos 5 implementation is compatible (under duress, it defaults to real Krb5) with the MS mangling.

  23. Re:Yes and No.... by Anonymous Coward · · Score: 0

    They're probably sending the password in plaintext in that field :-)

  24. Henceforth the official language of the Empire ... by Anonymous Coward · · Score: 0

    "will be Esperanto with all place names transliterated into Norsk - this will be strictly enforced on all networked voice transmissions".

    A totalitarian edict such as this would be stuff for rebellion or absurdist theatre. In the free market economy though you have "the choice" not to consume products of "quasi-monopolists". Or so it is thought - how much longer until you don't have a choice? When will public networks and their technology be viewed as important enough to merit protection from this kind of rapacious crap?

  25. Pot Kettle Black by Anonymous Coward · · Score: 0

    check the discussion in the above thread.

  26. Microsoft is like Caldera by Anonymous Coward · · Score: 0
    Yeah, they both include proprietary extensions into their 'product'.

    Caldera will be the first Linux IPO to crash and burn.

  27. Re:Open Source License Addendum Suggestion by Anonymous Coward · · Score: 0

    Anyone who "knows" that is mistaken. If you don't adhere to the GPL, my only recourse is to sue you for infringing the copyright on my code. IIRC, I can restrain you from continuing to distribute my code or derived works, and demand the larger of your profits or my lost profits, but there's no way for me to compel you to publish your source.

  28. Time to take your guts in your hands by Anonymous Coward · · Score: 0
    and tell MS to kiss your ass. Do not buy win2k.
    Do not buy win2k apps.
    Go to whatever lengths are necessary to break the monster's cash flow.

    Sure, it's gonna hurt at first. But then it will feel SO GOOD!!!

    -- The answer of the oracle is always "death"...

  29. Re:This is not new, secret, or prohibited by the s by Anonymous Coward · · Score: 0

    MSCE = Mostly Stupid Clueless Egotist

  30. MIT students flunked Greek Mythology by Anonymous Coward · · Score: 0

    > Kerberos, named for the mythological three-headed dog that guards the gates of Hades,

    WRONG!!! The dog is called 'Cerebrus', not 'Kerberos'.

  31. SAMBA project proves it by Anonymous Coward · · Score: 0

    Look in this thread.

  32. Re:Whitespace doesn't matter. by Anonymous Coward · · Score: 0

    Wow. You are really dumb. I need to start a page of nothing but links to absolutely clueless Slashdot posts.

  33. Re:Henceforth the official language of the Empire by Anonymous Coward · · Score: 0
    Actually, Esperanto is cool. Try learning it sometime.

    Bonan Tagon! Sennoma Malbravo

  34. Re:Embrace, Extend, Extinguish by Anonymous Coward · · Score: 0

    heyyyy, I think it's funny, even if /. police don't...(!)

  35. Re:legal? by Anonymous Coward · · Score: 0

    "By you definition of the word there are NO apps for Linux." Hmmm, pretty emotional post, man; something other than your head died up your ass?

  36. This is not true by Anonymous Coward · · Score: 0

    I've installed MS Proxy several times and haven't had any problems using Netscape through it. What setting are you speaking of? -gatki, too lazy to log in.

  37. Re:legal? by Anonymous Coward · · Score: 0

    Fucking MS lackey, know that with any W2K authenticated user account I can root (I mean administrator) that machine.

  38. Do you have proof? by Anonymous Coward · · Score: 0

    Where is your proof of these statements? I have proof that they are not trying to hide this. Where is yours?

    1. Re:Do you have proof? by fsck · · Score: 1

      Take what he is saying, and consider: is he making all this up? If so, why is he making all this up? He must have a pretty active imagination, or he is a paranoid schizophrenic.

      What about proof by exhaustion? The alternatives to what he is saying simply are not true. He is right. The proof is what you don't see.
      Q: Where do you want to go today?

      --

      Lars - ...I could always phone Linus when I had a problem.
  39. Re:legal? by Anonymous Coward · · Score: 0

    There are only 27 win2k CERTIFIED apps out, you freaking morons. So technically, there are only 27 MS-approved apps, guaranteed to run on win2k. And don't think that 'most' win32 apps will run on w2k. Exchange admin, a rather important little app for those of us in Exchange environments, had known bugs on w2k. Who knows what other serious bugs will come out as w2k creeps across the land.

  40. Re:Slashdot prejudice by Anonymous Coward · · Score: 0

    Look, everyone knows that /. is just a Microsoft hating forum. So stop bitching!

  41. Re:This is not new, secret, or prohibited by the s by Anonymous Coward · · Score: 0

    Hey moderator ! How about marking this one funny !!

  42. Re:This is not new, secret, or prohibited by the s by Anonymous Coward · · Score: 0

    So let's recap here...

    MS says they followed the spec.

    The people who designed the spec says they didn't.

    The Samba team says they didn't.

    Pretty much everyone else says they didn't.

    The spec says they didn't. (W2K clients won't work with non-W2K servers, so by definition, it's broken.)

    But as long as MS says they followed the spec, you'll believe them...

    Let's try something on for size here:

    The specification is written to allow all products which adhere to the spec to work together. MS's version doesn't work with others', so (again) by definition, they didn't follow the spec.

  43. Re:GPL.... by Anonymous Coward · · Score: 0

    Yeah sure. Just like Mozilla is ripping off microsoft's componentized browser idea - what about that eh ?

  44. Check the glossary of that book.. by Anonymous Coward · · Score: 0

    They CAN always improve on a standard... check your copy's glossary..

    "improve: to change something so that it only works with MS products."

  45. Re:And this is surprising because...? by Anonymous Coward · · Score: 0

    the difference: gcc extensions are documented,
    and can even be turned off altogether with flags

    the main menu of the gcc info file:

    * G++ and GCC:: You can compile C or C++ programs.
    * Invoking GCC:: Command options supported by `gcc'.
    * Installation:: How to configure, compile and install GCC.
    * C Extensions:: GNU extensions to the C language family.
    * C++ Extensions:: GNU extensions to the C++ language.

  46. Re:Slashdot prejudice by Anonymous Coward · · Score: 0

    Just typical. This appalling behaviour is rampant on /. Post flamebait and get more karma from the Open Source dweebs.

  47. Re:Totally off topic by Anonymous Coward · · Score: 0

    Calm down. It's not slamming people with Multiple Sclerosis, it's slamming people who use Micro$oft products. Yeah, I know people with Multiple Sclerosis too. They laugh at MS/Micro$oft confusions all the time too; one of my best friends even has a terribly tongue-in-cheek "Where do you want to go today?" poster with a guy on crutches.

  48. Re:DEC MMJ connectors by Anonymous Coward · · Score: 0

    That's the first time that was ever explained to me. Makes sense.

  49. Re:This is obviously an attempt to break Samba by Anonymous Coward · · Score: 0
    Not quite right; what I was saying is we should refuse to buy Win2K _clients_ until Microsoft fixes them so we don't have to use Win2K as the _server_. Sure, for your own use, go ahead and run Linux. But in real world, commercial environments, people may refuse to be retrained on Unix, or it may be too expensive to retrain them, or there may be legacy applications which run only under Windows (which may not run under Win2K either, but that's a different thread), so they insist on still running Windows.

    At the point where the cost of purchasing, supporting, retraining, and porting to the latest, greatest incarnation of Microshaft's "embrace and extend" philosophy exceeds the cost of switching everybody over to open source, then I'd say definitely, go for it! You've nothing to lose but your BSoDs!

  50. Re:Time to implement Samba on NT by Anonymous Coward · · Score: 0

    Is it just me, or does going through an NT server to access files residing on your Unix server sound particularly inefficient? Yeah, mounting them as shares on NT and resharing them works, but man, it's an ugly solution.

  51. Re:And this is surprising because...? by Anonymous Coward · · Score: 0

    #include <stdio.h>

    /* square() is a nested function, a gcc extension: it sees x from cube()'s scope. */
    int cube(int x)
    {
        int square() { return x*x; }
        return x * square();
    }

    int main()
    {
        printf("%d\n", cube(3));
        return 0;
    }

    block@closure lexical_scoping]$ ./a.out
    27

  52. Re:Apparently Microsoft disagrees (correctly) by Anonymous Coward · · Score: 0

    You're a hell of a lot better connected than I am on this one, but it doesn't jibe with my memory. Can you link to any hard data?

    BTW, how's SAMBA-Kerb?

  53. I still say... by Anonymous Coward · · Score: 0
    The easiest solution is for the standards group to define what's supposed to be in the data authorization field.

    That way, it won't matter what MS has in there, either they'll come around or they won't.

    1. Re:I still say... by carlfish · · Score: 1
      They should be made to stick to standards, or to submit their ideas into the standard. There should be some kind of "Open Standards Licence", like the GPL, so that if you take a standard and make some changes to it, you have to release the changes to that standard.

      This is a Very Bad Idea. If you allow for licenses on how standards are implemented, Microsoft could kill samba, and then demand royalties on any program that can interpret MS Word documents.

      What you can do, is trademark the name of the standard, and require that any product bearing that mark pass your test suite. Of course, as soon as you do that, the Open Source community will try to beat you to death with big sticks because your standard isn't open enough. (Consider the Java(tm) or Unix(tm) marks)

      And then the embracer and extender just implements their broken version anyway, and quite legally calls it "J", or "Unix-like operating system".

      On the other hand, if the DOJ forced Microsoft to publish all their APIs and network protocols, in a similar vein to what was done to IBM, then the problem in this instance would be moot, and few other companies are powerful enough to use embrace and extend in this way.

      Charles Miller
      --

      --
      The more I learn about the Internet, the more amazed I am that it works at all.
    2. Re:I still say... by hattig · · Score: 2
      I agree. Define what the data authorisation field should contain, and release the standard as "Kerberos 6 - the more secure and updated version!" and then implement the changes in all of the other implementations. Windows 2000 will be stuck with "Kerberos 5 - the old and duffed up and abused version".

      They should be made to stick to standards, or to submit their ideas into the standard. There should be some kind of "Open Standards Licence", like the GPL, so that if you take a standard and make some changes to it, you have to release the changes to that standard.
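Comment 7's "field not blank - MS alert" translator and comment 53's call to define the data authorization field come down to the same defensive need: a non-Windows Kerberos implementation should notice when a ticket's authorization data carries an element it does not understand, and handle it deliberately instead of failing. The block below is an added example, not code from MIT Kerberos, Samba, Microsoft or anyone in this thread. It walks the AuthorizationData encoding (a DER SEQUENCE OF SEQUENCE { ad-type, ad-data }, as RFC 1510 defines it) over a constructed byte string, keeps ad-data opaque, and reports which ad-type values appeared. The ad-type numbers 1 (AD-IF-RELEVANT) and 128 (AD-WIN2K-PAC) are the values RFC 4120 later registered, not numbers from the thread; the sample bytes, the `ad_summary` struct and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ad-type values as registered in RFC 4120 section 7.5.4 (assumed here;
 * the thread itself quotes no numbers). */
#define AD_IF_RELEVANT 1
#define AD_WIN2K_PAC   128

typedef struct {
    int count;      /* AuthorizationData elements seen */
    int win2k_pac;  /* elements carrying the Windows 2000 PAC type */
    int unknown;    /* elements whose ad-type this parser does not know */
} ad_summary;

/* Decode one DER tag/length header at p. Returns the header size, or -1 if
 * the header is malformed or the declared length runs past 'avail'. */
static int der_header(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    size_t i = 0, n = 0, k, nbytes;
    if (avail < 2) return -1;
    *tag = p[i++];
    if (p[i] < 0x80) {
        n = p[i++];                              /* short-form length */
    } else {
        nbytes = p[i++] & 0x7f;                  /* long form: N length bytes follow */
        if (nbytes == 0 || nbytes > sizeof n || i + nbytes > avail) return -1;
        for (k = 0; k < nbytes; k++) n = (n << 8) | p[i++];
    }
    if (n > avail - i) return -1;                /* truncated value */
    *len = n;
    return (int)i;
}

/* Walk AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] INTEGER,
 * ad-data [1] OCTET STRING }. ad-data stays opaque. Returns 0 for a
 * well-formed encoding, -1 on wrong tags or truncation. */
int parse_authdata(const uint8_t *buf, size_t buflen, ad_summary *out)
{
    const uint8_t *p, *end, *q, *qend;
    uint8_t tag;
    size_t len, k;
    long adtype;
    int h;

    memset(out, 0, sizeof *out);
    if ((h = der_header(buf, buflen, &tag, &len)) < 0 || tag != 0x30) return -1;
    p = buf + h;
    end = p + len;
    while (p < end) {
        if ((h = der_header(p, (size_t)(end - p), &tag, &len)) < 0 || tag != 0x30) return -1;
        q = p + h;
        qend = q + len;
        /* [0] ad-type: context tag 0xA0 wrapping a DER INTEGER */
        if ((h = der_header(q, (size_t)(qend - q), &tag, &len)) < 0 || tag != 0xA0) return -1;
        q += h;
        if ((h = der_header(q, (size_t)(qend - q), &tag, &len)) < 0 || tag != 0x02) return -1;
        q += h;
        if (len == 0 || len > 4 || (q[0] & 0x80)) return -1;  /* ad-type is a non-negative Int32 */
        for (adtype = 0, k = 0; k < len; k++) adtype = (adtype << 8) | q[k];
        q += len;
        /* [1] ad-data: context tag 0xA1 wrapping an OCTET STRING, skipped */
        if ((h = der_header(q, (size_t)(qend - q), &tag, &len)) < 0 || tag != 0xA1) return -1;
        q += h;
        if ((h = der_header(q, (size_t)(qend - q), &tag, &len)) < 0 || tag != 0x04) return -1;
        q += h + len;
        if (q != qend) return -1;                /* trailing bytes inside the element */
        out->count++;
        if (adtype == AD_WIN2K_PAC) out->win2k_pac++;
        else if (adtype != AD_IF_RELEVANT) out->unknown++;
        p = qend;
    }
    return 0;
}

/* Constructed sample: ad-type 1 with data "ab", then ad-type 128 with four
 * placeholder bytes standing in for a PAC. */
static const uint8_t sample_authdata[] = {
    0x30, 0x1D,                                      /* SEQUENCE OF, 29 bytes */
    0x30, 0x0B,                                      /* element 1, 11 bytes */
      0xA0, 0x03, 0x02, 0x01, 0x01,                  /*   ad-type 1 */
      0xA1, 0x04, 0x04, 0x02, 0x61, 0x62,            /*   ad-data "ab" */
    0x30, 0x0E,                                      /* element 2, 14 bytes */
      0xA0, 0x04, 0x02, 0x02, 0x00, 0x80,            /*   ad-type 128 */
      0xA1, 0x06, 0x04, 0x04, 0x50, 0x41, 0x43, 0x21 /*   ad-data "PAC!" */
};

int main(void)
{
    ad_summary s;
    if (parse_authdata(sample_authdata, sizeof sample_authdata, &s) != 0) {
        puts("malformed AuthorizationData");
        return 1;
    }
    printf("%d element(s): win2k_pac=%d unknown=%d\n", s.count, s.win2k_pac, s.unknown);
    return 0;
}
```

A server that accepts the ticket and merely logs the unfamiliar element, and a client that does not insist on the element being present, can both interoperate with everyone else; the break the story describes comes from a client that requires the field. The parser also rejects truncated or mis-tagged input outright rather than guessing, which is the safer failure for a field whose contents are undocumented.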

  54. Re:Story here as well by Anonymous Coward · · Score: 0
    Here is the Link

    Well, I could tell you how to make the link, but then the HTML tags would be interpreted as HTML tags. Basically, use [a href="www.blah.com/blahblah] Underlined Link [/a] but change the square brackets to greater-than/less-than signs.

  55. Re:You don't know what you're talking about. by Anonymous Coward · · Score: 0

    You're a moron and you know it - especially when you use words like "someone with a clue". Clueless dimwit.

  56. Re:And this is surprising because...? by Anonymous Coward · · Score: 0
    And the evil GCC people even went as far as not documenting these so no one could use them but they will sneak into programs by themselves so that other compilers can't use gcc code? Or are they twisting your arm forcing you to use them?

    Every compiler I've used (Borland and GCC primarily) has additions--the standards only say what a compiler does with conforming code. The fact that the additions don't get caught by -ansi is a problem and even wrong if it was done on purpose.

    Compiler conformance is an apple to MS's Kerberos ugly fruit.

  57. ./ ignores anti-linux news-posts only anti-MS news by Anonymous Coward · · Score: 0

    "Linux still not ready for desktop, says SuSE CEO"

    http://www.infoworld.com/articles/pi/xml/00/03/01/000301pilinuxdesk.xml

    I wonder why they didn't post this story?
    Could it be that news suggesting Linux isn't ready for the desktop would hurt VA Linux sales?

    Rob wouldn't want to tarnish the value of his 300,000+ shares of LNUX, now would he?

  58. Laugh while you can. by Anonymous Coward · · Score: 0

    It's no laughing matter ( .. Score:3 - Funny). This, ladies and gentlemen, is called monopolisation of computerised / network services. Whether or not you'll be administering a Linux network or an MS one in 2004 is directly dependent on Billy Boy's 'success'. You know what to do. Print off the Halloween Document and actually encourage people to read it (at least highlighted parts). It's no good just keeping it as an HTML file on your own computer. You've already read it! I bet your boss hasn't.

  59. Count yourself lucky by Anonymous Coward · · Score: 0

    .. that you will only FEEL like a sucker later. Most people I know have BEEN suckered.

  60. Re:And this is surprising because...? by C.Lee · · Score: 0

    >Try something along the line of int main() { int n = 10; int temp[n];
    >.... } This should not even compile. VC++ gives the approiate error
    >message and g++ compiles it just fine...

    That's because VC++ is a pile of shit designed for morons like yourself.

  61. Re:legal? by C.Lee · · Score: 0

    >The reference implementations of Kerberos 4 & 5 are available under a
    >BSD-style license, so there's nothing wrong with what Microsoft has
    >done, even if they do use Kerberos code in Windows. (I'm not sure if
    >they've said they use any MIT code or if they did a ground-up
    >implementation based on the specs)

    The only good thing in all this is that this stunt by Microsoft is pretty much going to kill BSD-style licenses for things like Kerberos in the future, as well as causing people to refuse to get involved with any sort of project Microsoft is involved in which doesn't have a GPL or a GPL-style license.

    Wonder how Brett Glass and the rest of those losers are going to defend this kind of bullshit by Microsoft?

  62. Re:This is not new, secret, or prohibited by the s by C.Lee · · Score: 0

    >It is my understanding that this sort of extension is allowed in the
    >kerberos spec and that MS is not the first implementation to take advantage of it.

    >If you are going to bash MS, don't bash them for following the rules.
    >With W2K, Microsoft is finally making a fair attempt at following and
    >using the standards.

    Are you really this stupid, or has your Microsoft employment rotted your brain? Microsoft by this stunt has proven beyond a shadow of a doubt that once again they *HAVE NO INTENTION* of following and using the standards as they exist. I really hope that the DOJ and Judge Jackson are paying attention to this particular story. I bet the EU is also going to be looking at this issue.

  63. Story here as well by el_guapo · · Score: 0

    http://www.zdnet.com/intweek/stories/win2000/news/0,9493,2449668,00.html?chkpt=entnews-win2000 - (how do I make this a link? Sorry that it's not) No surprise of course, these guys do this to EVERYTHING they possibly can.

    --
    more beer, please politically incorrect stu
    1. Re:Story here as well by Shanep · · Score: 1

      Can the preformatted tag be used in /. to do this?

      Here is the Link

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    2. Re:Story here as well by Shanep · · Score: 1

      Apparently not. :)

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  64. Re:Apparently Microsoft disagrees (correctly) by Anonymous Coward · · Score: 1

    Specification and source are online:
    http://www.opengroup.org/pubs/catalog/c311.htm
    http://www.opengroup.org/dce/download/

  65. Re:And this is surprising because...? by Anonymous Coward · · Score: 1

    But heaven forbid anyone, and especially Microsoft, finds that the "standards" don't meet their needs.

    Indeed. All those meetings of the C Standards committee that the GCC maintainers ignore and/or boycott... It just wouldn't do to waste time at meetings when there's embracing and extending of the C language to be working on. (Non-compatible 'features' of GCC that aren't even reported with the 'ansi' and 'pedantic' switches on, which cause programmers to write C code for GCC that won't build on any other compiler.)

    And the Bash shell... which purports to be backwards compatible with the POSIX standard for /bin/sh.... Thank goodness the Bash maintainer is on record as not having access to a copy of the POSIX standard....

    Yep. It's a big cruel world out there. And the GNU and the Microsoft "embracers and extenders" are at it again...

  66. More articles (in english) by Anonymous Coward · · Score: 1

    This was posted in this article on Linux Today. The ZDNet article referenced within can be found here.

  67. Re:UCITA test? by Anonymous Coward · · Score: 1
    I get the distinct impression that the word "interoperability" has a different definition for MS... basically: "All of MS's products work with MS products... how much more do you want?"

    The Microsoft Dictionary

    interoperability: The ability of a Microsoft product to operate with another Microsoft product.

    multi-platform: Works with both Windows NT Workstation and Windows 2000 Professional.

    Standards: The way Microsoft does something. However if you do it the same way we will sue you.

    legacy: Any product that competes with a Microsoft product, or a Microsoft product for which a newer version is available or planned.

    Security: Asks for a password. Example: Windows 95 has a high level of security because it asks for a password.

    Monopoly: Unknown.

  68. Re: "proprietary" trade secret by Anonymous Coward · · Score: 1

    The article submitter and this poster (and just about everyone else in Linuxland) are misusing "proprietary". This poster quotes the word as if it shouldn't apply to "trade secret", when, in fact, it is completely superfluous. All trade secrets are proprietary, as governments give companies the right to limit others' use of trade secrets. Something is proprietary if someone has the power (normally by law) to control others' use of it. That makes anything that is copyrighted, patented, or a trade secret (and probably a few other things) proprietary. Proprietary doesn't mean "secret" or "not open". It means "not in the public domain". M$'s modification of the K. protocol may or may not be considered by a court to be a trade secret. I would doubt it very much.

  69. What can we do? by brandonp · · Score: 1

    What can we do to about this?

    We aren't talking about some application that does something differently than everyone else, we're talking about messing with a standard to gain and maintain control of the market.

    I just can't believe this is ethically or legally right. What can we do to deal with this ongoing problem with Microsoft? Class action lawsuit? What are our options?

    Brandon Petersen

    1. Re:What can we do? by beagle · · Score: 1
      What can we do to about this?

      Don't use Win2000. Windows 2000 is insignificant anyway. Linux and other Unices have made significant inroads into the original target market for W2k, and they will continue to do so because Microsoft was so late in delivering the (very buggy - 63,000-defects buggy) product, and because Microsoft still insists on lack of interoperability, and this time it's in a market in which they do not have the power to dictate specs. We now get to watch 'em die!

  70. Don't worry this is already happening... by Eg0r · · Score: 1
    In my uni, there's a feeling that upgrading to win1900 will give more hassle than it's worth...

    Unless there's a timebomb in SP6a, we're not likely to change the NT servers to 1900 anytime soon. Anyway, dual P333/256Mb RAM may probably not be enough to cope with the 1900 OS overhead....

    Us changing the server to Linux probably has a higher chance than betting on us going for win1900.

    Actually, the same happened with 3.51 .... took us some time to decide NT4 was safe enuf... and then we regretted the change for some time :-) Not likely we'll do the same mistake twice!

    --
    "Hasta la victoria siempre!" El Comandante
  71. And this is surprising because...? by Phaid · · Score: 1

    They do this to _every_ protocol they get their hands on. IPP, LPD, DHCP, Java, hell even their version of traceroute isn't right.

    Bah.

    1. Re:And this is surprising because...? by Phaid · · Score: 1

      This is annoying in that it's not documented. But heaven forbid anyone, and especially Microsoft, finds that the "standards" don't meet their needs.

      Well, that's what standards bodies are for. You have to realize that the IETF (and other standards bodies) committees aren't just composed of some sort of godlike beings who hand down edicts, they're composed of people from the various companies that actually implement the standards. So if MS really has a beef with a standard that they want changed, they should take it up with the standards body and get their modifications documented.

    2. Re:And this is surprising because...? by MatanZ · · Score: 1

      23:40:07:~$ cat a.c
      int main() { int n = 10; int temp[n]; exit(1); }
      23:40:53:~$ g++ -Wall -pedantic -ansi -o a a.c
      a.c: In function `int main()':
      a.c:1: warning: ANSI C++ forbids variable-size array `temp'
      a.c:1: warning: unused variable `int temp[((n - 1) + 1)]'

    3. Re:And this is surprising because...? by Hammer · · Score: 1

      May I recommend The Halloween Documents by ESR. There you will get an understanding of why M$ does this....

    4. Re:And this is surprising because...? by SEWilco · · Score: 1

      Don't forget the MS Proxy security setting that makes it only work with IE.

    5. Re:And this is surprising because...? by Score+Whore · · Score: 1

      This is annoying in that it's not documented. But heaven forbid anyone, and especially Microsoft, finds that the "standards" don't meet their needs.

    6. Re:And this is surprising because...? by Zurk · · Score: 1

      bullshit. they didn't even TRY to comply even though the standards were changed to accommodate them slightly. read the kerberos FAQ.

    7. Re:And this is surprising because...? by slashdot-terminal · · Score: 1

      Indeed. All those meetings of the C Standards committee that the GCC maintainers ignore and/or boycott... It just wouldn't do to waste time at meetings when there's embracing and extending of the C language to be working on.
      (non compatible 'features' of GCC, that aren't even reported with the 'ansi' and 'pedantic' switches on, which causes programmers to write C code for GCC that won't build on any other compiler)


      I am currently working on programming projects for C++ could you show me an example of code that will pass gcc/g++ that will not pass any other compiler.

      And the Bash shell... which purports to be backwards compatible with the POSIX standard for /bin/sh.... Thank goodness the Bash maintainer is on record as not having access to a copy of the POSIX standard....

      Unfortunately on linux systems sh is a symlink to bash so even a programmer can't tell the difference.

      --
      Slashdot social engineering at its finest
    8. Re:And this is surprising because...? by DeK · · Score: 1

      Speaking of things only working through IE, have you ever noticed problems reaching certain parts of the www.microsoft.com site? Especially the download area? I've noticed that their server reads the User-Agent field and if it doesn't match IE's then it gives you errors. I've tested this by modifying that field to match IE's through a program called Proxomitron and all the downloads then work fine... I'd be interested to hear someone else's comments on this...

    9. Re:And this is surprising because...? by HP+LoveJet · · Score: 2

      Regardless, it really ins't [sic] microsoft's job to ensure compatability [sic] with anyone but themselves.

      That sentence lends itself to another reading, which is that it's in MS's interest not to interoperate with anyone else's stuff, except at a minimal level insofar as you need to (say) speak TCP/IP. This is the same sort of thinking that helped IBM sew up 90+% of the mainframe market well into the 70's, and earned them (a) widespread enmity from customers and competitors, (b) a federal antitrust investigation, and (c) carte blanche to unilaterally carry the state of the art in whatever direction they wished. There's a gray area between intentional incompatibility and actual anticompetitive behavior when you have the market share IBM did then (or Microsoft does now).

      If they really care about increasing the utility of technology in the larger sense, which I'd argue they must if they know what's good for them long-term, they should participate reasonably in standards definition processes. I know that a lot of what you decry as "interorganizational posturing" involves companies being inflexible on just these sorts of issues, and that Microsoft is as bad an offender as any--when they deign to participate at all.

      Anecdote: My friend was the Lucent delegate to an IETF Working Group. For three consecutive meetings no work at all was completed, because every time the Microsoft rep opened his mouth it was to say "I move that the entire text of the proposed section be stricken and replaced with: 'Bla bla bla....'." That is not what I would call playing well with others.

      I am not a blindly Microsoft-hating zealot. I do take exception to many of their business practices.

      --
      spawn_of_yog_sothoth
    10. Re:And this is surprising because...? by Score+Whore · · Score: 2

      GCC has typeof which nobody else does. It also has builtin functions for alloca, abort, exit, and _exit. Which by the standards should be in a library allowing for a linktime replacement of the standard C versions. In g++ there is the headof extension. And those are just the obvious.

    11. Re:And this is surprising because...? by Score+Whore · · Score: 2

      That's not really an answer. It may be a use that is related to a property that only W2K has. It also may have been the sort of thing that was developed in 6-12 months rather than 6-12 years. Some of these standards take way too damned long to settle, often because of interorganizational posturing.

      Regardless, it really isn't microsoft's job to ensure compatibility with anyone but themselves. How many vendors will authenticate users for a VMS system? When you have a different paradigm it is often useless and futile to try and maintain 100% compatibility with every little OS under the sun. Really documentation is the only issue here.

  72. Stupid... by pb · · Score: 1

    That's completely braindead, but why am I not surprised?

    Microsoft shows its commitment to embracing and extending open standards once again. Let's see what new and wonderful ideas they don't share with the people working on LDAP, Directory Protocols, etc., etc.

    My only reassuring thought is that Microsoft couldn't secure a paper bag, so their implementation of Kerberos should be humorous, at least. :)
    --
    pb Reply or e-mail; don't vaguely moderate.
  73. Re:Apparrently Microsoft disagrees by djKing · · Score: 1

    > I'm not sure who to believe.

    Well in my experience, believing MS makes you feel like a sucker later.

    -Peace
    Dave

    --
    Free as in "the Truth shall set you..."
  74. Translation.. by Ih8sG8s · · Score: 1

    "DNSSEC - which is a public key infrastructure unto itself - is very complex. In our judgment, at the time, it was not ready for implementation and deployment. It followed that RFC 2137 was also not ready for implementation and deployment."

    What this really means:

    "We conducted a think-tank session that included the brightest minds in Microsoft Research Labs, including the famous team that invented the symbolic link just in time for Windows2000. It was determined that patch-build-1,234,567 broke when we tried to implement it because of inconsistencies between patch-122,239, and patch 569,496, which were, consequently patches for patch 1223,456, which patched patch 22,134. Surely this standard is wrong."

    nnnext:

    "TSIG and TKEY alone do not solve the key distribution problem inherent in any secret key system. However, both mechanisms allow for extension, which permitted us to publish a third complementary draft, "GSS Algorithm for TSIG (GSS-TSIG)"."

    This one is not as funny. Seems like they use IETF protocol and process to their advantage, fulfilling process requirements while breaking the spirit of the guidelines.

    nnnext:

    "Microsoft would be happy to assist any vendors who wish to develop an independent, interoperable implementation."

    No doubt. Maybe that's why your draft has been in since 1997 and no one outside of Microsoft is interested in going forward with it.

  75. Guys, they were saying this YEARS ago at a seminar by Feoh · · Score: 1

    I went to a seminar at the otherwise _lame_ SNAC conference where they discussed what's coming in NT 5.

    They said back then that the Borg had co-opted kerb and were doing horrible things to it, and would then use it in their marketing gibberish and tout their 'support of open protocols!'.

    Film at 11.

    *yawn*

  76. Re:This is not new, secret, or prohibited by the s by Dagmar+d'Surreal · · Score: 1
    That is where you are dead wrong.

    What Microsoft clearly intends is that no matter what users want, they're going to do everything in their power to make sure admins have to put up a Windows2000 server on their network. The majority of people using computers (including the administrators of most networks) are not technically competent enough to understand why the incompatibility occurs, and they're almost certainly not competent enough to run around making changes to a lot of their production systems, so they're going to wind up being forced to simply pay someone else to fix it so that the Win2k users can "take advantage" of this wonderful thing called Kerberos. This is the kind of crap that Microsoft lives off of. Make sure all the users are morons, and some of them will eventually be promoted to administrators, and then flood the market with other morons trained in the efficient sales and marketing of Microsoft products, and call them technicians anyway.

    ...which is about the same time that the local MSCE's will be undoing their belts, ready to deliver the Microsoft "solution".

    Frankly, at this point I would rather shove my hands up to the shoulders into a wood chipper than to use Microsoft products anymore.

  77. Re:MIT uses NT source code to fix it by dmaze · · Score: 1
    AFAIK, nobody at MIT has plans to migrate any important services to a Windows-based platform any time soon. Kerberized POP, krb5-authenticated print services, Kerberized Zephyr, AFS, and so forth will all continue to run on Unix-based machines.

    This means that the issue is (mostly) irrelevant to Athena. Since every service is going to run on Unix, we don't care about Windows "extensions" to Kerberos; if Windows machines can access Unix services using a Unix-based Kerberos server, then everything Just Works (TM).

    Personally, I think Pismere is just a lost cause. Even if Win2K is "a new standard of reliability", I suspect a test cluster of 10 Windows-based machines would have much more serious problems than the 10 beta Linux-Athena machines currently available for public use in W20-575. Just about everything we need is available now (and has been for several years) on Unix, and people with personal PCs have been able to install SIPB's Linux-Athena to get Athena on their desktop. With an official supported MIT I/S Linux-Athena coming soon, it's clear that MIT isn't planning on pushing Windows as their Intel-based OS of choice.

  78. is this really an issue? by SuperGeek · · Score: 1
    Maybe I'm not understanding the politics or technical intensity of this. But if this is going to cause such a huge issue with compatibility, and we know that it is... then it seems to me that an appropriate solution would be NOT to implement Win2K in an environment where you know it's going to be a bitch..

    and with the sudden surge of popularity in free stuff, the solution seem kind of obvious.. but this isn't one of those "USE LINUX, LINUX RULES" rants.. there are several other solutions out there.. roll your own.

  79. "Embrace and extend" LIVES!? by Cardinal+Biggles · · Score: 1
    And what about Active Directory? Another brilliant innovation that's actually a standard technology with some unnecessary (IMHO) changes, so that a Windoze box can access a directory with LDAP but existing LDAP-clients can't easily use a Micros~1 directory server 'cause the schema is wrong.

    Would they really still be working like this, even with the way their trial is going? I know they're not stupid, but maybe they just can't help themselves...

  80. First it was Apple, now M$. Balkanizing the 'Net by crovira · · Score: 1

    I wrote in [it was rejected] about how M$ was going to follow Apple's lead [yet again] and have client services available (like site visibility ?) ONLY to its desktops connecting to its IIS servers.

    Now you'll have to pay a tithe to M$ to list you site on a (M$) DNS and you may or may not be able to see anyone else's site.

    Running /. on IIS guys? Then there goes half your readership.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  81. Re:DEC MMJ connectors by KyleCordes · · Score: 1

    The company which installed the wiring for our PBX and network appeared to be competent up-front. Then they put in RJ-45s for both phone and network throughout the building... even though the phone system they sold us used RJ-11 (only one wire pair for that matter).

    When asked, they said "oh, the little plugs fit OK in the big sockets". Then they labelled the jacks as "1" and "2", not as "phone" and "computer".

    We explained the idiocy to them, and insisted they replace all the phone jacks with RJ11s. They agreed after some cajoling.

  82. been known for awhile by voodoo · · Score: 1

    This has actually been known for awhile. The only reason it is receiving press now is because people will finally be forced to deal with this issue -- along with the many other gotchas that come with W2K. Until cross compatibility comes along for the two different versions of kerberos, windows users will be left isolated and in an uncomfortable position. --voodoo

  83. Re:Kerberos? This isn't Kerberos by Athos · · Score: 1
    The problem is if you don't talk to a W2K Kerberos Server you don't get your sercurity [sic] permisions [sic] so it reverts to netlogon.

    And this is a pretty good job?

    --
    The Internet is the Suppository of All Knowledge. You get it in the end.

  84. Whitespace doesn't matter. by Sangui5 · · Score: 1

    Yes it should compile. Whitespace shouldn't matter. The compiler shouldn't care if you use a [CR], a [TAB], a [SPACE], the number or combination of such characters you use, or whatever, just so long as there is at least one whitespace character where a whitespace character needs to be.

  85. You don't know what you're talking about. by Zico · · Score: 1

    It uses Kerberos as defined by the standard. If people are going to bitch and moan about Microsoft doing this, then stop writing ambiguities into the standards. Of course, there's a reason why this field was left open, and that's so that vendors (apparently, only vendors other than Microsoft, haha) could use it for things like vendor-specific or application-specific data. Now that Microsoft uses it to their advantage, everyone's in tears. Well Boo-frickin'-hoo.

    Whoops, now that I see your comment that Win2K has only 27 apps available for it, I realize that you have no idea what you're talking about. My post would've been better spent replying to someone with a clue.

    Cheers,
    ZicoKnows@hotmail.com

  86. Does the Honorable Thomas Penfield Jackson know? by IQ · · Score: 1

    I think we should tell it to the Judge! Just in the form of an open letter. The games continue! The Monopolist is Still behaving badly.

    Oh Well. Our company has 1 application left that runs on NT. And it is a 3rd party app. We have put that 3rd party on notice that we will not be using any new versions of Windows in the future and they have a Linuxified version of this service in test... Just like IBM in the early 80s. You just have to be diligent. Don't use M$ products for your IT solutions.

    --
    Adults are obsolete children. - Dr. Seuss
  87. Re:Totally off topic by IQ · · Score: 1

    Please moderate the above post down. Sorry but it is offtopic and if you know anyone with MS it is just not funny.

    --
    Adults are obsolete children. - Dr. Seuss
  88. This is not new, secret, or prohibited by the spec by Frey · · Score: 1

    Microsoft has not tried to hide this in any way. I learned about it last April in a W2K class and it is in numerous whitepapers on their site.

    It is my understanding that this sort of extension is allowed in the kerberos spec and that MS is not the first implementation to take advantage of it.

    If you are going to bash MS, don't bash them for following the rules. With W2K, Microsoft is finally making a fair attempt at following and using the standards.

  89. Cables by Raven667 · · Score: 1

    This is totally off-topic but you wouldn't know where I could find these "MMJ" cables and a MMJ-->9 pin RS-232 adapter. I just happened to buy an old VT420 for pennies, I intend to connect it to one of my Linux boxen. Unfortunately I have no cable. Learning that the cable type is "MMJ" is a big help. If you have any more info I would love to hear it.
    Mark Tinberg

    --
    -- Remember: Wherever you go, there you are!
    1. Re: Cables by Raven667 · · Score: 1

      Email is supposed to be Mark Tinberg mtinberg@compuserve.com

      --
      -- Remember: Wherever you go, there you are!
    2. Re: Cables by Zurk · · Score: 1

      try :
      http://catalog.blackbox.com/BlackBox/Templates/blackbox/class84itemgroup567guest.asp?param=89&ig_id=567&title=DEC+423+MMJ+Cable+%26%238226%3B+MMJ+Connector&related=

  90. Re:Yes and No.... by jgibson · · Score: 1
    It is MS being their usual "we work with them (almost)" self, but in this case, they're not hiding anything. They just happen to use more of the spec than the reference one.

    from ZDNet's article:

    Shanen Boettcher, Windows 2000 product manager at Microsoft, said last week that the company has only made use of an existing feature of Kerberos and is not undercutting an existing standard. But he acknowledged the change is not documented, noting that some developers may believe they need to know the details of Microsoft's change before they will be able to get their software to work with it.

    ....

    When asked how developers will work with the specifics of Microsoft's implementation, Boettcher said: "The contents of the field are currently not available. We have been asked to document them, and we are trying to figure out what to do with that request."

    Sounds to me like they're hiding something...

  91. Re:Open Source License Addendum Suggestion by netgod · · Score: 1
    The most popular Linux license doesn't need the addendum -- the GNU GPL already makes evil corporations run screaming. Some forbid their employees from even looking at GPL-protected code. :)

    Cause they know if they use it, or modify it, without giving the source back, they can be sued -- not just for money, but for the public release of the code for that product (and thus the loss of any profit from it).

    Few would take that risk.

  92. Re:Totally off topic by meridian · · Score: 1

    As far as your off topic theory goes, I smoke pot and also use windows, except I've run out of pot and am yet again considering deleting windows. So that seems to go with your theory quite well. I'll have to let you know, when I get my hands on some more smoke, if I decide I really couldn't be bothered deleting windows after all. Probably when mozilla is as nice as ie and I finish this job (which requires me to use mssql argh!) I'll end up deleting my windows.dsk, but I'll probably end up keeping it on there anyways, cause I sure intend to get some more smoke soon :)

    --
    meridian at tha.net
  93. Re:You can access unix/linux, but.... by sharkey · · Score: 1

    Actually, it looks like they're trying to leverage their desktop dominance to sell more servers.

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  94. No, first it was Intel and MS, then Apple, now ms. by Evro · · Score: 1
    See Intel's WebOutfitter, which requires you to use a Pentium III and Windows. This predated Apple's iTools by a quite a while (at least a year, I think). I think iTools was Apple's response to weboutfitter.

    While I think the web should be open, if there are applications that only run on certain platforms, why not web services?

    _________________

    --
    rooooar
  95. Re:Apparrently Microsoft disagrees by Kiaser+Zohsay · · Score: 1
    From the MS page:

    Since a Kerberos realm is not a Windows 2000 domain, the computer must be configured as a member of a workgroup. This is automatic when you set the Kerberos realm and add a KDC server as follows:

    IIRC, the workgroup vs domain distinction is all-or-nothing. So a work station can be set up to authenticate against real Kerberos servers OR be a domain member and authenticate against Windows enhanced Kerberos servers. Again, this kills any real interoperability, that being using Windows and UNIX servers in the same environment.

    --
    I am not your blowing wind, I am the lightning.
  96. Re:Yes and No.... by Kiaser+Zohsay · · Score: 1
    The hitch is that you have an installed base that needs to be upgraded, which is kinda a bummer.

    Welcome to Redmond. This is how MS got where it is today, by "leveraging" the installed base of Windows users into purchasing "upgrades". Remember the Word 6.0->Word 95->Word 97 file format feeding frenzy?

    --
    I am not your blowing wind, I am the lightning.
  97. Re:You can access unix/linux, but.... by Kiaser+Zohsay · · Score: 1
    Make that "Embrace, Extend, and Extinguish". Straight out of the Halloween documents. What's next, a proprietary "ping"? That'll be useful as all hell.

    --
    I am not your blowing wind, I am the lightning.
  98. Not so fast, batfink..... by gruntvald · · Score: 1

    The article doesn't claim you can't authenticate against MIT Kerberos servers, it states that if you do so, you can't use that authentication for other W2000 resources, such as printing. I.e. the authentication is not "passed along" unless you use W2000 Kerberos throughout.

  99. selective amnesia by gruntvald · · Score: 1

    Either you have piss-poor memory, or you are a newbie here, /. has always had lively discussions peppered with moronic, meaningless posts. That's what happens when the world sits down and chats. And many of us work in mixed shops, so we need technical info. like this. Most IT professionals are more interested in *solving* problems introduced by M$ and others, than reading brochureware stories. That's why every major freeware/open source story *is* news, and why proprietary s/w bugs are news.....

  100. Re:Open Source License Addendum Suggestion by gruntvald · · Score: 1

    >>If joeblow@eggsucker.microsoft.com wants to submit a patch, or tweak it to his personal liking, he should be able to. Judging him a 'lying scumbag' based on the exploits of his employer are wrong..
    ........Well, ordinarily you'd be right, but this is a special case here!

  101. It only took 3 years for this to get printed by ceez · · Score: 1

    I've been using every iteration of Kerberos (V4, the AFS variant, V5, and DCE). Why is this a surprise? This went rippling through the comp.protocols.kerberos newsgroup and several mailing lists at least 2 years ago, when MS published their first White Paper. It was discussed at length by a small group of people interested in not seeing yet another bifurcation of the protocol. (Of course, the MIT and OpenGroup people dilly dallied around for years before getting V5 and DCE back in synch!) The only thing more frustrating than the time, is to see it finally acknowledged now.

  102. Re:Obviously Kerberos is not implemented in W2k by HermDog · · Score: 1

    It's not really a standard if nobody else is doing it. It's just another protocol.
    --
    JADBP
  103. Re:Better standards by HermDog · · Score: 1
    Let's start by not calling what Microsoft did kerberos. Since it doesn't work with established conforming kerberos servers and clients, it's obviously something else.

    Anybody got a good idea for a suitable name?
    --
    JADBP
  104. wrong by BeanThere · · Score: 1

    All of MS's products work with MS products

    I've worked with enough MS crap (for my work) now to know that this is clearly not the case. Many MS products do not work with each other at all (For example I tried installing Visual Studio service pack 3 onto Visual Studio with the Windows CE Toolkit installed, and it popped up a message box which stated very explicitly something like "This product conflicts with the Windows CE Toolkit and cannot be installed" - bam, you can either have the CE toolkit, or you can have the bugfixes, but not both.) There are literally hundreds more examples of this sort of braindamaged crap pouring out of Redmond every day. Moreover, much of what they design, if not incompatible, is just plain "broken". For example the ActiveSync program for communicating with CE devices makes incredibly ludicrous assumptions such as that you are only ever going to want to connect one CE device to your computer at one time. Whoever decided that in the software design phase, I can only imagine, was on crack. The documentation for the CE toolkit quite literally does not correspond at all to the actual API distributed with the product either. Of course, the CE emulator only works on NT as well. NT only understands NTFS. Windows98 only understands FAT32. The upshot of all this is that I have to have two development hard disks, one with NT for CE and one with 98 for the other stuff I do (I can't use Win2000 because Nvidia's directx drivers for tnt2 aren't quite ready yet) and literally plug in a different hard disk depending on what I have to work on.

    I could probably write several pages here for each piece of MS software I've ever used (SourceSafe, NT, Windows2000, Windows 98, Visual C++ to name a few) but I'm sure most of you know the drill.

  105. Re:More information by elbobo · · Score: 1

    granted they may have implemented something useful. but I think the thing that people are worked up about is that this is out there in the wild, it breaks previous implementations, and it's not documented. of course, correct me if I'm wrong.

    el bobo

  106. Re:Join the club ... by mircea · · Score: 1

    Sorry, I couldn't help...[2000-02-28 16:12:00 E,E&E at work again (articles,microsoft) (declined) ]

  107. Re:You can access unix/linux, but.... by Bob-K · · Score: 1

    >> you can use W2K kerberos to access Unix/Linux kerberos

    Hey, it's simple then. Use Unix/Linux servers, and whatever you want on the desktop.

    Still, I find it odd to think MS would intentionally limit the usefulness of their servers and of their directory. Unlike the desktop, they have a lot of competition in the server and directory space. This can't be a monopolistic move because it implies that they're leveraging server dominance to sell more desktops.

    It'll be interesting to see how this develops. It'll probably just be reverse-engineered, saving MS the trouble of making a decision.

  108. So what can we do about it? by Lotek · · Score: 1
    Aside from boycotting Win2K, is there anything the open-source community can do about this?

    It's infuriating that Microsoft gets away with doing underhanded things like this. How long until we start seeing MS-TCP/IP?

    I can only hope that the oft-rumored government sanctions come down soon and hard and help to discourage this kind of stupidity.

    1. Re:So what can we do about it? by Tau+Zero · · Score: 1
      Aside from boycotting Win2K, is there anything the open-source community can do about this?
      I think we'd be boycotting W2K on general principles.

      I am no lawyer, but forcing W2K clients to rely on W2K servers for authentication sounds like illegal product-tying to me. It might be worth making a complaint to the Federal Trade Commission about it. The remedy, of course, would be to force Microsoft to use the established Kerberos data fields if they are adequate to the task, and document the extensions if they are not. Packet formats are not "intellectual property" or trade secrets, they are communications which are intended to be received and understood (by the intended receiver).
      --
      Time is Nature's way of keeping everything from happening at once... the bitch.
    2. Re:So what can we do about it? by scumdamn · · Score: 2

      I'm afraid we've been seeing MS-TCP/IP for a while now. No version of Windows currently supports the full TCP/IP spec. In fact, Linux only got full support recently.

  109. Re:Totally off topic by SendBot · · Score: 1

    Sarcasm: on
    There should be a moderation option for "might offend someone". Perhaps that statement should be censored harming people with MS. There's no way that it might be really amusing and informative at the same time. And there's absolutely no way that it might bring more awareness to MS. Please don't breed

  110. Re:Kerberos? This isn't Kerberos by mberkow · · Score: 1

    Actually MS did a pretty good job implementing Kerberos....maybe too good of a job. The problem is if you don't talk to a W2K Kerberos Server you don't get your security permissions so it reverts to netlogon.

    --
    Predestination was doomed from the start.
  111. Re:Kerberos? This isn't Kerberos by mberkow · · Score: 1

    If you consider that Kerberos's function is to say with authority that "yes you are who you say you are and here is a ticket to prove it."

    --
    Predestination was doomed from the start.
  112. Re:Obviously Kerberos is not implemented in W2k by mberkow · · Score: 1

    Jeez, what is a standard? A standard is something you are compatible with, not something you adhere to strictly. If every web server was strictly to standard then where would the web be?

    --
    Predestination was doomed from the start.
  113. It can sorta work by macros · · Score: 1

    From what I remember you can have a w2k client authenticate against a MIT Kerberos server, but, it won't be able to access any w2k server resources. In that field they embed something like the SID/UID, but the format for it isn't documented. So there will not be real interoperability until they do.

    p.s. If you think this is evil, look into how they do their DynDNS updating

    --
    The very ink with which all history is written is merely fluid prejudice. -- Mark Twain
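    Comments 85 and 113 both turn on the one Kerberos ticket field a vendor may fill with its own data, the authorization-data field, and on what a server that does not understand the vendor's element is supposed to do with it. The following Python is an added example, not code from this thread or from any vendor: it encodes and decodes that field's DER structure as laid out in RFC 4120 section 5.2.6 and sorts elements the way an application server must (an unknown element wrapped in AD-IF-RELEVANT is skipped; an unknown element outside that wrapper is critical). The type numbers 1 (AD-IF-RELEVANT) and 128 (AD-WIN2K-PAC) come from RFC 4120; the sample ticket bytes and the PAC payload are constructed placeholders, not a real PAC, whose layout the thread says is undocumented.

```python
# Added example, not from this thread or from any vendor: encoder/decoder for
# the Kerberos V5 AuthorizationData field (RFC 4120 section 5.2.6). Type
# numbers are RFC 4120 values; sample bytes and PAC payload are placeholders.

AD_IF_RELEVANT = 1   # wrapper: contents a recipient may skip if unrecognised
AD_WIN2K_PAC = 128   # the Windows 2000 vendor-specific element
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_CTX0, TAG_CTX1 = 0xA0, 0xA1  # [0] and [1] EXPLICIT context tags

def der_tlv(tag, content):
    """Encode one DER tag-length-value (long-form length when >= 128)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content

def der_int(value):
    """DER INTEGER for a non-negative Int32 (128 needs a leading 0x00 byte)."""
    nb = (value.bit_length() + 8) // 8
    return der_tlv(TAG_INTEGER, value.to_bytes(nb, "big", signed=True))

def encode_authorization_data(entries):
    """[(ad_type, ad_data bytes), ...] -> DER AuthorizationData."""
    elems = b"".join(
        der_tlv(TAG_SEQUENCE, der_tlv(TAG_CTX0, der_int(ad_type))
                + der_tlv(TAG_CTX1, der_tlv(TAG_OCTET_STRING, ad_data)))
        for ad_type, ad_data in entries)
    return der_tlv(TAG_SEQUENCE, elems)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at buf[pos], bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nb = first & 0x7F
        if nb == 0 or pos + nb > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:end], end

def expect(buf, pos, tag):
    """read_tlv that also insists on a particular tag."""
    got, content, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return content, nxt

def decode_authorization_data(der):
    """DER AuthorizationData -> [(ad_type, ad_data bytes), ...]."""
    body, end = expect(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    entries, pos = [], 0
    while pos < len(body):
        elem, pos = expect(body, pos, TAG_SEQUENCE)
        ctx0, p = expect(elem, 0, TAG_CTX0)
        raw_type, _ = expect(ctx0, 0, TAG_INTEGER)
        ctx1, p = expect(elem, p, TAG_CTX1)
        ad_data, _ = expect(ctx1, 0, TAG_OCTET_STRING)
        if p != len(elem):
            raise ValueError("unexpected extra field in element")
        entries.append((int.from_bytes(raw_type, "big", signed=True), bytes(ad_data)))
    return entries

def triage(der, understood_types):
    """Sort elements as an RFC 4120 application server must: an element it does
    not understand inside AD-IF-RELEVANT is skipped, one outside that wrapper is
    critical and the ticket is rejected. Returns (accepted, ignored, critical)."""
    accepted, ignored, critical = [], [], []
    def walk(entries, inside_if_relevant):
        for ad_type, ad_data in entries:
            if ad_type == AD_IF_RELEVANT:
                walk(decode_authorization_data(ad_data), True)
            elif ad_type in understood_types:
                accepted.append(ad_type)
            elif inside_if_relevant:
                ignored.append(ad_type)
            else:
                critical.append(ad_type)
    walk(decode_authorization_data(der), False)
    return accepted, ignored, critical

# Constructed sample in the shape a Windows 2000 KDC uses: the vendor element
# wrapped in AD-IF-RELEVANT. The payload is a placeholder, not a real PAC.
SAMPLE_PAC = b"<PAC-PLACEHOLDER: SIDs and group data would go here>"
SAMPLE_TICKET_AUTHZ = encode_authorization_data(
    [(AD_IF_RELEVANT, encode_authorization_data([(AD_WIN2K_PAC, SAMPLE_PAC)]))])
```

    Calling `triage(SAMPLE_TICKET_AUTHZ, set())` models a Unix server that knows nothing about the vendor element (it accepts the ticket and ignores element 128), while `triage(SAMPLE_TICKET_AUTHZ, {AD_WIN2K_PAC})` models a W2K server that consumes it; the same element placed outside the wrapper comes back as critical.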
  114. Re:You can access unix/linux, but.... by Wah · · Score: 1

    it's called leverage. You own the desktop, you don't own the servers. Make the desktop *HAVE* to use your servers. Ta-da, you own the server.

    --
    +&x
  115. Now there's a shocker... by a9db0 · · Score: 1

    Gee, Microsoft has once again "extended" an open standard with proprietary extensions, which it is so far refusing to document to the standards body.

    If this comes as a surprise to you, then you haven't been paying attention.

    --
    -- "Never underestimate the power of human stupidity." - R.A.H.
  116. Re:LDAP? by SedentaryZ · · Score: 1

    I don't know about the back-end implementation of Active Directory, but I have worked with their client side API (ADSI) and found it to be lacking. One of the problems I ran across was that it was unable to successfully read the schema information from my LDAP directory. Without access to the schema, ADSI became useless as it would then fail to provide access to any of the attributes/classes that it failed to retrieve from the schema.

  117. I just love standards by Giraffit · · Score: 1

    from the introduction to a DCOM book I read lately:

    "microsoft believes it can always improve on a standard"

    Nuff said.

    --
    Ballerinas have fins that you'll never find
  118. Re:./ ignores anti-linux news-posts only anti-MS n by brandond · · Score: 1
    Or maybe it's because we already knew that Linux is not ready for prime time desktop use. There's a lot of work going on to get Linux ready, but it's not quite there yet. It's still more appropriate in the server/workstation environment.

    Funny that you mention VA Linux. I look at their product list and it seems to hit right where Linux works best... high end servers and workstations. I don't think the fact that linux is not ready for the desktop is hurting VA at all.

    -----

  119. Join the club ... by Stavr0 · · Score: 1

    2000-02-28 20:56:51 Microsoft Embrace-and-cripples Kerberos (articles,microsoft) (declined)
    ---

  120. Re:GPL.... by smutt · · Score: 1

    Why wasn't the Spec GPLed, it would have prevented this whole problem. Microsoft would have been forced to publish their changes.
    Just like when Mickeysoft ripped off php and made asp. The syntax for the two languages is virtually identical. Where's the asp source code?
    Just like when Mickeysoft ripped off Mozilla and made Internet Explorer. MS sure did release a browser fast when Mr. Gates realized the internet was important. Where's the IE source code?
    I don't have any proof, but I bet there's all kinds of GPL'd source in Microsoft products. Now where's all that MS source code?

    --
    The Information Revolution will be fought on the command line.
  121. It's just business by csbruce · · Score: 1

    This is just the way that Microsoft operates. Adhering to open standards means creating a commodity product, and commodity products are nowhere near as profitable as owning a de-facto standard. Also, commodity products create a level playing field, and Microsoft isn't particularly competitive on a level playing field, and they are well aware of this.

    Frankly, I'm surprised that they chose to start with an open standard rather than starting with a completely proprietary standard, as they would be able to lock out competitors longer with the latter. Of course, this way they get to leverage the work done by the Kerberos people and are able to feign compliance with a recognized and (heretofore) respected standard.

  122. legal? by Masloki · · Score: 1

    Just wondering what license Kerberos is under? Or if it is licensed? It seems to me that one should not say it uses a certain protocol unless it uses that protocol as spec'd. On the other hand, is this a case of (feigned surprise) M$ taking something, adding one change and calling it theirs?

    On the third hand, there are only 27 apps available for W2k, so no one is going to buy it and realize this heinous feature. Or was that no one will buy it because there are thousands of undocumented features? Or was that no one is going to buy it because it is slower than any other version of Windows? Oh, crud, I forgot this is Corporate America (tm) and therefore we must buy it.

    --
    Sig-"Out beyond fields of wrongdoing and rightdoing, there is a field. I will meet you there." Jelaluddin Rumi
    1. Re:legal? by Desco · · Score: 1

      Those 27 apps are guaranteed to run on win2k? Does that mean if any of those 27 apps crashes a win2k box, I can sue M$ for false advertising / monetary loss / etc? (Getting evil ideas of setting up a win2k box, and invoking a specific 27 applications at the same time.. Let's see ya guarantee this, fucker!)

    2. Re:legal? by logicTrAp · · Score: 2

      The reference implementations of Kerberos 4 & 5 are available under a BSD-style license, so there's nothing wrong with what Microsoft has done, even if they do use Kerberos code in Windows. (I'm not sure if they've said they use any MIT code or if they did a ground-up implementation based on the specs)

    3. Re:legal? by rm+-rf+/etc/* · · Score: 2

      I thought pretty much any Win32 app other than games would run on Win2k fine, is that not true?

  123. They are... by Leghorn · · Score: 1

    They are truly evil, aren't they...

    --
    ----- Leghorn "Not responsible for program content"
  124. Re:Slashdot predjudice by Desco · · Score: 1

    Reading a lot of slashdot comments makes me wonder which is worse... Those who post pro-linux-anti-microsoft messages on a pro-linux-anti-microsoft forum, or those who have nothing better to do than post anti-pro-linux-anti-microsoft messages on a pro-linux-anti-microsoft forum...

    And don't worry, I'm sure there are plenty of forums that are equally pro-windows-anti-linux.

  125. Re:Using more of the spec? by Phallus · · Score: 1
    If this stuff is supposedly in the spec, why are people complaining about it being undocumented and therefore not able to be rolled into, say, Samba?

    Because while the unused field is in the specification as a field you can use, Microsoft have not released any details of how they use this field, hindering interoperability efforts.

  126. I heard... by strombrg · · Score: 1
    ...that:

    • Microsoft was unwilling to divulge the specifics of their proprietary extensions, making it potentially very difficult for an open-source server to present all required information to a microsoft client.
    • A unix KDC could be used by microsoft clients, if an adjunct database of some sort was set up on a microsoft server to provide the proprietary bits to the microsoft clients. This appears to be in contradiction with what's in the kerberos FAQ, so I have to wonder how accurate this really is.

    These are just rumors though, and I don't recall where I heard these.
  127. Payback by cwhicks · · Score: 1

    Hopefully, their day of retribution is coming soon. I am just baffled by the mindset of the people working there when this sort of thing appears, again.
    Maybe they can't help themselves, like children that see something good created by someone else and they just get the urge to knock it over.
    I await the day when they are forced to sit quietly in the corner because they can't play well with others.

    --
    - I like pudding.
  128. Re:This is COMPLETELY untrue... by Tom+Stivers · · Score: 1

    The funny thing is, everyone has already read this article and assumed the worst... Slashdot spreading FUD? You betcha...

  129. Re:ZDnet had this story a few days ago. by KeckOS · · Score: 1

    Both the Yahoo link and the ZDNet link are to copies of the original Inter@ctive Week story.

  130. Re:This was discussed on NTBugTraq by The+Musician · · Score: 1
    Yeah, I read NTBugTraq, too, and this is a completely different issue. What, are you just trolling for Karma or something?

    --

  131. Re:Why Stallman created the GPL by Ded+Bob · · Score: 1

    Irrelevant. Microsoft would probably have just rewritten it all--they have enough developers--to get around the GPL.

  132. Re:sigh... here we go again. by Nailer · · Score: 1

    I don't want to stop anyone, including Microsoft, from extending the standards. Specifically, I want to stop them from exploiting the work of others and harming interoperability.

    It's unfortunate that I have to put a disclaimer here that I'm not a Linux zealot. My work is half divided between Linux and NT, and I have an MCSE and MCP+I [though I share the opinion of others that these qualifications mean very little]. I believe those performance charts which show BSD ahead of Linux for certain services. Nevertheless, I'm trying to prevent the flame war when a Windows zealot brands me a Linux zealot, or vice versa.

    The GPL would be a perfect solution to this problem. Proprietary extensions are fine, as long as at the end of the day, those extensions can have their code released, audited, made interoperable, and returned to the community from which that code sprang. Yes, the BSD license is more `free' than the GPL [if you define free as being able to do what you want with something]. But the GPL makes more sense from both an engineering [Raymond] and ethical [Stallman] point of view. It's harder to exploit the work of others, and increases the pace of development and tightness of the code via a stringent peer-review process.

    Kerberos might be as widely used as possible, but is the use of the sort you want? A non-interoperable standard [through no fault of the developers, but the license used].

    Compare, for example, to rsync. The rsync algorithm is one of the most significant advancements in data transfer for a very long time. Besides file transfer, what about database replication? Streaming? The ramifications of rsync being applied to common remote data transfer operation are enormous. But the algorithm and implementation only got as tight as it did via its license. BSDing it would slow development and fracture the standard, at the same time as making its use more widespread. I'm comfortable with MySQL, the GNU tools, and other open-source projects reaping the benefit and giving back, rather than Oracle, MS SQL, and others trying to leg-up their competition.

    The vast quantity of Slashdot readers mostly understand this. There's a few who don't. That was my audience.

  133. (OT) Slashdot HTML preview by Tau+Zero · · Score: 1

    < & I just previewed this to be certain; it isn't doing it any more. (For which I am grateful.)
    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  134. OT: Alpha / Proprietary Debug Port by G27+Radio · · Score: 1

    You mean the modified connector wasn't made in that fashion just to sell cables??? You mean the connector was customized to prevent clueless computer operators from plugging in the wrong cable?

    In the case of the debug port, which is really just a serial port, it prevents the clueless and clueful alike from repairing the flashrom--unless they want to shell out for a proprietary cable, or spend an insane amount of money to have Compaq do it. Unfortunately, apparently no one at Compaq seems to know anything at all about the motherboard. Fortunately there are third parties that have a clue. BTW, someone from Harddata contacted me in response to a Usenet post and helped me determine the pin-outs for the port. No charge, and I wasn't even a customer. Gotta like that. Unfortunately my homebrew cable didn't do the trick (it was pretty ugly looking so I'm not surprised.) I also found rumors that some of the revisions of my mb have a defective debug monitor which could account for the problem. Thus the search for a cheap/free cable to do it with. It sucks watching those Alpha boards just sitting there and rotting.

    Hold on. You didn't contribute anything productive to our Microsoft/Proprietary HW hatefest.

    Hmm. I admit, I don't have anything productive to contribute today. -1.

    numb

  135. Re:Even dumb by M$ standards by G27+Radio · · Score: 1

    Yes, that's extremely annoying. I spent a bunch of time filing down RJ connectors for an Alpha motherboard with a blown flash rom. In the end I couldn't get it to work. You don't happen to have any of those cables for the debug port on a 275mhz MB? I'm looking for one cheap or free.

    numb

  136. Re:Extend and embrace? by DebtAngel · · Score: 1

    I think that the real problem here is one of ego. We should not have to adapt to Microsoft. Microsoft should have to adapt to us.

    The real question is whether or not the extra stuff they throw in is really worth it; personally, I think it was just a cheap workaround. The typical NT authorization stuff sends the equivalent of a cookie to the client holding the "I belong to this group, that group, and the other group." M$ had to stick that info somewhere (or rewrite the whole authorization scheme, which is never a good thing, even if it's broken), and there was a place in the Kerberos ticket to do that.

    --

    Is this post not nifty? Sluggy Freelance. Worshi

  137. Open Standards Public License by Nicodemis · · Score: 1
    Perhaps an Open Standards Public License is in order. You would not be able to officially say you support an open standard unless you meet the criteria set forth by the standards committee.

    Extending an open standard would be allowed, but only if you disclosed your modifications to the committee. This way, others who support the real standard can choose to interoperate with your modifications.

    What Microsoft continues to do is the equivalent of building cars that are too wide, then complaining that the roads are too narrow.

    Is there already something like this available? If so, where could I find more information about it?

  138. Re:First it was Apple...? Bad analogy, dude. by TummyX · · Score: 1

    So let's see, you would be happier if Microsoft developed their own proprietary protocol?

    Besides, this is no more embracing and extending than as if Microsoft created their own XML schema for word documents. It's allowed in kerberos to do this; it's just that 'unaware' servers won't be able to handle it, no problem if someone decides to implement this on a Unix KDC tho.

  139. Re:UCITA test? by kevinank · · Score: 1
    Uh.

    That isn't a joke. At Microsoft, interoperability *does* mean between MS products. Kind of like at Sun where open means open to anyone who isn't competing with Sun.

    Seriously. I've got several friends who used to work at or with Microsoft engineers, and that *is* how they define interoperability.

    --
    LibBT: BitTorrent for C - small - fast - clean (Now Versio
  140. NEWS: /. readers not fond of Microsoft by god_of_the_machine · · Score: 1

    NEWS: /. readers not fond of Microsoft Posted by emmett on Thursday March 02, @10:37AM
    from the who-would-have-thought dept.

    LtBurrito writes, "According to a recent poll, /. readers are not happy with the recent activities of Microsoft. Major areas of concern: protocol bending, patent enforcing, non-open-sourcing, and profit making. This shocking news item means that most /. readers may not have bothered to switch over to Win2k as previously reported"

    ( Read More... | 456 of 468 comments

    --

    -rt-
    ** Evil Canadians are taking over the world. Learn about the conspiracy
  141. I'm surprised everyone's so upset... by TopShelf · · Score: 1
    After all, didn't they invent Kerberos, along with the whole concept of network security? This is just another great innovation from The Great Leader, like the story from this morning about Micro$oft inventing symbolic links.

    All Hail the Great Leader!

    --
    Stop by my site where I write about ERP systems & more
    1. Re:I'm surprised everyone's so upset... by crmartin · · Score: 1

      Wasn't that Al Gore?

  142. Make whatever change you like... by Wolfier · · Score: 1

    Just DON'T call it Kerberos. If its aim is not to confuse people then what else?

    Maybe we should call the truly open Kerberos something else, like "True-Kerberos", "Kerberos-Open" - just to make sure any dumb Joe can distinguish between the open and the proprietary from just one look.

  143. this is old news by fearfactr · · Score: 1

    Microsoft told everyone this back at Beta 1. Apparently they got away with it and still called it Kerb because Kerb is an open standard that allows extensions. Anyway, you can use a Win2K server to auth Kerb clients that don't require the MS specific field. Being a student at NCSU, I know this is going to be a big problem with upgrading our NT4 machines. The university doesn't want to turn over their Kerb machine running Solaris to a PC running Win2K. We'll probably end up with two different Kerb servers that somehow try to stay synched up as we do now for Kerb and Novell authentications.

    --
    "Now its time to put an end to all their lies, Now its time to take control of your life."
  144. License Kerberos by drnomad · · Score: 1
    According to my information, Kerberos was developed by MIT as an Open Standard. Microsoft used a normally unused field; this is implemented in W2K and it is unsure whether they want to collaborate on this, though they were a member of the development group.

    Side effect is that Unix and Linux boxes could get their connection to printers refused because of this.

    I also heard that the open-source movement is very irritated by this thing... I have been surfing for hours, but I couldn't get any confirmation on this.

    1. Re:License Kerberos by bmetzler · · Score: 2
      Side effect is that Unix and Linux boxes could get their connection to printers refused because of this.

      No, it's actually the other way around. Windows clients could get their connections to printers and files refused because of this. Kerberos is supposed to authenticate once, and then let you have access to all resources you have permission to, without continually reauthenticating. However, it'll end up that Windows clients will only have access to resources on Windows servers. So you can't have Samba running as your server. Microsoft profusely apologizes for the inconvenience. (Yeah, right!)

      -Brent
  145. Win2K Kerberos by Bakeneko · · Score: 1

    This has been a known issue for a long long time. I remember attending a "researcher preview" in Redmond of NT 5 in '97 at which the MIT Kerberos people attended and watching the "discussions" about the proprietary extensions. My understanding is that the resolution at the time was that MS was going to give MIT the details of the tag extension field so that it could be folded back into the standard Kerberos distribution. I am not sure whether I should be surprised that this is still an issue 3 years later. Then again, it may be that somebody that isn't directly involved in the issue found out about something that hasn't been an issue for years and decided to blow it out of proportion. Sometimes that does happen on Slashdot.

    Tim Gaastra

    --

    Tim Gaastra
    Build a better mousetrap and the world will immediately get their fingers caught in it.
    1. Re:Win2K Kerberos by Jeremy+Allison+-+Sam · · Score: 2

      No, actually it is still an issue. I have been requesting that Microsoft document this extension (Hi Peter :-) ever since I heard about Win2k (then WinNT5) being kerberos based back in '97. I was porting MIT Kerberos 5 to Windows NT 4.x at the time for Cygnus (now RedHat).

      Every time I ask (and I've asked *many* times, publicly as well as privately) Microsoft have said "yes we are committed to documenting this". I believe them. I just want to *see* the documentation first....

      Regards,

      Jeremy Allison,
      Samba Team.

  146. the worlds a changing by dms0 · · Score: 1
    we're in interesting times here

    big corporations trying to squash the little people (we haven't paid our royalties on the patent for thinking, so we shouldn't be thinking at all) and the little people telling the corporations to shove it up their collective orifices.

    it's fantastic :)

    it's a pity that a good 90% of the population has no idea about issues like this. With the way business is embracing the whole e(*cough*BULLS#$@*cough*)commerce thing the internet is gonna be around, and used widely by your average joe, and these sorts of 'innovative' strategies by these sorts of companies lay down the road that the 'general' (sic) population will use. yet most people are completely oblivious to the toing and froing that goes on behind the big murky cloud that has become the net as we know it.
    but what can we do? who knows.. I just know I'm sick to the back fscking teeth of corporations fscking over the general population who are too occupied with their 500 channels of nothing to notice.

    stop the f*@#$ing planet.. I want to bust a few heads

    I'll stop now before I start sounding like a certain /. personality :)

    Dms0
    - START THE RIOT -

    --
    You should feel guilty if your just watching - ATR
  147. Kerberos? This isn't Kerberos by jmd! · · Score: 1

    Is Kerberos Windows 2000's only option for authentication? I really only see this as weakening their OS if it isn't. Extending and embracing may work with a 90% desktop share, but on network servers, they don't have the share to get away with this.

    As far as I am concerned, *WINDOWS 2000 DOES NOT SUPPORT KERBEROS*. It supports some lame "Kerberos-like" protocol, which is useless.

  148. Why does MS want to make my job harder? by klyX · · Score: 1

    So, Microsoft is the devil and such but why must they do these "smart" moves to make every IT professional's job harder? Our PC group is enraged! Can't MS stop with the monopolyesque moves for once?

  149. Re:LDAP? by aunitt · · Score: 1

    Last time I looked they added loads of junk to the definition of the "top" object class - not a very sensible thing to do.

    Being charitable, I believe they just didn't understand. If I was being uncharitable... well what better way to break interworking with everybody else's implementation of LDAP.

  150. Re:This is obviously an attempt to break Samba by TwizzlerMan · · Score: 1

    Ummm...so you're saying the way to deal with this is to not buy Win2K until MS enables Samba to have the same capabilities, thereby getting rid of our need to buy Win2K? I'm sure Bill will take care of that immediately!

  151. Re:Apparrently Microsoft disagrees (correctly) by YU+Nicks+NE+Way · · Score: 1
    Well, on the one hand, you're right that Microsoft needs to publish the specs, but not for the reason you've been stating. I don't think that anybody here has recognized the clear perf and security consequences of the DCE approach to paired user/workstation authentication through Kerb. Microsoft's implementation may be ugly, but it solves two vexing problems with the DCE approach.

    The DCE based system requires two calls to authenticate a workstation/user pair. The Microsoft version uses a single, self-contained call to present the ACL data. If the Kerb server is heavily loaded, as they almost always are, then this is a significant perf improvement on a real network.

    More importantly, the standard DCE approach admits of a nasty race condition, where a second user uses a first user's workstation token to get at his or her user ACL entry. I have never believed the argument from "well, it doesn't happen any more". Like it or not, the MS hack completely resolves this problem, since the act of authenticating a workstation also, a fortiori, gives back a token which is labelled by its user, and this operation is atomic.

  152. Why is this _ONLY_ 2-informative? by Otis_INF · · Score: 1
    This is the only Informative article in this thread. It shows a lot about the 'real nerds' and 'computer specialists' here:
    • all people posting 'they're evil' etc, lie, at least about this topic: you don't know anything about the matter.
    • /. is not about real news for nerds but about 'how to make our readers hate (va)Linux competitors the most'. Like that will save the world. Get a life.
    • Every slightly MS bashing posting with some zdnet links will be moderated higher than this posting by altair1. How surprising.

    People here should be more aware of the fact that programming in a language is just programming in a language and not practicing politics, to give an example. If something is bad about MS, say it. If something is GOOD, say it too. Not all visitors here use linux, although, if /. goes on like this, within a year the only people left are trolls and zealots.

    Flame all you want. I don't care. It's just my concerns about a site that seems to post sometimes interesting subjects but more and more becomes a propaganda site for a special kind of OS. Clearly legal but please state that on the front page: 'News For Linuxnerds, stuff that matters for Linux'.

    --
    Never underestimate the relief of true separation of Religion and State.
  153. Embrace, Extend, Extinguish by msaulters · · Score: 1

    March 1, 2001 - AP Wire
    Microsoft announced today that its new operating system product, HAL01, will have full support of the recently adopted IPv6 protocol. "Six teams of R&D programmers contributed to this innovation, after over four years of work," said an MS spokesman. "We are ready to take the internet by storm. IPv6 is an extension of the TCP/IP protocol which computers on the internet currently use to communicate. It will allow the internet the freedom to grow exponentially as time goes on."

    The HAL01 operating system is the successor to Microsoft's highly-touted Windows2000 product. After years of manipulating hardware vendors in order to ensure the pc platform was optimized to work with Microsoft's code, they decided to name the new product in honor of the now defunct 'Hardware Abstraction Layer' component of the Windows NT product, which was no longer needed. (After their purchase of Transmeta, Microsoft designed their OS to be embedded directly in the chip, thus negating the need for a HAL).

    Unfortunately, the new support of IPv6 is not without a dark side. Said an anonymous source, "What MS isn't telling you is that they've mucked heavily with the protocol. In fact, no computer running HAL01 can communicate over IP(v6) now except with another computer also running HAL01. This means that if you want to use their new features like the DirectThought(tm) interface (an extension of DirectDraw which allows display directly to the visual centers of your brain) you'll only be able to play QuakeV6 against other HAL01 computers." When asked to comment, the Microsoft spokesman would only say "Hey, it's a Win-Win scenario!"

    --
    These people looked deep into my soul and assigned me a number based on the order in which I joined.
  154. Re:First it was Apple...? Bad analogy, dude. by aka+Snowman · · Score: 1

    Your analogy is flawed.

    Apple's online services are NOT 'embracing and extending' an existing standard... they're OS-specific 'extras', but exist outside standards and do not interfere in the implementation of any of them... unlike MSKerberos.

    Calling Apple's iTools a balkanization of the web is like calling GameSpy a balkanization of the gaming community because it's WinTel only... when Mac gamers have an equal alternative with the same functionality in GameRanger.

    akaSnowman

  155. Time to implement Samba on NT by tony+clifton · · Score: 1

    Since 3rd parties have already written ways to mount NFS shares on NT as drive letters, this seems like a great opportunity to package the Samba code to mount Win2k/NT/**And** Samba shares.

  156. Re:Better standards by Farq+Fenderson · · Score: 1

    You have a point. Although, I haven't seen anything specifying exactly how 'makes' are supposed to function (possibly because I haven't looked).

    I'll add that simply because one implementation of a standard isn't compatible with another, doesn't mean it's nonstandard -- just like we have with micros~1's implementation of Kerberos.

    ---
    script-fu: hash bang slash bin bash

  157. Re:Better standards by Farq+Fenderson · · Score: 1

    That's the problem. It still conforms to the standard. That's why the standards must change. I'm calling it 'an implementation of Kerberos' because that's technically what it is.

    That's why I'm buggin' over it. They can call it Kerberos and no one can say boo. I /wish/ I could simply say "it's not /really/ kerberos", but I can't. Sigh.

    ---
    script-fu: hash bang slash bin bash

  158. Another story on this by tj8 · · Score: 1

    http://www.developer.com/news/news1.html

    --
    Sig this.
  159. Re:Extend and embrace? by Anonymous+Covard · · Score: 1
    Heh. Don't get too worried: we've got 'em under control. Be happy they're using the core of kerberos so it won't be hard to detect and fix the changes they made.

    Wouldn't that be "reverse-engineering an access control" under the DMCA?

    (and yes, I know that the DMCA is supposed to permit that for purposes of "interoperability", but the court's already thrown that part out.)

    When did "innovate" become a synonym for "suppress competition"?

    --
    Information wants to be free -- but informants want to be paid.
  160. GPL.... by ILikeRed · · Score: 1

    Why wasn't the Spec GPLed, it would have prevented this whole problem. Microsoft would have been forced to publish their changes.

    --
    I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
    1. Re:GPL.... by Ded+Bob · · Score: 2

      MS sure did release a browser fast when Mr. Gates realized the internet was important.

      In Microsoft's defense, they do have lots of monkeys and keyboards (typewriters did not crash enough). :)

  161. looks like... by snail_talk · · Score: 1

    there will be trouble because one of the advantages of using kerberos was that it's an open standard, so it's not just some crappy protocol that's reserved for one piece of software only. now that they changed the protocol to make it _proprietary_ (urgh.), developers may find it hard to make their apps work, since remember, the protocol's closed. even if they release it, it would be interesting to see if they might put restrictions on it/only disclose part of the specifications? creating a proprietary protocol defeats the purpose of interoperability, but i'm sure that's what microsoft wants anyway. the chief software architect does not seem to know what interoperability means, nor does he want to know or care. so for those folks out there who want to take full advantage of ms windows 2000, looks like you will have to trash your unix servers. tough luck.

  162. Re:This is obviously an attempt to break Samba by |guillaume| · · Score: 1
    What's the point of boycotting Win2K?

    I'm pretty sure you won't buy it anyway if you have a good alternative running under a free OS.

    guillaume

    --

    give me all your garmonbozia

  163. Re:This is not new, secret, or prohibited by the s by not+Bruce+Perens · · Score: 1

    That little rant showed that you don't like Microsoft's way of doing business. It did not show that Microsoft is violating any legal contracts.

    It may surprise you (and relieves me) to know that the force of your will is not yet law.

  164. ZDnet had this story a few days ago. by Anonymous Coward · · Score: 2
  165. Re: "proprietary" trade secret by Patrik+Nordebo · · Score: 2

    Trade secrets have very limited legal protection compared to copyrights or patents. As I understand it, as long as you haven't actually had access to the secret information, you can divulge it all you want. So reverse engineering would be perfectly legal. That's why there are both trade secrets and patents. With a patent, you get protection for a limited time. With a trade secret, the protection lasts until someone figures the secret out (as opposed to ferreting it out).
    I am not a lawyer. I do not actually know American law. This is just a bunch of uneducated guesses.

  166. That sucks hard. by Wakko+Warner · · Score: 2
    Thing is, I have a crimper with an MMJ adaptor -- but that's the only adaptor it has. So all I can crimp are MMJ cables. I've used the damned thing exactly once -- when I was running a cable down to the basement to connect a linux box in my room to a VT420 in the basement. It worked fine, too, but you have to realize that DEC's MMJ DECConnect cables also had a couple of wire twists in them. A multimeter helped me figure out which ones they'd switched around. Unfortunately, I can't remember offhand which ones those were, and the terminal _will not work_ properly without those cables switched (and it didn't work with a straight cable and a null modem, either.)

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  167. Reverse engineer? by jbrw · · Score: 2

    Anyone wanna take bets on how long it'll take for someone to reverse engineer the MS extensions?

    IIRC, doesn't Australia (and possibly elsewhere) specifically allow reverse engineering to maintain interoperability (or somesuch)?

    Do the reverse-engineering in the US, or wherever, and get an Aussie friend to publish the results on an Australian web server.

    What, you mean the rest of the world can see that web server? Oh well, too bad...

    ...j

  168. Why Stallman created the GPL by Mike+Greaves · · Score: 2

    Not wishing to speak for RMS, but isn't this *exactly* why he created the GPL - because the MIT license allowed companies to try these stupid tricks.

    MIT (as well as every other educational institution) should release all code under the GPL, or similar licenses with protection against proprietary extensions.

    --
    -- Mike Greaves
  169. False Advertising by Effugas · · Score: 2

    Windows 2000 either supports Kerberos authentication or it doesn't.

    Kerberos is a well defined standard. If they misimplemented it in such a way that their product will not interoperate with existing Kerberos domains, then they didn't implement Kerberos.

    If Microsoft chooses to lie to their customers, no amount of IP whining is going to help--oh, unless this UCITA thing happens to pass...oh.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  170. Re:Apparently Microsoft disagrees (correctly) by Jeremy+Allison+-+Sam · · Score: 2

    > More importantly, the standard DCE approach
    > admits of a nasty race condition, where a second
    > user uses a first user's workstation token to
    > get at his or her user ACL entry.

    Huh ? This doesn't make sense. All the packets used in kerberos are integrity and privacy protected. The scenario you describe is simply not possible. Also, there is no such thing as a 'workstation token'. Kerberos principals are users and services, not machines.

    The "MS hack", as you describe it, has *nothing* to do with any potential race conditions in DCE.

    I would suggest reading "Network Security", by Perlman, Kaufman and Spencer for an excellent introduction to these topics.

    Regards,

    Jeremy Allison,
    Samba Team.

  171. Re:This was discussed on NTBugTraq by Teroc · · Score: 2

    Ha ha, trolling, I like that. In fact the only way I ever caught fish was by trolling, but I digress. Yes it doesn't pertain directly to the issue, however I felt it did provide some information regarding Kerberos, so indirectly it helped. However I did fail to post all the links at the end of the message, which do mention more of the Kerberos issue. Here they are, if any are interested:

    The DNSEXT working group home page
    RFC 2065
    RFC 2137
    RFC 2535
    Secret Key Transaction Authentication for DNS (TSIG)
    Secret Key Establishment for DNS (TKEY RR)
    GSS Algorithm for TSIG (GSS-TSIG)
    White paper on Kerberos interoperability
    Press release on Kerberos interoperability
    Simple Secure Domain Name System (DNS) Dynamic Update
  172. Re:sigh... here we go again. by chromatic · · Score: 2

    I had the same kind of questions last month. It led to an essay called "Barbarians in the Library".

    The gist of my argument is that, if open standards and protocols benefit any one person or organization more than that person or organization contributes to everyone else (as is the case for pretty much everybody!), perhaps removing those benefits will help convince a rogue organization to stop trying to embrace, extend, deform, and extinguish those standards and protocols. It would be nice to get some suggestions and critiques and comments on it. :)

    --

  173. MIT uses NT source code to fix it by Lord+Greyhawk · · Score: 2

    You can even fix NT, if you have the source code.

    MIT has campus computing labs with Solaris and IRIX. To get future NT clients to work with the existing Kerberos authentication server, they are forced to modify NT source code. (Part of project Pismere http://web.mit.edu/pismere/)

    They will also have NT mount user home directories off of the Andrew File System (AFS).

  174. Re:Better standards by Arandir · · Score: 2

    Is there anything in the Kerberos license that demands they not call it "Kerberos"?

    Why can GNU call their version of a standard "make", even though it has numerous incompatible extensions, but Microsoft is not allowed to call their version of Kerberos by the name of "Kerberos", even though it has far fewer extensions and incompatibilities than does GNU Make?

    --
    A Government Is a Body of People, Usually Notably Ungoverned
  175. LDAP? by rm+-rf+/etc/* · · Score: 2


    Is their LDAP....er, I mean Active Directory, implementation compatible within a standard LDAP environment, or did they "customize" it as well?

    1. Re:LDAP? by Paul+Johnson · · Score: 2
      I read on the Novell site (yeah, really unbiased of course) that for LDAP Micro$oft did the opposite of embrace and extend. LDAP has had a bunch of extensions added over the years which have become de facto standard. Lots of clients use these extensions, including Lotus Notes. According to Novell MS LDAP does not include these extensions, so it breaks all the standard clients. Unfortunately I can't now find that page on their site.

      Paul.

      --
      You are lost in a twisty maze of little standards, all different.
  176. according to Microsoft... by CAPSLOCK2000 · · Score: 2

    I just returned (less than an hour) from a Microsoft briefing about W2K (hey it was free and fun).
    The MS droid mostly skipped security but spent quite some time on Kerberos. He insisted the MS Kerberos was fully compatible. He even said (translation from Dutch): "the implementation was clean of incompatible Microsoft additions".
    According to him the use of the extra field was according to RFC 1510 and would work with all other clients and servers.

  177. This is true by SEWilco · · Score: 2
    Surprise. The Authentication method "Windows NT Challenge/Response" sends an encrypted challenge to the browser. A nonstandard browser just sits there...until you notice your CPU is busy and the flickering messages in the status line. More examples on Deja news by searching for "Netscape MS proxy problem".

    An MS plugin for Netscape exists, if you're running Netscape on a system which is compatible with the plugin.

    Actually, even Exchange Server has problems if not running on same server as IIS.

  178. yeah by mircea · · Score: 2

    Not to mention I submitted the story 4 days ago, and it was rejected in a matter of minutes. Who cares anymore...

  179. Re:Yes and No.... by Wah · · Score: 2

    Nothing Evil about this, just annoying

    When your kid brother punches you, that's annoying.

    When an 800lb gorilla punches you, that's evil. (because unless you figure out a way to soften the blow, you're dead)

    --

    --
    +&x
  180. Re:Totally off topic by schon · · Score: 2

    I know two people with MS: one of them is me, and the other one is my mother (yes, really.)

    Personally, I happen to think it's funny as hell.. and if I had any mod points left, I'd moderate it up as such.

  181. Copyleft patent license by divec · · Score: 2

    Yes. However, if Kerberos had been patented, and then use of the patent was granted under some copyleft license, then Microsoft couldn't have done this.
    Of course, that might not have helped either; maybe they'd just have opted for something entirely different.

    --

    perl -e 'fork||print for split//,"hahahaha"'

  182. Clarification by Hard_Code · · Score: 2

    I believe they use a field for which there is no specified use.

    This simply means that only W2K can talk Kerberos with W2K servers. It doesn't mean W2K cannot talk to other OSes. The other implementations will just disregard the field. However, if you are attempting to integrate any other systems with W2K server, you are SOL, and apparently Microsoft wants to force you to buy W2K.

    --

    It's 10 PM. Do you know if you're un-American?
  183. Obviously Kerberos is not implemented in W2k by gotan · · Score: 2

    Obviously MS has chosen to implement a standard that, while pretty similar to Kerberos, actually isn't Kerberos. The current standard is available from enough sources and Microsoft's changes are not part of it. Thus any company using W2K for which Kerberos is a critical application should sue MS on the grounds that their product W2K isn't able to use Kerberos, contrary to advertising.

    It's enough that ONE business successfully sues MS even if it's only for some K$ worth of unscheduled downtime and worktime needed to 'fix' this 'feature'.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  184. This is COMPLETELY untrue... by altair1 · · Score: 2

    Folks, this article about w2k Kerberos incompatibility is untrue. I have set up a Win2k RC2 workstation last month at my job for testing purposes. We have a Unix KDC on the network running the standard MIT Kerberos distribution. I configured the win2k workstation to authenticate against the unix KDC - and it worked perfectly. As a matter of fact, I configured the workstation using microsoft's own step by step instructions for doing so, which can be found at
    http://support.microsoft.com/support/kb/articles/Q232/1/70.ASP?LNG=ENG&SA=ALLKB&FR=0. See the part entitled "Using an MIT KDC with a Windows 2000 Workstation".

    This article may be confusing everything with earlier versions of win2k betas (AKA NT5) which microsoft had openly said would not be fully compliant with the kerberos standard. However, they changed this around the RC2 release I believe. You can find an outdated article with more details on this here:
    http://www.usenix.org/publications/login/1997-11/embraces.html.

    This older stuff is probably what they're talking about, but they have definitely changed w2k to make it fully compliant with the existing Kerberos standard...

  185. Re:You can access unix/linux, but.... by st.n. · · Score: 2
    Actually you can use W2K kerberos to access Unix/Linux kerberos systems. But you can't use Unix/Linux kerberos clients to access W2K servers. Typical Microsoft "embrace-and-extend" crap.
    Actually it's the other way round: any client can access W2K servers, but a W2K client will only work properly when communicating with a W2K kerberos server. Otherwise some Win-services like printing won't be available.

    But I think that was what I wrote when I posted that news, only with less words. :-)

    - Stephan.
    --
    Carpe diem!
  186. Re:Open Source License Addendum Suggestion by technos · · Score: 2

    Replace in any way, shape or form.

    With

    ...in the common course of business, or for gain of economic interest

    The people at Microsoft are no different than us; they deserve their individual right to the source too! If joeblow@eggsucker.microsoft.com wants to submit a patch, or tweak it to his personal liking, he should be able to. Judging him a 'lying scumbag' based on the exploits of his employer is wrong.

    --
    .sig: Now legally binding!
  187. Using more of the spec? by Tau+Zero · · Score: 2
    It is MS being their usual "we work with them (almost)" self, but in this case, they're not hiding anything. They just happen to use more of the spec than the reference one.
    If this stuff is supposedly in the spec, why are people complaining about it being undocumented and therefore not able to be rolled into, say, Samba?
    --
    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  188. Yeah Baby! Lets sling some FUD! by Greyfox · · Score: 2
    I contend that the extra field is the packet data encrypted on the ultra-secret NSA key, allowing them to eavesdrop on all network transmissions that use the protocol!

    That's right, I can dish it out as well as I can take it :-)

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  189. Re:Totally off topic by cybercuzco · · Score: 2
    Well I don't intentionally mean to offend anyone with MS (multiple sclerosis, that is); obviously my comment was meant to be funny, and I'm sure that people who have MS have a sense of humor. If you've been offended, then I'm sorry, but lighten up, the world is a harsh place, and if you can't laugh every once in awhile, you might as well get off this rock.

    --

  190. sigh... here we go again. by Captain+Sarcastic · · Score: 2
    I can envision a hue-and-cry among open source users, who will see this (quite justifiably, I might add) as Microsoft's usual policy of "embrace-and-extinguish." There will be vitriolic posts here, full of people who will suggest that we figure out how to hack Microsoft's modification, or send lots and lots of E-mails to Microsoft to vent our collective spleen, and all kinds of howls of outrage.

    Shall we try to get the word out on various news services? It could be difficult - the people who don't immediately understand the technical issues are likely to see us as "anti-Microsoft zealots," and subsequently dismiss our complaints as so much noise. Not that we've always been so good at advocating our actions - for every 10 level-headed suggestions, we have one rabid nihilistic recommendation that is far more entertaining, and grabs far more media attention. Unfair, but true.

    The problem is this - How can we figure out a way to prevent Microsoft from doing this? And how do we do it without looking like a bunch of lunatic-fringe weirdos?

    --
    Strike while the irony is hot! -- The Freethinker
    1. Re:sigh... here we go again. by mcc · · Score: 3

      What we want stopped?
      Microsoft throwing a bunch of crud into open protocols, cluttering up the protocol JUST so they can put their names on it, say "look! microsoft did something in creating this standard!" Microsoft does not extend these things to get a technical benefit from the extension; they do it to show people who's boss, to point out that MIT, the linux community, et al., is NOT in control here; this is MICROSOFT'S world, not theirs, and if they think that a community decision is going to be allowed to dictate what happens, then they have another thing coming. And, of course, in the process of extending, they proprietarize, which directly hurts the community currently using the protocol because it means that for a longish while, the original supporters of the protocol will be unable to adapt their software to be operable with microsoft's supporters; and even after the original supporters support microsoft's extension, the way they do this will more than likely be reverse-engineered and highly dodgy (*cough *cough *SAMBA* cough*).

      We don't really want microsoft to stop extending; more importantly what we want is microsoft to design their extensions to the standards in such a way as to ENCOURAGE INTEROPERABILITY. If you are going to be extending a standard, this is not evil in itself; if you are going to add something to the standard in order to get some kind of feature or benefit that you would not get without the extension, this is almost certainly a good thing. But if whatever is on the other side of the protocol from you does not comply with your extension, the result should be that neither side benefits from the presence of the extension. The result should NOT be interoperability. All recent extendable standards i can think of-- HTML being the first to come to mind-- attempt to stress methods by which failure by both ends to support the same extension results in the extension not being used, NOT in the standard becoming nonfunctional between the two sides.

      a better way to phrase the original question, i think, would be: How do we get the media, the public, and everything to the point where microsoft can no longer get away with doing this? Microsoft does not necessarily need to be stopped in this respect; but what needs to happen is people need to be _aware_ that microsoft is doing this; that microsoft is purposefully breaking functionality in a product _they paid for_ in a situation where that functionality could easily have been retained. People need to begin asking themselves the question of why microsoft is doing this. People need to be aware of the extent to which microsoft wants everything proprietary to them. If people in general were aware of what was going on, and more importantly UNDERSTOOD it, they would almost certainly disapprove; but instead we wind up with the people (who probably never go to anything requiring more authentication than My Yahoo) just going, "Kerberos? Huh?". You think "proprietary" is even in most people's vocabulary?

      I apologize if my writing here is somewhat unwieldy. I've had a bad day. :P

      -mcc-baka
      MIT-MAGIC-COOKIE-1. PH33R.

    2. Re:sigh... here we go again. by Arandir · · Score: 4

      "How can we figure out a way to prevent Microsoft from doing this?"

      What exactly do you want to stop? If you want to stop Microsoft from extending standards, then your only recourse is to make those standards proprietary. Even if Kerberos were under the GPL, Microsoft could still add an extension to it and release the modifications back. But there would STILL be an extension to Kerberos! It would then be up to the Kerberos team to incorporate the Microsoft extensions or not. Only by disallowing modifications can this be stopped.

      But the Kerberos license is unrestricted, and not copyleft. Their goal was to get Kerberos used as widely as possible. W2K with Kerberos extensions is much more compatible than W2K with no Kerberos at all.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  191. Even dumb by M$ standards by 348 · · Score: 2

    Reminds me of the old DEC days when they made proprietary RJ-11 connectors: they had the tab on the side so you could only use sanctioned DEC cables, which were twice as expensive. I can see parallels in what M$ is doing, for obvious reasons, but when will M$ learn that every time they do something like this they really create long term damage to their products and alienate their customer base. Whatever PHBs at M$ supported this should be canned; this is even bad by M$ standards.

    --

    More race stuff in one place,
    than any one place on the net.

  192. Open Source License Addendum Suggestion by Dharzhak · · Score: 2

    Y'know we'd save a lot of headache if every open source license had the following addendum:

    Microsoft, and any subsidiary company or employee thereof, is specifically barred from modifying this source code in any way, shape or form.

    If you can't join 'em, beat 'em...preferably with a big stick.

  193. This is a creative move. by RainBrot · · Score: 2

    Let's give proper credit. For once, Microsoft has NOT perverted the standard. They have used a field in the way the RFC described. I believe the RFC actually states that the field is free-form, and that its contents should be defined by the application.

    The complaint against Microsoft regarding this issue is that their specific use is a secret.

    This is a fairly creative move on Microsoft's part. From appearances, they have fully embraced the standard and have followed it to the letter.

    They simply chose to keep a secret.

    Why can't Microsoft keep a secret? Sure, it's annoying, but is it illegal or morally/ethically wrong? I don't know. I'm biased, so it seems wrong to me.

    I don't think it benefits consumers. It is a barrier to interoperability. It is unlikely that this single secret required a significant amount of research and development, except maybe to identify it as a strategic thing to keep secret.

    It won't take long for someone to reverse engineer it or pry the information out of Microsoft, but in the meantime everyone is going to appear to be lagging behind Microsoft in the W2K-compatible server arena, and Microsoft will gain market share. It is unlikely that the DoJ will be able to reverse that.

    Regarding traceroute... there is no "right" way to traceroute. Traceroute is a hack. It was not designed into IP. It simply uses conveniently available IP capabilities to accomplish its goal.

    Even IF Microsoft's traceroute is not the same as others, their implementation hasn't failed me... so I find any implementation difference to be far less annoying than the fact that they called it "tracert.exe" instead of "traceroute.exe".

    None of the operating systems on which "tracert.exe" ships are restricted to 8.3 filesystems. Maybe it's cuz of the ISO9660 filesystem. Whatever the case, it's annoying.

    Hmm... I seem to be drifting here... wheee! [submit]

  194. DEC MMJ connectors by TheGratefulNet · · Score: 2
    I used to work at dec, many years back.

    the way the MMJ (modified modular jack) came about was to protect devices from being plugged into phone lines. rj11 for comms devices is braindead, IMHO. rj11 is for telco current loop stuff - period! for serial 232 style devices, the MMJ made perfect sense.

    and with ethernet being a wider connector (rj45), you have the same benefit as the MMJ - you can't plug a serial cable into a phone jack.

    ok - well, a lot of people are using rj45 for phone connectors today. that still doesn't make it right. rj11=phone; rj45=data. why do folks have problems understanding this?

    --

    --

    --
    "It is now safe to switch off your computer."
  195. Actually the article is wrong by qi3ber · · Score: 2
    According to a page on microsoft's site:

    "Windows 2000 clients, either Server or Professional, can be configured to use an MIT Kerberos server. This provides a single sign-on to the MIT KDC and a local Windows 2000 client account"

    You can read more about this at http://support.microsoft.com/support/kb/articles/Q232/1/70.ASP?LNG=ENG&SA=ALLKB&FR=0

    So at least they didn't completely break kerberos.

  196. Re:Apparently Microsoft disagrees (correctly) by Anonymous Coward · · Score: 3

    First things first. The mag is wrong, we did Kerb5/Win2000 testing most of last year and it was sometimes broken in the -betas-. Final product does work as stated.

    MS-Extensions. - This is the vendor data that is allowed as part of the spec. Same place the IBM/Transarc/SecurityDynamics/Entrust/etc put their proprietary data.

    3. Won't talk to other Kerb'5 boxes. BULLSHIT on client and server.

    4. No real interoperability. If you don't read the damn docs and keep your head up your a**. Otherwise it works like this:

    Unix Realm MitK5 manual secured vpn type link Win2000 KDC Win2000 AD -> backlevel NT4 domains.

    if you want your NT4 box to authenticate in Unix kerb5 go right ahead. The user ticket will be fine on a trusted NT based kerb realm. Same goes in reverse.

    What you lose. Same problems as with all -legal-but-not-required- things; no matter whose extension it is, one side can't process the vendor data. Solve the problem by static mapping trusted and untrusted principals in the kerb realms. It can be a pain and is really only a small scale fix. Same as the other K5 vendors' solutions.

    no, you can't make a host part of two realms at once. This is true on all kerb versions.

    silver lining. The K4 world sucked and K5 sucks less. The problems of the vendor data have been ignored by most vendors (hello IBM) until MS started showing code to the Win2000 Kerb modules and working with MIT and the standards group to get the vendor spec closed. No one wants to say the MS-Kerb is spec clean and that they aren't. Hence the recent interest other vendors have displayed about joining in cleaning up kerb5.

    btw, there is a big bug in cross-realm auth that is (hopefully) fixed in sp1 (eta march-april). It hits Win2k to Win2k just as well

  197. It might be a legitimate use? by /dev/niall · · Score: 3
    While I'm sure that Microsoft's intentions were to break existing Kerberos installations so they NEED Win2K somewhere in the mix, it doesn't look like an incorrect use of the field in question. If they argue that they're granting rights to Windows resources only anyway... here's a snippet from RFC 1510:
    authorization-data

    The authorization-data field is used to pass authorization data from the principal on whose behalf a ticket was issued to the application service. If no authorization data is included, this field will be left out. The data in this field are specific to the end service. It is expected that the field will contain the names of service specific objects, and the rights to those objects. The format for this field is described in section 5.2. Although Kerberos is not concerned with the format of the contents of the subfields, it does carry type information (ad-type).

    By using the authorization_data field, a principal is able to issue a proxy that is valid for a specific purpose. For example, a client wishing to print a file can obtain a file server proxy to be passed to the print server. By specifying the name of the file in the authorization_data field, the file server knows that the print server can only use the client's rights when accessing the particular file to be printed.

    It is interesting to note that if one specifies the authorization-data field of a proxy and leaves the host addresses blank, the resulting ticket and session key can be treated as a capability. See [9] for some suggested uses of this field.

    The authorization-data field is optional and does not have to be included in a ticket.

    Please note that I'm not defending Microsoft! It's pretty obvious what their intentions were given their track record.

    --
    --
  198. Apparently Microsoft disagrees by X · · Score: 3

    I had heard this rumour long before W2K came out. However, according to this document, such interoperability is possible. I'm not sure who to believe.

    --
    sigs are a waste of space
  199. This really CHAPs my ass! by SpiceWare · · Score: 3

    I've had to fight Microsofts CHAP implementation in the past. At a prior company I worked I used to have to dial in to support our EDI software(24 hour support, but seldom needed to call in). I used my OS/2 system to access our AS/400. For some reason they changed our dial-up hardware to NT and all of a sudden I was no longer able to dial in.

    I eventually tracked it down to the MS version of CHAP not liking my standard CHAP routines. They wouldn't change the settings to accept standard CHAP as "it would make the system less secure". They didn't like my question of "If 90% of the systems are using Windows, then how does MS-CHAP make it more secure?"

    I refused to change my home system to Windows due to work requirements(what I use on my own time is my choice, not theirs). For a few months I didn't provide support from home until I stumbled across a new PPP dialer, Injoy, that had MS-CHAP support.

  200. Extend and embrace? by Signal+11 · · Score: 3
    And this is new for Microsoft? Now, what is really humorous about this is that now that the kerberos people are aware of this they'll add "MS extensions" back into the codebase to allow interoperability.. just like pppd added support for MS CHAP and the extra garbage that's sent over the protocol.

    Heh. Don't get too worried: we've got 'em under control. Be happy they're using the core of kerberos so it won't be hard to detect and fix the changes they made.

  201. Ah, the irony... by Admiral+Burrito · · Score: 3

    Acually it's the other way round: any client can access W2K servers, but a W2K client will only work properly when communicating with a W2K kerberos server.

    Does anyone else see the irony here? MS-Kerberos forces Win2k clients to use a Win2k server...

    Kerberos keeps the damned in Hades. Film at eleven.

  202. You can access unix/linux, but.... by Kevinv · · Score: 3

    Actually you can use W2K kerberos to access Unix/Linux kerberos systems. But you can't use Unix/Linux kerberos clients to access W2K servers. Typical Microsoft "embrace-and-extend" crap.

    Microsoft used the semi-documented (but not in the official spec) data authorization field in the kerberos ticket to their own purposes and refuses to tell anyone what they did.

  203. By the way ... by Stavr0 · · Score: 3

    according to Microsoft Mythology, Kerberos is a cat and it's got four heads. It guards the gates of heck.
    ---

  204. UCITA test? by EnderWiggnz · · Score: 3

    maybe MS will test the UCITA and not allow reverse-engineering of this "proprietary" tradesecret that they obviously enhanced...

    I get the distinct impression that the word "interoperability" has a different definition for MS... basically:
    "All of MS's products work with MS products... how much more do you want?

    --
    ... hi bingo ...
  205. The best part! by bifrost · · Score: 3

    The best part is that the MS Kerberos extensions *STILL* Rely on the old insecure Domain Authentication system. They actually pass tickets between machines with that. We all know how wonderful that system is, and of course how secure it is. You still won't find MS Kerberos to be useful, the only way for Win2k to correctly authenticate to a Kerberos domain, is to make it part of a guest/second domain, in which the W2k PDC is the KDC for a second domain!

    It's retarded; it still relies on the old screwed up MS Security junk, which is *STILL* compatible with the ancient LanMan authentication. Something that is still easily crackable. Don't throw away that old L0phtcrack yet, there is still use for it.

    About the only good thing about Win2k is that you don't *HAVE* to reboot for the almost 100 things you used to have to, now it's just like 10-15 things that you do. And that it's got IPSec built in, but apparently you still need to have a Win2k Cert server for that to work, so it's the same old story. *sigh*

  206. Better standards by Farq+Fenderson · · Score: 3

    There is a solution to this. Or at least to stop it from happening in the future.

    Standards could be written in such a way that any extended features must be requested before their use. If they aren't available, then the client / server MUST continue without the use of that extended feature.

    This would eliminate incompatibilities like this, since any closed (or otherwise) implementation that doesn't function without a certain extended feature could not claim to conform to the standard. At this point micros~1 could not claim they've got an 'enhanced implementation of standard X' when their version is incompatible with everyone else's. They could only claim to have an 'incomplete implementation of standard X'. The key is placing portability implicitly in the standard.

    ---
    script-fu: hash bang slash bin bash
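    The RFC 1510 excerpt quoted a few posts up says the contents of authorization-data are specific to the end service, and the "Better standards" post above argues that a conforming implementation must keep working when an extension is absent. As an added example that is not from this thread, from MIT Kerberos, or from any vendor's code, here is a minimal DER codec for that AuthorizationData element (SEQUENCE OF SEQUENCE { ad-type[0] INTEGER, ad-data[1] OCTET STRING }, with the explicit context tags Kerberos uses) together with two toy consumers: one that skips an unknown ad-type and still accepts the ticket, and one that refuses to proceed unless its own vendor element is present, which is the behaviour the thread complains about. The ad-type value 200 and the sample ad-data are constructed placeholders, not any vendor's real values, and ad-type 1 is used only as a stand-in for a standard entry.

```python
"""Added example: DER codec for Kerberos AuthorizationData plus two toy
consumers showing tolerant vs. strict handling of a vendor ad-type.
All sample values below are constructed for illustration."""
from typing import Dict, List, Set, Tuple

AD_VENDOR_PLACEHOLDER = 200   # constructed placeholder ad-type, not a real one
Entry = Tuple[int, bytes]     # (ad-type, ad-data)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER; a leading 0x00 appears when the top bit is set."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_authorization_data(entries: List[Entry]) -> bytes:
    """Encode (ad-type, ad-data) pairs; [0] and [1] are EXPLICIT context tags."""
    elems = b"".join(
        _tlv(0x30, _tlv(0xA0, _der_int(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))
        for ad_type, ad_data in entries
    )
    return _tlv(0x30, elems)


def _read_tlv(buf: bytes, pos: int, want: int) -> Tuple[bytes, int]:
    """Read one TLV at pos, check its tag, return (body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element body")
    return buf[pos:end], end


def decode_authorization_data(der: bytes) -> List[Entry]:
    """Decode AuthorizationData, rejecting truncated input and trailing bytes."""
    outer, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    entries: List[Entry] = []
    pos = 0
    while pos < len(outer):
        elem, pos = _read_tlv(outer, pos, 0x30)
        tagged_type, p = _read_tlv(elem, 0, 0xA0)
        raw_int, _ = _read_tlv(tagged_type, 0, 0x02)
        tagged_data, p = _read_tlv(elem, p, 0xA1)
        ad_data, _ = _read_tlv(tagged_data, 0, 0x04)
        if p != len(elem):
            raise ValueError("trailing bytes inside AuthorizationData element")
        entries.append((int.from_bytes(raw_int, "big", signed=True), ad_data))
    return entries


def tolerant_consumer(der: bytes, known_types: Set[int]) -> Dict[str, object]:
    """RFC 1510 reading: the field is end-service specific, so an unknown
    ad-type is skipped and the ticket is still usable."""
    entries = decode_authorization_data(der)
    return {
        "accepted": True,
        "used": [e for e in entries if e[0] in known_types],
        "ignored": [e[0] for e in entries if e[0] not in known_types],
    }


def strict_consumer(der: bytes, required_type: int) -> Dict[str, object]:
    """The behaviour the thread complains about: refuse unless the vendor
    element is present, so only a KDC that emits it is usable."""
    entries = decode_authorization_data(der)
    present = any(t == required_type for t, _ in entries)
    return {"accepted": present, "reason": None if present else "vendor element missing"}


if __name__ == "__main__":
    ticket_ad = encode_authorization_data([(1, b"std"), (AD_VENDOR_PLACEHOLDER, b"vendor-blob")])
    print(ticket_ad.hex())
    print(tolerant_consumer(ticket_ad, {1}))
    print(strict_consumer(encode_authorization_data([(1, b"std")]), AD_VENDOR_PLACEHOLDER))
```

    The point of the two consumers is that the same DER bytes are valid under the RFC either way; what breaks interoperability is not the presence of a private ad-type but a peer that treats its absence as a hard failure. The decoder also rejects truncated or trailing bytes rather than guessing, which is the safe default for any parser sitting in an authentication path.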

  207. More info available... by logicTrAp · · Score: 4

    You can get some more info on this issue in the Kerberos FAQ

  208. This is obviously an attempt to break Samba by Anonymous Coward · · Score: 5

    From zdnet:

    "[Windows 2000 product manager] Boettcher added that both Unix workstations and Win2000 desktops may log in to the Win2000 server. But Win2000 desktops cannot log in to a Unix Kerberos server and receive access to Win2000 resources such as file and print, he said."

    Every new release of Windows NT to date has added "extensions" to SMB designed to prevent third party vendors from acting as SMB servers. Since Samba is a better SMB implementation than Micro$oft's, obviously MICROS~1 marketing were afraid Samba was cutting into NT Server sales. Hence this transparent attempt to render Samba worthless for Win2K clients.

    The only credible response to this is a complete boycott of Win2K until Microshaft provides the Samba development team with the information they need to make Samba interoperate with Win2K clients.

  209. Re:Apparently Microsoft disagrees (correctly) by Jeremy+Allison+-+Sam · · Score: 5

    > Can you link to any hard data?

    Yep. The O'Reilly book, "DCE Security Programming" by Wei Hu, ISBN 1-56592-134-8 (just don't buy it from Amazon :-).

    Page 37, section entitled "How PAC's are used" explains how a standard Kerb5 TGT is obtained, then a ticket to the privilege service is obtained, then a second TGT (called a PTGT) is obtained from the privilege service. This PTGT contains the authorisation data (user and groups in the form of DCE UUIDs) stored in the "application data" field.

    It was done this way so a *standard* kerb5 server could be used as an authentication source, with a secondary server used as an *authorization* source.

    Microsoft could have done the same. They didn't, but modified the Kerb5 KDC directly and put authorization data into the TGT. That's what the fuss is about.

    Regards,

    Jeremy Allison,
    Samba Team.

  210. Re:Apparently Microsoft disagrees (correctly) by Jeremy+Allison+-+Sam · · Score: 5

    > MS-Extensions. - This is the vendor data that is
    > allowed as part of the spec. Same place the
    > IBM/Transarc/SecurityDynamics/Entrust/etc put
    > their proprietary data.

    This is incorrect. The DCE PACs are created by first getting a *standard* TGT from a Kerb5 KDC, then using that to get an additional TGT containing the PAC. Microsoft could have done the same. They chose not to. That is what people are objecting to.

    Regards,

    Jeremy Allison,
    Samba Team.

  211. This was discussed on NTBugTraq by Teroc · · Score: 5

    mailing list several days previous. Here is the 'relevant' information, posted by a rep from Microsoft:

    When RFC 2137 "Secure Domain Name System Dynamic Update" was written, it was
    based on the then-current DNSSEC spec, RFC 2065 "Domain Name Security
    Extensions". RFC 2535, a re-write of DNSSEC based on implementation and
    deployment experience, obsoletes RFC 2065. A side-effect of the deprecation
    of RFC 2065 is the invalidation of RFC 2137. RFC 2137 is not safe for
    implementation.

    Upshot: there is no IETF standard for DNS secure dynamic update.

    Two years ago we had to make a call on whether or not we should implement
    DNSSEC (RFC 2065) in Windows 2000. DNSSEC - which is a public key
    infrastructure unto itself - is very complex. In our judgment, at the time,
    it was not ready for implementation and deployment. It followed that RFC
    2137 was also not ready for implementation and deployment.

    Still, we needed a solution for secure dynamic update. As it happened, the
    DNSIND working group in the IETF had already recognized that DNSSEC was not
    appropriate in all situations, and that there was a demand for a lightweight
    (shared secret) alternative. Two complementary Internet-Drafts were
    published to satisfy this requirement: "Secret Key Transaction
    Authentication for DNS (TSIG)", and "Secret Key Establishment for DNS (TKEY
    RR)".

    TSIG and TKEY alone do not solve the key distribution problem inherent in
    any secret key system. However, both mechanisms allow for extension, which
    permitted us to publish a third complementary draft, "GSS Algorithm for TSIG
    (GSS-TSIG)". The GSS-API mechanism enables us to use integrated Windows
    security to solve the key distribution problem, and ensure our customers
    will have no additional key management burden associated with secure update.

    The GSS-TSIG draft has been available since November of 1997. Microsoft
    would be happy to assist any vendors who wish to develop an independent,
    interoperable implementation. We have already demonstrated GSS-API/Kerberos
    interoperability between Windows 2000 and other GSS/Kerberos implementations
    (see below for more information).

    The DNSEXT working group (a consolidation of the DNSIND and DNSSEC working
    groups) is currently working on an Internet-Draft to replace RFC 2137. This
    draft, called "Simple Secure Domain Name System (DNS) Dynamic Update",
    separates the authentication of an update from the later DNSSEC
    authentication of the data. The draft acknowledges the TSIG/TKEY method as
    a way to authenticate updates. When TSIG, TKEY, GSS-TSIG, and Simple Secure
    Dynamic Update reach standard status, there will be an IETF standard for DNS
    secure dynamic update.

    Microsoft is continuing to evaluate the viability of and demand for
    DNSSEC/public key-based security for DNS.

    Note especially the third paragraph from the end, where MS will gladly 'help' you write a standard :)
    Cheers

  212. Yes and No.... by trims · · Score: 5

    Actually, MS's implementation interoperates to a certain degree with the reference MIT one. The difference that people are pointing out is that MS implemented one of the "optional" features that the reference implementation doesn't.

    Now, this is good and bad. What it means is that MS clients can authorize to an MIT-based server's realm, and that UNIX clients can authorize to a MS-based realm, though you really need to run an MS server as the "native" realm for the MS clients, in order to have this extra field for the MS clients to use. I think they use it for something in Active Directory, but I'm not sure.

    It is MS being their usual "we work with them (almost)" self, but in this case, they're not hiding anything. They just happen to use more of the spec than the reference one.

    There's nothing keeping someone from taking the MIT software and adding the optional feature that MS uses. In fact, it's not hard to do (we once looked at doing exactly this). IASMOP (It's A Simple Matter Of Programming). The hitch is that you have an installed base that needs to be upgraded, which is kinda a bummer.

    And no, this isn't new. I found out about this almost 2 years ago.

    Nothing Evil about this, just annoying.

    -Erik

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.

  213. More information by coyote-san · · Score: 5

    A lot of people are reacting to MS's "breaking" yet another standard, and don't understand the real problem that MS is trying to solve.

    In a nutshell, Kerberos is a *network* authentication mechanism, not a system authentication mechanism. That means that when John Smith sits down at his terminal and acquires a Kerberos ticket, it's validated against a central site *with no cross-reference to local information.*

    In an ideal world, the principal name and local user name would be identical. The local system could then look up the principal name in its local user database and acquire user information from /etc/passwd and /etc/groups, or their local equivalents. In the real world, this isn't always possible but many sites use a (standard?) secondary mechanism that maps Kerberos principals to local user names, and again you acquire user information from /etc/passwd and /etc/group.

    Other alternatives are getting that information out of NIS, LDAP, etc., or Kerberos-enhanced versions of the same if they're paranoid about someone trying to spoof that information.

    (AFAIK) what MS did with W2Kerberos is put the equivalence of /etc/passwd and /etc/group information into the "authorization" field. That's unusual, but not inappropriate -- and arguably an elegant solution to the crippled NT environment.

    However, for reasons that make no sense to anyone in this reality they decided to digitally sign that information. From a security standpoint, this is utterly insane - Kerberos tickets already use strong encryption and session keys, so there's nothing to be gained by adding an additional layer of encryption to the payload. Furthermore, the KDC should be physically and electronically secured, so it should not be a significant risk to maintain unsigned user authority information on the KDC in plaintext. Assuming you don't simply colocate those services, of course!

    However, digitally signing that data and failing to disclose the details is an excellent way to control market share, if the user community doesn't rip their head off for this trick. In this case it's a possibility since the sites that use Kerberos are more security-aware than your average site, and they might not be willing to compromise their security by maintaining two realms (or worse, replacing their Unix KDCs with Windows KDCs).

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
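    The two behaviours argued about above, the "MUST continue without the extended feature" rule from comment 206 and the user/group data carried in the authorization field from comment 213, modelled as an added example (this is not code from the page, from Samba or from Microsoft). It assumes a deliberately simplified ticket: authorization data is a list of (ad-type, ad-data) pairs, the two ad-type numbers come from the RFC 4120 registry, an HMAC stands in for the real PAC signature, and LOCAL_DB is a constructed stand-in for /etc/passwd and /etc/group.

```python
import hashlib
import hmac
import json

AD_IF_RELEVANT = 1    # RFC 4120: elements inside may be ignored if not understood
AD_WIN2K_PAC = 128    # ad-type registered for the Windows 2000 PAC

# Constructed stand-in for /etc/passwd and /etc/group on the application server.
LOCAL_DB = {"jsmith": {"uid": 1001, "groups": ["users", "staff"]}}
MAC_LEN = 32          # length of the HMAC-SHA256 tag appended to the PAC body

def make_pac(user, groups, kdc_key):
    """Constructed PAC: user/group info plus an HMAC standing in for the KDC signature."""
    body = json.dumps({"user": user, "groups": groups}, sort_keys=True).encode()
    return body + hmac.new(kdc_key, body, hashlib.sha256).digest()

def parse_pac(blob, kdc_key):
    """Check the tag before trusting any group membership carried in the ticket."""
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(kdc_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("PAC signature check failed")
    return json.loads(body)

def find_pac(authz):
    """Walk the authorization-data list, descending into AD-IF-RELEVANT containers."""
    for ad_type, ad_data in authz:
        if ad_type == AD_IF_RELEVANT:
            found = find_pac(ad_data)
            if found is not None:
                return found
        elif ad_type == AD_WIN2K_PAC:
            return ad_data
    return None   # extension absent: a plain MIT-style ticket

def authorize_tolerant(principal, authz, kdc_key):
    """Uses the extension when present, otherwise falls back to the local user database."""
    pac = find_pac(authz)
    if pac is not None:
        info = parse_pac(pac, kdc_key)
        return info["user"], info["groups"]
    local = principal.split("@")[0]          # simplest principal -> local name mapping
    entry = LOCAL_DB.get(local)
    if entry is None:
        raise PermissionError("no local account for " + principal)
    return local, entry["groups"]

def authorize_strict(principal, authz, kdc_key):
    """Refuses any ticket without the extension: the interoperability failure in the story."""
    pac = find_pac(authz)
    if pac is None:
        raise PermissionError("ticket carries no PAC; cannot authorize " + principal)
    info = parse_pac(pac, kdc_key)
    return info["user"], info["groups"]
```

    A consumer written like authorize_tolerant keeps working against a KDC that never emits the field; one written like authorize_strict only works against a KDC that does.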

  214. Totally off topic by cybercuzco · · Score: 5

    This is off topic, but did anyone else notice the unintentionally funny headline at BBC Sci/tech? It says "cannabis helps 'MS' sufferers". I, of course, totally agree. If I used Windows I'd have to be smoking pot too ;-)

    --