=====================================================
README ADDENDA

This file contains additional changes and updates to the readme.txt file
shipped with Distributed Computing Environment (DCE) for Windows NT,
Version 2.2.
=====================================================

Contents

A.1  IBM DCE Client for OS/2
A.2  Entrust/Entelligence Limitations
A.3  Configuration of the Identity Mapping Server
A.4  PKC (Public Key Certificate) Login with Reserved DCE Principals
A.5  Change in Auditing of Login Attempts
A.6  Auditing Name-Based Authorization
A.7  dcecp Commands Not Supported by Slim Client
A.8  Daylight Savings Time Issue for Some Time Zones
A.9  dcecp cdscache dump Command Restriction
A.10 CDS Replica Unconfig May Fail to Remove All References to Clearinghouse
A.11 Additional Information on DCE for Windows 95
A.12 Viewing Online Documentation Directly from the CD

=====================================================
A.1 IBM DCE Client for OS/2

The Quick Beginnings document states incorrectly that the IBM Distributed
Computing Environment Client including Distributed File System for OS/2
Warp, Version 4.0 is included with DCE for Windows NT, Version 2.2.

=====================================================
A.2 Entrust/Entelligence Limitations

While testing PKC (Public Key Certificate) Login support, the following
Entrust/Entelligence limitations were encountered:

* On systems running the DCE Security Server (secd) or Identity Mapping
  Server (idmsd) together with Entrust ELI (etli40), only the NT
  Administrator can log in to DCE using PKC Login. This problem can be
  avoided by disabling ELI.

* In an environment with a substantial amount of concurrent login
  activity, the DCE Security Servers may receive errors from Entrust while
  processing authentication messages. This results in failed PKC Login
  attempts.

  If NOTICE level logging is enabled in the DCE Serviceability routing
  file before secd is started, the DCE Security Servers will log the
  Entrust errors in the notice.log file. The following two errors are
  currently being investigated by Entrust Technologies Customer Support:

  1998-11-07-20:03:04.553-06:00I----- secd NOTICE pkc pkc_ent .\pkinit_cms_ent.c 231 0x01c1b418 msgID=0x05F5202D Entrust: .\pkinit_cms_ent.c(571), -4060
  1998-11-08-20:13:04.533-06:00I----- secd NOTICE pkc pkc_ent .\pkinit_cms_ent.c 231 0x01c1b418 msgID=0x05F5202D Entrust: .\pkinit_cms_ent.c(571), -483

  These errors affect only PKC Login users; the DCE Security Servers
  continue to process non-PKC requests. To work around these problems,
  restart secd on the Security Server where the error is logged.

* Use of Entrust/Lite or the Entrust/PKI in "lite mode" with PKC Login is
  not supported.

=====================================================
A.3 Configuration of the Identity Mapping Server

When configuring a DCE Security Server to support Public Key Certificate
Login, you must configure at least one Identity Mapping Server (IDMS) in
the cell. For improved performance, we recommend configuring an IDMS on
each Security Server. Using DCEsetup, you must explicitly select
"Identity Mapping Server"; it is not automatically configured when you
select "Certificate Based Login."

=====================================================
A.4 PKC Login with Reserved DCE Principals

Reserved DCE principals are not allowed to use Public Key Certificate
Login. In DCE/NT 2.2, principals which have the Reserved flag set include:

* the administrative id specified when the cell is initially configured,
* the krbtgt principal for the cell, and
* the self principal for the system which is the initial master security
  server.

One side-effect of this restriction is that you cannot supply the name of
an Entrust user profile as the cell_admin id during DCE configuration.
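The two notice.log entries quoted in A.2 are the operator's cue that PKC Login is failing on a Security Server. The following added example (not part of this readme or the DCE product) parses lines in that layout and counts the Entrust error codes; the positional field names in the regular expression are assumptions read off the two quoted lines, and the third sample line is constructed.

```python
import re
from collections import Counter

# One notice.log entry as laid out in A.2. Field names are assumed from the
# two quoted lines; the msgID and the "Entrust: file(line), code" tail are
# what the check keys on.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<component>\S+)\s+(?P<severity>\S+)\s+\S+\s+\S+\s+"
    r"(?P<file>\S+)\s+(?P<line>\d+)\s+(?P<thread>0x[0-9A-Fa-f]+)\s+"
    r"msgID=(?P<msgid>0x[0-9A-Fa-f]+)\s+(?P<text>.*)$"
)
ENTRUST_RE = re.compile(r"^Entrust:\s+\S+\((?P<srcline>\d+)\),\s+(?P<code>-?\d+)$")
PKC_ENTRUST_MSGID = 0x05F5202D   # msgID carried by both lines quoted in A.2

def parse_entrust_error(line):
    """Return (timestamp, entrust_code) for a secd NOTICE carrying an Entrust
    error code, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m or m["component"] != "secd" or int(m["msgid"], 16) != PKC_ENTRUST_MSGID:
        return None
    e = ENTRUST_RE.match(m["text"])
    return (m["ts"], int(e["code"])) if e else None

def entrust_errors_by_code(lines):
    """Count Entrust error codes seen. Any hit means PKC Login is failing on
    this Security Server and secd needs the restart described in A.2."""
    return Counter(hit[1] for hit in map(parse_entrust_error, lines) if hit)

# Sample input: the two lines from A.2 plus one constructed, unrelated NOTICE
# that the check must ignore.
SAMPLE_LOG = [
    r"1998-11-07-20:03:04.553-06:00I----- secd NOTICE pkc pkc_ent .\pkinit_cms_ent.c 231 0x01c1b418 msgID=0x05F5202D Entrust: .\pkinit_cms_ent.c(571), -4060",
    r"1998-11-08-20:13:04.533-06:00I----- secd NOTICE pkc pkc_ent .\pkinit_cms_ent.c 231 0x01c1b418 msgID=0x05F5202D Entrust: .\pkinit_cms_ent.c(571), -483",
    r"1998-11-08-20:14:00.000-06:00I----- secd NOTICE gen gen_main .\main.c 10 0x01c1b418 msgID=0x00000001 Server started (constructed line)",
]

if __name__ == "__main__":
    for code, n in sorted(entrust_errors_by_code(SAMPLE_LOG).items()):
        print(f"Entrust error {code}: {n} hit(s); restart secd on this Security Server")
```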
=====================================================
A.5 Change in Auditing of Login Attempts

In previous versions of DCE, if the authorization mechanism for an audited
event relied only on names, the event would never be properly audited
when an invalid name (i.e., a string which is not a valid DCE principal
name) was used. In this release, when any event that relies only on names
for security (name-based authorized RPC, pre-authentication) is audited
and given a non-DCE principal name, the event will be audited properly.

If the name that was used is a valid DCE principal name, the principal's
UUID will be stored in the audit record as the "Client UUID". If the name
provided is not valid, the client UUID will be set to all zeroes, the
authorization status will be rpc_c_authz_name (displayed as "Authorized
with a name" by dce_aud_print() and dcecp audtrail show), and the name
will be stored as the first event-specific item in the audit record.

This is not the default behavior for name-based authorization, but it has
been enabled for the AS_Request, TGS_TicketReq, TGS_RenewReq, and
TGS_ValidateReq events.

Some examples:

* A user logs in with dce_login and a non-DCE principal, giving an
  incorrect third-party protocol password. The audit record for that
  event (AS_Request 0x101) will contain: an outcome of failure, an
  authorization status of rpc_c_authz_name, a nil client UUID, and the
  only event-specific item will be the string that the user gave as the
  principal to dce_login.

* A user logs in using dce_login and a valid DCE principal, giving an
  incorrect third-party protocol password. The audit record for that
  event (AS_Request 0x101) will contain: an outcome of denial, an
  authorization status of rpc_c_authz_name, and a client UUID which
  identifies the principal name given to dce_login.

* A user logs in using dce_login and the name of an Entrust user profile,
  giving an incorrect Entrust passphrase for that profile. The audit
  record will contain an outcome of denial and an authorization status of
  rpc_c_authz_name. If the Entrust profile name does not match a valid
  DCE principal name, the client UUID will be all zeroes and the profile
  name (given to dce_login) will be the only event-specific item in the
  audit record.

* A user logs in using dce_login and the name of an Entrust user profile,
  giving the Entrust passphrase for that profile. The audit record for
  that event (AS_Request 0x101) will contain an outcome of success and an
  authorization status of rpc_c_authz_name. If the Entrust profile name
  does not match a valid DCE principal name, the client UUID will be all
  zeroes and the profile name provided to dce_login will be the only
  event-specific item in the audit record.

The name stored in the audit record is the name the user supplied when he
or she attempted to log in. If the name happens to be a valid DCE
principal name, then the principal's UUID will be stored. Otherwise, the
name will appear in the event-specific information. With PKC Login, if
the Entrust user profile name is the same as any DCE principal name, the
UUID for that principal will be stored as the client UUID in the audit
record and there will be no event-specific information.

=====================================================
A.6 Auditing Name-Based Authorization

Application developers who will be auditing events which use name-based
authorization should note that storing a non-DCE name as the first
event-specific item is not the default behavior.

Name-based authorized events may be audited in two ways. If the client
made a name-based RPC call, the server will have a binding handle which
carries the name the client used. This handle should be given to
dce_aud_start(). Alternatively, if the event does not have a binding
handle but has some identifying name for the client, that name should be
given to dce_aud_start_with_name() as the "client" parameter.
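Whoever reviews the audit trail for failed logins has to recover the supplied name from two different places, depending on whether it was a DCE principal (client UUID) or not (first event-specific item with a nil UUID). The following added example (not part of this readme or the DCE product) applies the A.5 rules to AS_Request records; the record dictionary layout, the principal registry and the UUID value are constructed for the example and do not reflect the on-disk audit trail format.

```python
import uuid
from collections import Counter

AS_REQUEST = 0x101                 # event number given in A.5
NIL_UUID = uuid.UUID(int=0)        # the "all zeroes" client UUID
AUTHZ_NAME = "rpc_c_authz_name"

# Constructed registry of the principals that exist in this example cell.
PRINCIPAL_BY_UUID = {
    uuid.UUID("0ec1a3d2-5e7b-11d2-8f80-0004acb12345"): "alice",   # constructed
}

def supplied_name(rec, principals=PRINCIPAL_BY_UUID):
    """Recover the name typed at dce_login from an AS_Request record.

    Returns (name, is_dce_principal). Per A.5, a non-DCE name rides in the
    first event-specific item with a nil client UUID, while a DCE name is
    carried only as the principal's UUID with no event-specific item."""
    if rec["event"] != AS_REQUEST or rec["authz_status"] != AUTHZ_NAME:
        raise ValueError("not a name-based AS_Request record")
    if rec["client_uuid"] == NIL_UUID:
        return rec["event_specific"][0], False
    return principals[rec["client_uuid"]], True

def unsuccessful_logins_by_name(records):
    """Count failure and denial outcomes per supplied name, tagging each name
    as a DCE principal or a non-DCE string so unknown names stand out."""
    counts = Counter()
    for rec in records:
        if rec["outcome"] == "success":
            continue
        name, is_dce = supplied_name(rec)
        counts[(name, "dce" if is_dce else "non-dce")] += 1
    return counts

def make_record(outcome, client_uuid, *event_specific):
    # Constructed record carrying just the fields A.5 names.
    return {"event": AS_REQUEST, "outcome": outcome, "authz_status": AUTHZ_NAME,
            "client_uuid": client_uuid, "event_specific": list(event_specific)}

ALICE = next(iter(PRINCIPAL_BY_UUID))
SAMPLE_RECORDS = [                                            # one per A.5 bullet
    make_record("failure", NIL_UUID, "not-a-principal"),
    make_record("denial", ALICE),
    make_record("denial", NIL_UUID, "entrust-profile-bob"),
    make_record("success", NIL_UUID, "entrust-profile-bob"),
]

if __name__ == "__main__":
    for (name, kind), n in unsuccessful_logins_by_name(SAMPLE_RECORDS).items():
        print(f"{name} ({kind}): {n} unsuccessful AS_Request")
```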
To ensure the name given to dce_aud_start*() is put in the audit record,
pass an additional bit flag to the dce_aud_start routines in the
"options" parameter. A new bit flag has been defined in audit.h, called
aud_c_evt_save_nondce_names. If this flag is passed to any of the
dce_aud_start functions, a non-DCE name will be stored in the audit record
as the first event-specific item.

=====================================================
A.7 dcecp Commands Not Supported by Slim Client

The following dcecp commands are not supported by Slim Client:

  aud disable
  aud enable
  aud help
  aud modify
  aud operations
  aud rewind
  aud show
  aud stop

  audevents catalog
  audevents help
  audevents operations
  audevents show

  audfilter catalog
  audfilter create
  audfilter delete
  audfilter help
  audfilter modify
  audfilter operations
  audfilter show

  audtrail help
  audtrail operations
  audtrail show

  ems
  emsconsumer
  emsevent
  emslog

  hostdata create
  hostdata delete
  hostdata help
  hostdata modify
  hostdata operations
  hostdata show

  keytab add
  keytab catalog
  keytab create
  keytab delete
  keytab help
  keytab list
  keytab operations
  keytab remove
  keytab show

  server catalog
  server create
  server delete
  server disable
  server enable
  server help
  server modify
  server operations
  server ping
  server show
  server start
  server stop

=====================================================
A.8 Daylight Savings Time Issue for Some Time Zones

A problem in the Microsoft C Runtime library affects Windows NT systems
running DCE in some European time zones (such as GMT+1 and GMT+2) when
Daylight Savings Time ends. The problem occurs for one hour, between
02:00 and 03:00 a.m. Contact your IBM representative to receive the fix
for this problem.

=====================================================
A.9 dcecp cdscache dump Command Restriction

Currently, the dcecp> cdscache dump command can be used only from the
Administrator account. Since this command displays only the private/user
cache information particular to the current user, it cannot be used to
display complete cache information for any user other than the
Administrator.

The cdscp dump clerk cache command does not require the user to be
Administrator. Use this command to display private/user cache
information.

=====================================================
A.10 CDS Replica Unconfig May Fail to Remove All References to Clearinghouse

As part of unconfiguring a CDS Replica server, DCE may not properly remove
the unconfigured clearinghouse from the entire list of directories that
had been replicated in this clearinghouse. As a result, some error
messages may appear during the unconfigure operation. The cell
administrator must manually exclude this clearinghouse from all
directories that had been replicated within it, using the "cdscp set
directory to new epoch master" command for each directory.

=====================================================
A.11 Additional Information on DCE for Windows 95

A CD labeled IBM Distributed Computing Environment ADK and Runtime
Services for Windows 95 is provided with the complete DCE for Windows NT,
Version 2.2 product. It is not provided with the packages that include
either the DCE Runtime Services and ADK for Windows NT or the DCE Runtime
Services for Windows NT separately. The readme file (readme.txt) for DCE
for Windows 95 is located in the root (\) directory of that CD.

To install DCE Runtime Services and the DCE Application Development Kit
for Windows 95:

1. Insert the CD labeled IBM Distributed Computing Environment ADK and
   Runtime Services for Windows 95 in your CD-ROM drive. After a few
   moments, the Welcome window appears.

2. After reading the information in the Welcome window, click NEXT to
   continue.

3. In the Select Components window, click on the components you want to
   install.

   NOTE: DCE Runtime Services must be selected; it is a prerequisite for
   installing any other components.

4. The default Destination Directory is C:\PROGRAM FILES\DCE. To change
   to a different drive or a different directory, click on BROWSE. Click
   NEXT to continue.

5. In the Cultural Conventions window, select a preferred cultural
   convention. Click NEXT to continue.

6. In the Start Copying Files window, review the installation
   information. If you want to change any settings, click BACK to make
   the changes. Otherwise, click NEXT to start copying files to your hard
   drive.

7. The Setup window appears showing the progress indicator. When the
   installation completes, the IBM Software Registration Tool window
   appears. Click NEXT to complete the software registration.

8. After completing the software registration, a question appears asking
   whether you want to view the online readme file. Click YES to view the
   readme; otherwise click NO.

   NOTE: Viewing the online readme file is optional. Since it contains
   last-minute product changes that are not documented elsewhere, we
   recommend you read it.

9. After closing the online readme file (or if you chose not to view it),
   the Installation Completed window appears. You are asked whether you
   want to restart your system. Make your choice and then click FINISH.

   NOTE: DCE Runtime Services for Windows 95 modifies the system
   configuration. If you choose not to restart your system at this time,
   you must restart it later for the DCE changes to take effect.

After completing the installation procedure, you must configure DCE
services on your system.

To configure DCE services on Windows 95:

1. Click START, point to PROGRAM, click DCE FOR WINDOWS 95, and then click
   the DCESETUP icon.

2. Click the CONFIGURE menu, and then click on one of the configuration
   options.

=====================================================
A.12 Viewing Online Documentation Directly from the CD

When the online documentation is not installed (for example, with the
Slim Client package), or if you choose not to install the online
documentation, it can be viewed directly from the CD labeled IBM
Distributed Computing Environment (DCE) for Windows NT.

The help files for the documentation are located in:

  x:\language\documentation\

where x is the drive letter of the CD-ROM drive and language is the
language in which you want the documentation displayed. For example:

  g:\English\documentation\