			    Cygnus Solutions
			      KerbNet 1.2
			     Release Notes
			     May 23, 1997

NEW FEATURES
============

Windows NT KDC Software
-----------------------
KerbNet 1.2 includes full KDC software for Windows NT (3.51 and 4.0).
It is now possible to run a Kerberos server on a Windows NT machine as
well as on a UNIX machine (or any combination of the two).


Administrative Software
-----------------------
KerbNet 1.2 includes a GUI version of the kadmin program, on both UNIX
and Windows NT, for creating and editing Kerberos principals and
policies.


Automated Installation
----------------------
KerbNet 1.2 installation is fully automated.  Macintosh and Windows
users simply unpack and install the software as they do for any other
Macintosh or Windows program.  UNIX users simply extract the files from
the tarfile and run an installation program to automatically set up
their machine as either a KDC, application server, or client.  Refer to
the Installation Guide for instructions for running the installation
program and for details of what steps you need to perform manually to
complete the procedure.


Oracle Database Support (Solaris 2.5 only)
------------------------------------------
On Solaris 2.5, KerbNet 1.2 supports the Oracle database format as well
as the db2 (standard) database format for the Kerberos database.
Because database propagation is independent of the database format, you
can have any combination of KDCs using any of the supported database
formats.

Note that KerbNet 1.2 with Oracle for Solaris is a separate package from
standard KerbNet 1.2 for Solaris.  If you will be using an Oracle
database, be sure to install the Oracle version.

With the Oracle version you can also have logging information stored in
an Oracle database.  See the documentation for details.


db2 Database Format Change
--------------------------
In KerbNet 1.2, db2 Kerberos databases are now stored in btree format.
This greatly improves the performance of the kadmin administrative
software, particularly for databases containing 100,000 or more
principals.  Note that if you are running a version of KerbNet earlier
than 1.1 (or any other version of Kerberos), you will need to manually
dump your Kerberos database and load it under KerbNet 1.2.  See the
Installation Guide for details.


Kerberos Plug-in for Netscape Web Server (Solaris 2.5 only)
-----------------------------------------------------------
KerbNet 1.2 includes a Kerberos plug-in for the Netscape Web server
(Solaris 2.5 only).  Via this plug-in, web servers can use Kerberos to
validate passwords.  Note, however, that the Netscape server uses its
own mechanism to encrypt (or not encrypt!) the connection between the
user's browser and the web server.


Windows Client Software
-----------------------
KerbNet 1.2 is integrated with the Windows NT GINA (login) programs.
Windows NT users will now obtain Kerberos tickets automatically upon
logging in to their machines.


Encryption Available for Windows 95 and Windows NT Telnet
---------------------------------------------------------
The Windows NT and Windows 95 KerbNet 1.2 telnet client can now make
encrypted connections.


ISSUES
======

UNIX Installation
-----------------
Note:  these are some of the installation issues you need to be aware
of.  They are *NOT* a condensed version of the Installation Guide.

The UNIX installation program configures application servers to allow
both Kerberos and non-Kerberos telnet, rlogin, rsh, rcp, and ftp
connections.  If you want to configure an application server to allow
only Kerberos connections from these programs, you will need to edit
your inetd.conf file after running the program, as described in the UNIX
Installation Guide.

The installation program assumes you are using the standard Kerberos
port numbers.  If you want to run any of your Kerberos programs on
non-standard ports, you will need to edit your services and krb5.conf
files manually.  However, if you are upgrading from a previous version
of KerbNet (or other version of Kerberos V5), the installation program
will preserve any entries already in your krb5.conf file.

The installation program assumes your users will be authenticating only
to the default realm.  If your users will be accessing KDCs in other
realms, you will need to add these to your krb5.conf file manually.

The installation program does not configure the X display manager (xdm).
If you will be running xdm, you will need to edit the xdm configuration
files manually, as described in the UNIX Installation Guide.

The installation program is designed to minimize the impact on
user-visible aspects of your system.  For this reason, the installation
program does not replace your system login program or xdm with the
KerbNet versions.  If you want to have your users log in using one of
these programs, you will need to switch them manually.

When you unpack the KerbNet tar file, it will unpack into the directory
/usr/cygnus/kerbnet-1.2.  If you move KerbNet 1.2 to another location,
you must make /usr/cygnus/kerbnet-1.2 a symbolic link that points to the
new location.


Windows (95 and NT) Installation
--------------------------------
When upgrading from KerbNet 1.1, or reinstalling after removing the
1.2 release, be certain the credentials cache
(C:\Cygnus\KerbNet\CCACHE) directory is not present, or the install
will fail.

When removing an installed version of KerbNet, use the Control Panel
"Add/Remove Programs" function.  This ensures that the package is
uninstalled correctly.  If the uninstall reports that some items could
not be automatically removed, the C:\Cygnus\KerbNet\CCACHE directory
is most likely the cause.  Remove it manually.


ksu (SunOS)
-----------
Using the ksu program to switch to a userid other than root does not
work under SunOS.


login.krb5
----------
The HP-UX 10 version of the KerbNet 1.1 login.krb5 program does not
respond to the "krb4_convert" option in the krb5.conf [appdefaults]
section.


NetBSD libraries and setuid programs
------------------------------------
NetBSD does not allow setuid programs to specify paths to their
libraries.  As a result, in order for the ksu, xdm-restart, and v4rcp
programs to work properly on NetBSD systems, you will need to specify
the library path manually, using the command:

	ldconfig -m /usr/cygnus/kerbnet/lib

Cygnus Solutions recommends placing this command in one of your /etc/rc
scripts.


ftpd
----
The KerbNet ftp client cannot authenticate to certain earlier versions of
Kerberos V5 ftpd.  This is not an issue when upgrading from earlier
versions of KerbNet, but if you have any hosts running older versions
of Kerberos V5 ftpd, either from Cygnus Support (96q1 or earlier) or
from MIT (beta 6 or earlier), you will not be able to use
authenticated ftp to these hosts.  Note that this incompatibility only
exists in one direction; the KerbNet ftpd is fully compatible with
older versions of the ftp client.


klogind, kshd
-------------
KerbNet checksums are handled differently from earlier versions of
Kerberos V5.  This is not an issue when upgrading from earlier
versions of KerbNet, but if you have any hosts running older versions
of Kerberos V5, either from Cygnus Support (96q1 or earlier) or from
MIT (beta 6 or earlier), you should not require checksums (specify the
"-i" option when starting krlogind or krshd), or you will not be able
to connect to these hosts with the older Kerberized Berkeley r-command
clients (rlogin, rcp, rsh).  The inetd.conf entries added by the
installation program include this option.
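
The two inetd.conf points above (non-Kerberos r-command listeners left
enabled by the installer, and the "-i" option on the Kerberized daemons)
can be audited together.  This script is an added example, not part of the
release notes or of KerbNet.  It assumes the usual inetd.conf field layout
and the conventional service names login/shell/exec and
klogin/kshell/eklogin; the server paths in the sample are placeholders.
telnet and ftp are left out because the service name alone does not show
whether the daemon behind it is the Kerberized one.

```shell
#!/bin/sh
# Audit inetd.conf-style text for (a) active non-Kerberos r-command listeners
# and (b) Kerberized r-command daemons started with -i (checksums not required).

# Constructed sample input; /path/to/... are placeholders, not KerbNet paths.
SAMPLE_INETD='# constructed sample inetd.conf
login   stream tcp nowait root /path/to/rlogind  rlogind
shell   stream tcp nowait root /path/to/rshd     rshd
klogin  stream tcp nowait root /path/to/klogind  klogind -i
kshell  stream tcp nowait root /path/to/kshd     kshd
#exec   stream tcp nowait root /path/to/rexecd   rexecd
'

# Print the service name of every uncommented non-Kerberos r-command entry.
# Assumed names: login, shell, exec (as in a conventional /etc/services).
plain_rcmd_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments and short lines
        $1 == "login" || $1 == "shell" || $1 == "exec" { print $1 }'
}

# Print "<service> i-set|i-unset" for every Kerberized r-command entry.
# Fields: service socktype proto wait user server argv0 args...
# Only a stand-alone "-i" argument is recognised (no clustered flags).
kerberized_checksum_mode() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 6 { next }
        $1 == "klogin" || $1 == "kshell" || $1 == "eklogin" {
            mode = "i-unset"
            for (i = 8; i <= NF; i++) if ($i == "-i") mode = "i-set"
            print $1, mode
        }'
}

# Pass a file as $1 to audit it; with no argument the sample above is used.
if [ -n "$1" ] && [ -r "$1" ]; then INPUT=$(cat "$1"); else INPUT=$SAMPLE_INETD; fi

echo "Non-Kerberos r-command services still enabled:"
plain_rcmd_services "$INPUT" | sed 's/^/  /'
echo "Kerberized r-command services and -i status:"
kerberized_checksum_mode "$INPUT" | sed 's/^/  /'
```
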

klogin
------
klogin does not properly handle the -a argument.  This argument is
only used for fallback to the ucb version of rlogin.  If you need this
argument, invoke the ucb version directly.
