1 — Release Notes

[Previous] [Next] [Contents] [Index]

This chapter provides DCE developers and administrators information about the current release of PC-DCE and contains the following sections:

1.1 New Features Introduced in v5.0
1.2 Problems Fixed in 5.0.1
1.3 Notes on Operation
1.4 Known Problems and Restrictions
1.5 Corrections to Documentation

NOTE: Throughout documents related to Entegrity PC-DCE, use of the term Windows refers to all supported Windows operating systems unless noted otherwise.

1.1 New Features Introduced in v5.0

The following list describes new major features for this release.

1.2 Problems Fixed in 5.0.1

Client Applications Failed to Randomly Bind to a Server

This problem was most likely to occur on a Windows Terminal Server. The PC-DCE runtime uses the C runtime rand function to select a binding. Each thread in an application is supposed to provide a different seed to the rand function. However, if two threads were started within a second of each other, then rand would be seeded with the same value. This would cause them to select bindings in the same order.

If applications are running on different hosts, a problem was is likely to occur because the hosts' clocks are a few seconds out of sync. However, all clients running on a Terminal Server host use the same clock, thus making it far more likely that threads — even threads in different instances of an application — would seed rand with the same value, causing the client applications to bind to the same servers in the same order.

PC-DCE now seeds rand with a value that changes every millisecond rather than every second, making it far less likely that two threads could attempt to bind to the same servers in the same order.

Installing New Licenses via DCE Service Panel

There was a problem with installing a new license via the service panel. When an evaluation license expired, the service panel would no longer run. Now the service panel will run, but only the License button is available. As always, you can still access the license tool directly from the Windows Start button. Choose Start -> Programs -> Entegrity PC-DCE -> Tools -> License Installer.

Uninstalling PC-DCE If Installed with an Evaluation License

The uninstaller now runs even if the evaluation license has expired.

Integrated Login on Windows 2000 and Windows XP

Integrated login failed to work on Windows 2000 and XP. When installing the PC-DCE runtime, the installer failed to create all the registry entries needed to run integrated login. This has been fixed.

Local Administrator Script (preconfig.tcl) Simplified

Unnecessary groups and ACL assignments have been removed from the NetCrusader/Web portion of the split configuration script preconfig.tcl. Specifically, the wcsecad-admin group, which is not used, is no longer created. Also the Security Adapter's principal is no longer added to the cds-admin and dced-admin groups and the local administrator is no longer added to the ACL on /.:/subsys/www/wc-servers.

New Slave Now Receives Updates from New Master

Have fixed the problem described in Entegrity Tech Note 411GR, Slave Does Not Receive Updates from New Master.

When configuring a master Security server, the host machine's self principal is now added to the ACLs for the /.:/sec/replist object and the /.:/subsys/dce/sec directory. Without these ACLs, if the master Security server becomes a slave then it would not be able to receive updates from the new master.

This change was made to dce_config.exe.

DCE Director Does Not Work After Master Security Server Made Replica

Have fixed a problem related to the one described in Entegrity Tech Note 411GR, Slave Does Not Receive Updates from New Master.

DCE Director would not work once the master Security server was made a replica. The Director used to depend on the value of the window registry entry HKEY_LOCAL_MACHINE\Software\Gradient\DCE\Configuration\SecurityServerName, which becomes out-of-date when the master Security server becomes a slave. Now the Director retrieves the name of the master Security server from the CDS namespace.

Canceling Integrated Login Delayed Windows Login

Fixed a problem where cancelling integrated login too quickly would delay Windows login. A cancel button is displayed during the integrated login process. If the user clicked the cancel button as soon as it was displayed, the integrated login process would not be completely cancelled and the Windows login process would be delayed until some timeouts occurred or the user typed Ctrl-Alt-Del. This has now been fixed.

Waiting Pthread Not Always Canceled

Fixed a problem where one thread calling pthread_cancel() to cancel another thread that was waiting for pthread_join() to complete did not always result in the waiting thread being cancelled.

Memory Associated with a Login Context Not Always Released

Fixed a problem where sec_login_release_context did not always release all of the memory associated with a login context.

1.3 Notes on Operation

This section describes operational and other minor changes for the 5.0 release. These are not documented in the PC-DCE guides.

1.3.1 Installing PC-DCE on Hosts Configured with Compaq DCE

Before installing PC-DCE on any Compaq DCE host, Compaq DCE must first be uninstalled. To preserve cell configuration information, replicate any Compaq DCE servers to PC-DCE server hosts prior to uninstalling Compaq DCE from cell server hosts.

1.3.2 DCE Director

Concurrent Access to Security Registry Entries

While DCE Director is accessing security registry entities (principals, accounts, groups, and so on), operations referencing these entities will fail if the entries are deleted from the registry by another DCE user.

Create Group Option in User Account Dialog Boxes

After creating a new group from the User Account dialog boxes, there is no immediate update to the group page or UNIX page. When you select a new page from the view or modify dropdown list, or press OK to proceed, the new group is added to the group page and the UNIX page.

DCE Director Failure

If DCE has not been properly configured and you try to start DCE Director, the application fails, but you may not receive any error messages.

Multiple Copies of the Same View

DCE Director allows the same view to be shown multiple times.

Changing User Account Passwords

To use the DCE Integrated Login feature, you must keep password information in the DCE Registry synchronized with password information in the NT security registry. Currently, modifying user account passwords with DCE Director changes the password only in the DCE Registry; the password in the NT security registry remains unchanged. At present, the only supported method for changing user passwords in both registries simultaneously is by using the Change Password button on the Windows NT Security dialog box (press Ctrl+Alt+Del to get this). Passwords will not remain synchronized if they are changed with the User Manager utility.

1.3.3 Configuration

Multi-homing

For Windows NT v4.0 systems: If you want to export bindings onto multiple network interfaces, you must either install Service Pack 4, or if you want to continue using Service Pack 3, obtain a hotfix from Microsoft. To obtain the hotfix, contact Microsoft, specify article Q188879, and request the hotfix. In addition, read the section in the PC-DCE Administrator's Guide on the environment variable RPC_UNSUPPORTED_NETIFS.

1.3.4 Administration

Running Applications With Old Runtime Versions Not Supported

If you build applications using the current PC-DCE Application Developer's Kit, you must run them with the PC-DCE runtime at the current revision or later.

DHCP Support

DHCP is supported on clients; however, DCE interfaces rely on a stable underlying address, and therefore DCE servers do not support DHCP.

ACL_EDIT, DTSCP, RGY_EDIT, and RPCCP

These programs are currently still available in PC-DCE but are no longer officially supported as most of their functionality is now encompassed in the DCE control program (dcecp). In addition, it is likely that these programs will be removed in future releases.

CDSCP

Because of The Open Group licensing changes, we no longer included cdscp with our Runtime Kits; however, it is included with our CDS servers.

Synchronizing Client Time with the Security Server

For synchronization to work from the client without the DTS daemon, you must run a DTS server (local or global) on the same machine as your master Security server.

Public Key Infrastructure Implementation

Because of incompatibilities between RFCs 68.3 and 68.4, PC-DCE Version 5.0 does not implement the OSF Version 1.2.2 Public Key Infrastructure (PKI) enhancement.

1.4 Known Problems and Restrictions

This section describes known problems and other restrictions for this and previous releases.

Known problems in previous releases are still in effect.

1.4.1 Known Problems and Restrictions in v4.0.1

1.4.1.1 DCE Setup

While DCE Setup is included with PC-DCE 5.0, it is not fully functional with this release. To configure DCE services, use the PC-DCE Configuration Panel.

1.4.1.2 DCE Director

Policy and Organization Restrictions

You cannot change the organization attribute of an account, and you cannot set policies such as minimum password length.

Removal of the ACL Entry Allowing the Group's Members to Add/Remove Members Does Not Work

If you modify a group to remove the ACL entry permitting its members to add or remove members, the change does not take effect.

To remove the ACL entry you must use the Visual DCE ACL Editor. With the CDS object highlighted in the Select a kind of object list, choose Access Control from the Actions Menu. Type in /.:/sec/group/groupname for the ACL path. Modify the ACL to remove the groupname entry.

1.4.1.3 Visual DCE ACL Editor

Displaying ACLs with More Than Eight Permissions

If you are editing an ACL belonging to a user-written ACL Manager that supports more than eight permissions, the necessary display width required may be larger than expected by the Visual DCE ACL Editor. If this is the case, the Visual DCE ACL Editor will cause an exception and not display the ACL.

To edit the ACL, use dcecp or acl_edit.

ACL Name not Passed to the Editor

If an instance of the Visual DCE ACL Editor is already running, and you select a directory using DCE Director and press the Access Control button, the existing Visual DCE ACL Editor window will be brought to the foreground but the new ACL will not be opened.

To open the ACL, choose Open from the ACL menu and type in the desired path.

Visual DCE ACL Editor Failure

If your machine has not been properly configured for DCE, and you try to start the Visual DCE ACL Editor, you may get the following error message: 

An application error has occurred and an application error log is being 
generated.

To correct the problem, you need to properly configure DCE on your machine.

1.4.1.4 Development

Applications Developed Using Compaq DCE ADK

Applications developed with the Compaq DCE ADK are not compatible with PC-DCE. Such applications must be recompiled and relinked using the PC-DCE ADK. See the PC-DCE Developer's Notes for more information about migrating Compaq DCE applications.

Incorrect Dependency Error

During a compile, Microsoft Visual C/C++ Versions 4.2 and earlier may report the following dependent files are missing:

sys/file.h sys/lic.h

These Entegrity internal include files are commented out, but the Microsoft compiler fails to detect this. You can either ignore the error or upgrade to Visual C/C++ 5.0.

1.4.1.5 Other

Name Service Interface Daemon (nsid) and Windows 98

nsid is not currently functional on the Windows 98 operating system.

DCE Director and DCEsetup Help Files

Accessing DCE Director and DCEsetup help files though help buttons in dialog boxes and at the graphical interface works inconsistently. Launch these help files from the Help menu in each of these tools.

Integrated Login Timeout

If you restart a PC-DCE server or client system that uses Integrated Login, and the system is unable to contact a Master or Replica Security Server, the Windows login is halted. In this case, PC-DCE displays a message box that lets you choose to:

Routing File Syntax

DCE service routing is a specification of where DCE serviceability messages are logged. The dce_install_directory /opt/dcelocal/var/svc/routing file specifies the default routing(s) for serviceability messages from any DCE application server - including dced, cdsadv, dtsd, etc. For example, the routing FATAL:FILE:/tmp/service.log specifies that fatal messages are to be logged in the file /tmp/service.log.

DCE service library uses a colon (:) as the separator in a routing specification. Because of this, pathnames in the routing specification must use a percent sign (%) as a separator after the drive, if one is specified. For example, specify FATAL:FILE:C%/tmp/service.log rather than FATAL:FILE:C:/tmp/service.log. This limitation will be removed in a future release.

See section 9.4.2 of OSF DCE Administration Guide - Core Concepts for more information on DCE serviceability routing.

Cell Aliases

Cell renaming does not work reliably. The dcecp cellalias set command has been disabled in the Warranty Patch. A defect for The Open Group (OT 12864) has been opened for this problem. If you want to create an alternate cell name, use the cellalias create command. This will create a cell alias name without changing the primary cell name.

Cell alias names are not automatically propagated across cell boundaries. Use of cell aliases across cell boundaries is not supported.

Cell alias creation will fail if a cell includes DCE 1.0.x-based clients. The dcecp cellalias script attempts to update every cell-member host by contacting its DCE host daemon (dced). Once the script detects an error (such as failing on a 1.0.x-based client), it will proceed to undo the alias creation operation for the entire cell.

Transitive Trust

Transitive trust validation is performed using the pathname of the target principal. Transitive trust will succeed for a cell alias name only if there is a trust path expressed for that alias.

Ticket requests to alias names for the local privilege server are treated as foreign cell requests. At DCE 1.2.1, the privilege server removes ERAs from credentials requested by foreign cells. Therefore, credentials returned by ticket requests to alias names will not include ERAs.

The following scenario illustrates this limitation:

  1. Create old_cell.

  2. Add new_cell as an alias for old_cell.

  3. dce_login as /.../old_cell/user.

  4. Request credentials to application service /.../new_cell/service.

The credentials returned for /.../new_cell/service will not include ERAs. The privilege server treats the request to /.../new_cell as an intercell request from /.../old_cell to /.../new_cell, and removes any ERAs that may be attached to the principal.

Exception Mapping

Exception mapping from native to DCE exceptions is not supported in the OMF-compliant link library.

No DCED Support for the Auto Start Option

It is a limitation of The Open Group DCE 1.2.1 and consequently of the PC-DCE Version 5.0 implementation that dced cannot start up configured services on demand when the first RPC is made.

DCED and Endpoint Services

The PC-DCE Service Panel may currently show that dced is running in a light-weight configuration even if the Endpoint Service Only checkbox is selected in the Options tab of the PC-DCE Configuration Panel. In reality, only the Microsoft Endpoint Mapper will be running.

DCECP Limitations

The DCE control program (dcecp) may not be compatible with any existing TCL environment setup outside of the PC-DCE installation. In addition, you cannot execute commands by specifying the full path in dcecp.

Required DTS Servers in a Cell

DCE requires there to be three DTS servers configured in a cell to insure stable time management. Though this is the best case scenario, we acknowledge that there may be some situations where this may not be feasible.

To reset the number of required servers:

Use the dcecp command: dts modify-minservers #

or

Use the dtscp command: set servers required #

Where # is the minimum number of DTS servers you wish to require in your cell. This will improve efficiency in cells with fewer than three DTS servers, and eliminate extra warning messages from being logged.

Security Server Mappings Invalid from Non PC-DCE Client

Due to a base DCE bug, clients contacting PC-DCE servers that use the Microsoft Endpoint Mapper will fail due to unrecognized protocol towers. Please check with your DCE vendor to see if they have addressed this problem, and reference The Open Group OT 13669.

1.5 Corrections to Documentation

1.5.1 Regii

As of version 4.0.6, Entegrity removed reference to the Remote Client Configuration Utility, Regii (remtool.exe), from the PC-DCETM Administrator's Guide.

[Previous] [Next] [Contents] [Index]

To make comments or ask for help, contact support@entegrity.com.

Copyright © 1997-2003 Entegrity Solutions Corporation & its subsidiaries