This chapter provides DCE developers and administrators with information about the current release of PC-DCE and contains the following sections:
1.2 Problems Fixed in 5.0.1
1.3 Notes on Operation
1.4 Known Problems and Restrictions
1.5 Corrections to Documentation
Throughout documents related to Entegrity PC-DCE, use of the term
Windows refers to all supported Windows operating systems unless noted
1.1 New Features Introduced in v5.0
The following list describes new major features for this release.
This problem was most likely to occur on a Windows Terminal Server. The PC-DCE runtime uses the C runtime rand function to select a binding. Each thread in an application is supposed to provide a different seed to the rand function. However, if two threads were started within a second of each other, then rand would be seeded with the same value. This would cause them to select bindings in the same order.
If applications are running on different hosts, a problem is less likely to occur because the hosts' clocks are a few seconds out of sync. However, all clients running on a Terminal Server host use the same clock, making it far more likely that threads, even threads in different instances of an application, would seed rand with the same value, causing the client applications to bind to the same servers in the same order.
PC-DCE now seeds rand with a value that changes every millisecond rather than every second, making it far less likely that two threads could attempt to bind to the same servers in the same order.
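The seed collision described above, as an added example (not PC-DCE code): a stand-in generator shuffles five binding indices for two threads whose constructed start times fall 250 ms apart within the same second. The generator, the shuffle, and truncating the millisecond clock to 32 bits are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBINDINGS 5

/* Stand-in LCG so the demo is deterministic; not the PC-DCE runtime's generator. */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 214013u + 2531011u;
    return (*state >> 16) & 0x7fffu;
}

/* Fisher-Yates shuffle of binding indices 0..NBINDINGS-1 driven by one seed. */
void binding_order(uint32_t seed, int order[NBINDINGS]) {
    uint32_t state = seed;
    for (int i = 0; i < NBINDINGS; i++) order[i] = i;
    for (int i = NBINDINGS - 1; i > 0; i--) {
        int j = (int)(lcg_next(&state) % (uint32_t)(i + 1));
        int tmp = order[i]; order[i] = order[j]; order[j] = tmp;
    }
}

/* Old behaviour: the seed changes only once per second. */
uint32_t seed_per_second(uint64_t start_ms) { return (uint32_t)(start_ms / 1000u); }

/* Fixed behaviour: the seed changes every millisecond (32-bit truncation is assumed). */
uint32_t seed_per_millisecond(uint64_t start_ms) { return (uint32_t)start_ms; }

/* Returns 1 when threads started at a_ms and b_ms pick bindings in the same order. */
int same_order(uint64_t a_ms, uint64_t b_ms, uint32_t (*seed_fn)(uint64_t)) {
    int oa[NBINDINGS], ob[NBINDINGS];
    binding_order(seed_fn(a_ms), oa);
    binding_order(seed_fn(b_ms), ob);
    return memcmp(oa, ob, sizeof oa) == 0;
}

int main(void) {
    /* Constructed start times on one shared clock, 250 ms apart in the same second. */
    uint64_t a = 1700000000100ULL, b = 1700000000350ULL;
    printf("per-second seed, 250 ms apart: same order = %d\n", same_order(a, b, seed_per_second));
    printf("per-ms seed, 250 ms apart:     same order = %d\n", same_order(a, b, seed_per_millisecond));
    /* Residual case: two threads in the same millisecond still collide. */
    printf("per-ms seed, same millisecond: same order = %d\n", same_order(a, a, seed_per_millisecond));
    return 0;
}
```

The last case shows why the fix makes a collision far less likely rather than impossible: threads that start within the same millisecond still derive the same seed.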
Installing New Licenses via DCE Service Panel
There was a problem with installing a new license via the service panel. When an evaluation license expired, the service panel would no longer run. Now the service panel will run, but only the License button is available. As always, you can still access the license tool directly from the Windows Start button. Choose Start -> Programs -> Entegrity PC-DCE -> Tools -> License Installer.
Uninstalling PC-DCE If Installed with an Evaluation License
The uninstaller now runs even if the evaluation license has expired.
Integrated Login on Windows 2000 and Windows XP
Integrated login failed to work on Windows 2000 and XP. When installing the PC-DCE runtime, the installer failed to create all the registry entries needed to run integrated login. This has been fixed.
Local Administrator Script (preconfig.tcl) Simplified
Unnecessary groups and ACL assignments have been removed from the NetCrusader/Web portion of the split configuration script preconfig.tcl. Specifically, the wcsecad-admin group, which is not used, is no longer created. Also the Security Adapter's principal is no longer added to the cds-admin and dced-admin groups and the local administrator is no longer added to the ACL on /.:/subsys/www/wc-servers.
New Slave Now Receives Updates from New Master
Fixed the problem described in Entegrity Tech Note 411GR, Slave Does Not Receive Updates from New Master.
When configuring a master Security server, the host machine's self principal is now added to the ACLs for the /.:/sec/replist object and the /.:/subsys/dce/sec directory. Without these ACLs, if the master Security server becomes a slave then it would not be able to receive updates from the new master.
This change was made to dce_config.exe.
DCE Director Does Not Work After Master Security Server Made Replica
Fixed a problem related to the one described in Entegrity Tech Note 411GR, Slave Does Not Receive Updates from New Master.
DCE Director would not work once the master Security server was made a replica. The Director used to depend on the value of the Windows registry entry HKEY_LOCAL_MACHINE\Software\Gradient\DCE\Configuration\SecurityServerName, which becomes out-of-date when the master Security server becomes a slave. Now the Director retrieves the name of the master Security server from the CDS namespace.
Canceling Integrated Login Delayed Windows Login
Fixed a problem where cancelling integrated login too quickly would delay Windows login. A cancel button is displayed during the integrated login process. If the user clicked the cancel button as soon as it was displayed, the integrated login process would not be completely cancelled and the Windows login process would be delayed until some timeouts occurred or the user typed Ctrl-Alt-Del. This has now been fixed.
Waiting Pthread Not Always Canceled
Fixed a problem where one thread calling pthread_cancel() to cancel another thread that was waiting for pthread_join() to complete did not always result in the waiting thread being cancelled.
Memory Associated with a Login Context Not Always Released
Fixed a problem where sec_login_release_context did not always release all of the memory associated with a login context.
1.3 Notes on Operation
This section describes operational and other minor changes for the 5.0 release. These are not documented in the PC-DCE guides.
1.3.1 Installing PC-DCE on Hosts Configured with Compaq DCE
Before installing PC-DCE on any Compaq DCE host, Compaq DCE must first be uninstalled. To preserve cell configuration information, replicate any Compaq DCE servers to PC-DCE server hosts prior to uninstalling Compaq DCE from cell server hosts.
1.3.2 DCE Director
Concurrent Access to Security Registry Entries
While DCE Director is accessing security registry entities (principals, accounts, groups, and so on), operations referencing these entities will fail if the entries are deleted from the registry by another DCE user.
Create Group Option in User Account Dialog Boxes
After creating a new group from the User Account dialog boxes, there is no immediate update to the group page or UNIX page. When you select a new page from the view or modify dropdown list, or press OK to proceed, the new group is added to the group page and the UNIX page.
DCE Director Failure
If DCE has not been properly configured and you try to start DCE Director, the application fails, but you may not receive any error messages.
Multiple Copies of the Same View
DCE Director allows the same view to be shown multiple times.
Changing User Account Passwords
To use the DCE Integrated Login feature, you must keep password information in the DCE Registry synchronized with password information in the NT security registry. Currently, modifying user account passwords with DCE Director changes the password only in the DCE Registry; the password in the NT security registry remains unchanged. At present, the only supported method for changing user passwords in both registries simultaneously is by using the Change Password button on the Windows NT Security dialog box (press Ctrl+Alt+Del to get this). Passwords will not remain synchronized if they are changed with the User Manager utility.
For Windows NT v4.0 systems: If you want to export bindings onto multiple network interfaces, you must either install Service Pack 4, or if you want to continue using Service Pack 3, obtain a hotfix from Microsoft. To obtain the hotfix, contact Microsoft, specify article Q188879, and request the hotfix. In addition, read the section in the PC-DCE Administrator's Guide on the environment variable RPC_UNSUPPORTED_NETIFS.
Running Applications With Old Runtime Versions Not Supported
If you build applications using the current PC-DCE Application Developer's Kit, you must run them with the PC-DCE runtime at the current revision or later.
DHCP is supported on clients; however, DCE interfaces rely on a stable underlying address, and therefore DCE servers do not support DHCP.
ACL_EDIT, DTSCP, RGY_EDIT, and RPCCP
These programs are currently still available in PC-DCE but are no longer officially supported as most of their functionality is now encompassed in the DCE control program (dcecp). In addition, it is likely that these programs will be removed in future releases.
Because of The Open Group licensing changes, we no longer include cdscp with our Runtime Kits; however, it is included with our CDS servers.
Synchronizing Client Time with the Security Server
For synchronization to work from the client without the DTS daemon, you must run a DTS server (local or global) on the same machine as your master Security server.
Public Key Infrastructure Implementation
Because of incompatibilities between RFCs 68.3 and 68.4, PC-DCE Version 5.0 does not implement the OSF Version 1.2.2 Public Key Infrastructure (PKI) enhancement.
1.4 Known Problems and Restrictions
This section describes known problems and other restrictions for this and previous releases.
Known problems in previous releases are still in effect.
1.4.1 Known Problems and Restrictions in v4.0.1
DCE Setup
While DCE Setup is included with PC-DCE 5.0, it is not fully functional with this release. To configure DCE services, use the PC-DCE Configuration Panel.
DCE Director
Policy and Organization Restrictions
You cannot change the organization attribute of an account, and you cannot set policies such as minimum password length.
Removal of the ACL Entry Allowing the Group's Members to Add/Remove Members Does Not Work
If you modify a group to remove the ACL entry permitting its members to add or remove members, the change does not take effect.
To remove the ACL entry you must use the Visual DCE ACL Editor. With the CDS object highlighted in the Select a kind of object list, choose Access Control from the Actions Menu. Type in /.:/sec/group/groupname for the ACL path. Modify the ACL to remove the groupname entry.
Visual DCE ACL Editor
Displaying ACLs with More Than Eight Permissions
If you are editing an ACL belonging to a user-written ACL Manager that supports more than eight permissions, the necessary display width required may be larger than expected by the Visual DCE ACL Editor. If this is the case, the Visual DCE ACL Editor will cause an exception and not display the ACL.
To edit the ACL, use dcecp or acl_edit.
ACL Name not Passed to the Editor
If an instance of the Visual DCE ACL Editor is already running, and you select a directory using DCE Director and press the Access Control button, the existing Visual DCE ACL Editor window will be brought to the foreground but the new ACL will not be opened.
To open the ACL, choose Open from the ACL menu and type in the desired path.
Visual DCE ACL Editor Failure
If your machine has not been properly configured for DCE, and you try to start the Visual DCE ACL Editor, you may get the following error message:
An application error has occurred and an application error log is being
To correct the problem, you need to properly configure DCE on your machine.
Applications Developed Using Compaq DCE ADK
Applications developed with the Compaq DCE ADK are not compatible with PC-DCE. Such applications must be recompiled and relinked using the PC-DCE ADK. See the PC-DCE Developer's Notes for more information about migrating Compaq DCE applications.
Incorrect Dependency Error
During a compile, Microsoft Visual C/C++ Versions 4.2 and earlier may report the following dependent files are missing:
These Entegrity internal include files are commented out, but the Microsoft compiler fails to detect this. You can either ignore the error or upgrade to Visual C/C++ 5.0.
Name Service Interface Daemon (nsid) and Windows 98
nsid is not currently functional on the Windows 98 operating system.
DCE Director and DCEsetup Help Files
Accessing DCE Director and DCEsetup help files through help buttons in dialog boxes and at the graphical interface works inconsistently. Launch these help files from the Help menu in each of these tools.
Integrated Login Timeout
If you restart a PC-DCE server or client system that uses Integrated Login, and the system is unable to contact a Master or Replica Security Server, the Windows login is halted. In this case, PC-DCE displays a message box that lets you choose to:
DCE service routing is a specification of where DCE serviceability messages are logged. The dce_install_directory /opt/dcelocal/var/svc/routing file specifies the default routing(s) for serviceability messages from any DCE application server - including dced, cdsadv, dtsd, etc. For example, the routing FATAL:FILE:/tmp/service.log specifies that fatal messages are to be logged in the file /tmp/service.log.
The DCE service library uses a colon (:) as the separator in a routing specification. Because of this, pathnames in the routing specification must use a percent sign (%) as a separator after the drive, if one is specified. For example, specify FATAL:FILE:C%/tmp/service.log rather than FATAL:FILE:C:/tmp/service.log. This limitation will be removed in a future release.
See section 9.4.2 of OSF DCE Administration Guide - Core Concepts for more information on DCE serviceability routing.
Cell renaming does not work reliably. The dcecp cellalias set command has been disabled in the Warranty Patch. A defect for The Open Group (OT 12864) has been opened for this problem. If you want to create an alternate cell name, use the cellalias create command. This will create a cell alias name without changing the primary cell name.
Cell alias names are not automatically propagated across cell boundaries. Use of cell aliases across cell boundaries is not supported.
Cell alias creation will fail if a cell includes DCE 1.0.x-based clients. The dcecp cellalias script attempts to update every cell-member host by contacting its DCE host daemon (dced). Once the script detects an error (such as failing on a 1.0.x-based client), it will proceed to undo the alias creation operation for the entire cell.
Transitive trust validation is performed using the pathname of the target principal. Transitive trust will succeed for a cell alias name only if there is a trust path expressed for that alias.
Ticket requests to alias names for the local privilege server are treated as foreign cell requests. At DCE 1.2.1, the privilege server removes ERAs from credentials requested by foreign cells. Therefore, credentials returned by ticket requests to alias names will not include ERAs.
The following scenario illustrates this limitation:
The credentials returned for /.../new_cell/service will not include ERAs. The privilege server treats the request to /.../new_cell as an intercell request from /.../old_cell to /.../new_cell, and removes any ERAs that may be attached to the principal.
Exception mapping from native to DCE exceptions is not supported in the OMF-compliant link library.
No DCED Support for the Auto Start Option
It is a limitation of The Open Group DCE 1.2.1 and consequently of the PC-DCE Version 5.0 implementation that dced cannot start up configured services on demand when the first RPC is made.
DCED and Endpoint Services
The PC-DCE Service Panel may currently show that dced is running in a light-weight configuration even if the Endpoint Service Only checkbox is selected in the Options tab of the PC-DCE Configuration Panel. In reality, only the Microsoft Endpoint Mapper will be running.
The DCE control program (dcecp) may not be compatible with any existing TCL environment setup outside of the PC-DCE installation. In addition, you cannot execute commands by specifying the full path in dcecp.
Required DTS Servers in a Cell
DCE requires three DTS servers to be configured in a cell to ensure stable time management. Though this is the best-case scenario, we acknowledge that there may be situations where this is not feasible.
To reset the number of required servers:
Use the dcecp command: dts modify-minservers #
Use the dtscp command: set servers required #
Where # is the minimum number of DTS servers you wish to require in your cell. This will improve efficiency in cells with fewer than three DTS servers, and eliminate extra warning messages from being logged.
Security Server Mappings Invalid from Non PC-DCE Client
Due to a base DCE bug, clients contacting PC-DCE servers that use the Microsoft Endpoint Mapper will fail due to unrecognized protocol towers. Please check with your DCE vendor to see if they have addressed this problem, and reference The Open Group OT 13669.
1.5 Corrections to Documentation
As of version 4.0.6, Entegrity removed reference to the Remote Client Configuration Utility, Regii (remtool.exe), from the PC-DCE Administrator's Guide.
To make comments or ask for help, contact email@example.com.