1 — Release Notes




This chapter provides DCE developers and administrators information about the current release of PC-DCE and contains the following sections:

1.1 New Features Introduced in v5.0.2
1.2 Problems Fixed in v5.0.2
1.3 Notes on Operation
1.4 Known Problems and Restrictions
1.5 Corrections to Documentation
1.6 Previous Releases — New Features
1.7 Previous Releases — Problems Fixed

NOTE: Throughout documents related to Entegrity PC-DCE, use of the term Windows refers to all supported Windows operating systems unless noted otherwise.

1.1 New Features Introduced in v5.0.2

There are no new major features in this release.

1.2 Problems Fixed in v5.0.2

This section describes problem fixes contained in this release.

Fix for Denial of Service Attack Worm (RPC Attack)

Implemented a fix for the vulnerability to RPC attacks described in CERT Vulnerability VU#377804 (http://www.kb.cert.org/vuls/id/377804). A worm that exploits that vulnerability had been reported to seek out systems that support the RPC endpoint map service on port 135 and attempt to attack those systems.

The Entegrity implementations of DCE RPC were not vulnerable to the DCOM buffer overflow attacks described in CERT VU#568148. However, the exploit tools did cause an error path to be executed that resulted in a NULL pointer dereference and a subsequent service termination, resulting in a denial of service.

dcecp Commands Failed Unexpectedly

Occasionally users would see a dcecp command fail unexpectedly. For example, the object show command would fail on a perfectly valid CDS object. The only way to recover was to restart dcecp. This was due to a stack corruption, which has been fixed.

Configuration Failure When Creating CDS

Occasionally a configuration failure would occur, usually around the point where dce_config was creating CDS entries. It would create an entry, then fail to find it, thus preventing the user from configuring the machine. This was caused by a problem in a CDS routine, which has been fixed.

Endpoints Not Registered

A workaround has been implemented for a bug in the Windows NT 4.0 endpoint mapper where it occasionally would not register an endpoint.

Maximum Ticket Lifetime Incorrectly Recorded

Fixed a problem with sec_salvage_db where it failed to correctly record the maximum ticket lifetime if it was set to the default value.

Configuration Problems in UDP-Only Environment

As of this release, dce_config will now work in a UDP-only environment.

Load Balancing

Enhanced load balancing through further improvements to how threads randomly select a binding from a binding vector.

Symbol Files for secd.exe and gdad.exe

The symbol files for secd.exe and gdad.exe were not included in previous releases of this product. If you have symbol files installed on a machine and a daemon crashes, the resulting report from third-party tools such as Dr. Watson can now more accurately show where the crash occurred.

1.3 Notes on Operation

This section describes operational and other minor changes for the 5.0 release. These are not documented in the PC-DCE guides.

1.3.1 Installing PC-DCE on Hosts Configured with Compaq DCE

Before installing PC-DCE on any Compaq DCE host, Compaq DCE must first be uninstalled. To preserve cell configuration information, replicate any Compaq DCE servers to PC-DCE server hosts prior to uninstalling Compaq DCE from cell server hosts.

1.3.2 DCE Director

Concurrent Access to Security Registry Entries

While DCE Director is accessing security registry entities (principals, accounts, groups, and so on), operations referencing these entities will fail if the entries are deleted from the registry by another DCE user.

Create Group Option in User Account Dialog Boxes

After creating a new group from the User Account dialog boxes, there is no immediate update to the group page or UNIX page. When you select a new page from the view or modify dropdown list, or press OK to proceed, the new group is added to the group page and the UNIX page.

DCE Director Failure

If DCE has not been properly configured and you try to start DCE Director, the application fails, but you may not receive any error messages.

Multiple Copies of the Same View

DCE Director allows the same view to be shown multiple times.

Changing User Account Passwords

To use the DCE Integrated Login feature, you must keep password information in the DCE Registry synchronized with password information in the NT security registry. Currently, modifying user account passwords with DCE Director changes the password only in the DCE Registry; the password in the NT security registry remains unchanged. At present, the only supported method for changing user passwords in both registries simultaneously is by using the Change Password button on the Windows NT Security dialog box (press Ctrl+Alt+Del to get this). Passwords will not remain synchronized if they are changed with the User Manager utility.

1.3.3 Configuration

Multi-homing

For Windows NT v4.0 systems: If you want to export bindings onto multiple network interfaces, you must either install Service Pack 4 or later service pack, or if you want to continue using Service Pack 3, obtain a hotfix from Microsoft. To obtain the hotfix, contact Microsoft, specify article Q188879, and request the hotfix. In addition, read the section in the PC-DCE Administrator's Guide on the environment variable RPC_UNSUPPORTED_NETIFS.

1.3.4 Administration

Running Applications With Old Runtime Versions Not Supported

If you build applications using the current PC-DCE Application Developer's Kit, you must run them with the PC-DCE runtime at the current revision or later.

DHCP Support

DHCP is supported on clients; however, DCE interfaces rely on a stable underlying address, and therefore DCE servers do not support DHCP.

ACL_EDIT, DTSCP, RGY_EDIT, and RPCCP

These programs are currently still available in PC-DCE but are no longer officially supported as most of their functionality is now encompassed in the DCE control program (dcecp). In addition, it is likely that these programs will be removed in future releases.

CDSCP

Because of The Open Group licensing changes, we no longer include cdscp with our Runtime Kits; however, it is included with our CDS servers.

Synchronizing Client Time with the Security Server

For synchronization to work from the client without the DTS daemon, you must run a DTS server (local or global) on the same machine as your master Security server.

Public Key Infrastructure Implementation

Because of incompatibilities between RFCs 68.3 and 68.4, PC-DCE Version 5.0 does not implement the OSF Version 1.2.2 Public Key Infrastructure (PKI) enhancement.

1.4 Known Problems and Restrictions

This section describes known problems and other restrictions for this and previous releases.

Known problems in previous releases are still in effect.

1.4.1 Known Problems and Restrictions in v4.0.1

1.4.1.1 DCE Setup

While DCE Setup is included with PC-DCE 5.0, it is not fully functional with this release. To configure DCE services, use the PC-DCE Configuration Panel.

1.4.1.2 DCE Director

Policy and Organization Restrictions

You cannot change the organization attribute of an account, and you cannot set policies such as minimum password length.

Removal of the ACL Entry Allowing the Group's Members to Add/Remove Members Does Not Work

If you modify a group to remove the ACL entry permitting its members to add or remove members, the change does not take effect.

To remove the ACL entry you must use the Visual DCE ACL Editor. With the CDS object highlighted in the Select a kind of object list, choose Access Control from the Actions Menu. Type in /.:/sec/group/groupname for the ACL path. Modify the ACL to remove the groupname entry.

1.4.1.3 Visual DCE ACL Editor

Displaying ACLs with More Than Eight Permissions

If you are editing an ACL belonging to a user-written ACL Manager that supports more than eight permissions, the necessary display width required may be larger than expected by the Visual DCE ACL Editor. If this is the case, the Visual DCE ACL Editor will cause an exception and not display the ACL.

To edit the ACL, use dcecp or acl_edit.

ACL Name not Passed to the Editor

If an instance of the Visual DCE ACL Editor is already running, and you select a directory using DCE Director and press the Access Control button, the existing Visual DCE ACL Editor window will be brought to the foreground but the new ACL will not be opened.

To open the ACL, choose Open from the ACL menu and type in the desired path.

Visual DCE ACL Editor Failure

If your machine has not been properly configured for DCE, and you try to start the Visual DCE ACL Editor, you may get the following error message:

An application error has occurred and an application error log is being generated.

To correct the problem, you need to properly configure DCE on your machine.

1.4.1.4 Development

Applications Developed Using Compaq DCE ADK

Applications developed with the Compaq DCE ADK are not compatible with PC-DCE. Such applications must be recompiled and relinked using the PC-DCE ADK. See the PC-DCE Developer's Notes for more information about migrating Compaq DCE applications.

Incorrect Dependency Error

During a compile, Microsoft Visual C/C++ Versions 4.2 and earlier may report the following dependent files are missing:

sys/file.h sys/lic.h

These Entegrity internal include files are commented out, but the Microsoft compiler fails to detect this. You can either ignore the error or upgrade to Visual C/C++ 5.0.

1.4.1.5 Other

Name Service Interface Daemon (nsid) and Windows 98

nsid is not currently functional on the Windows 98 operating system.

DCE Director and DCEsetup Help Files

Accessing DCE Director and DCEsetup help files through help buttons in dialog boxes and at the graphical interface works inconsistently. Launch these help files from the Help menu in each of these tools.

Integrated Login Timeout

If you restart a PC-DCE server or client system that uses Integrated Login, and the system is unable to contact a Master or Replica Security Server, the Windows login is halted. In this case, PC-DCE displays a message box that lets you choose to:

Routing File Syntax

DCE service routing is a specification of where DCE serviceability messages are logged. The dce_install_directory /opt/dcelocal/var/svc/routing file specifies the default routing(s) for serviceability messages from any DCE application server - including dced, cdsadv, dtsd, etc. For example, the routing FATAL:FILE:/tmp/service.log specifies that fatal messages are to be logged in the file /tmp/service.log.

DCE service library uses a colon (:) as the separator in a routing specification. Because of this, pathnames in the routing specification must use a percent sign (%) as a separator after the drive, if one is specified. For example, specify FATAL:FILE:C%/tmp/service.log rather than FATAL:FILE:C:/tmp/service.log. This limitation will be removed in a future release.

See section 9.4.2 of OSF DCE Administration Guide - Core Concepts for more information on DCE serviceability routing.
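
A pre-deployment check for the drive-letter rule above, as an added example that is not part of PC-DCE or of these release notes. The function names, the sample file contents and the treatment of `#` lines as comments are assumptions; only the severity:form:destination shape shown in this section is handled.

```python
import re

# Destination beginning with a drive letter and ':' (the form this section says to avoid).
DRIVE_COLON = re.compile(r"^([A-Za-z]):(?=[/\\])")
# Destination beginning with a drive letter and '%' (the form this section requires).
DRIVE_PERCENT = re.compile(r"^([A-Za-z])%(?=[/\\])")

# Constructed sample routing file contents (not taken from a real installation).
SAMPLE = """\
# constructed sample routing file
FATAL:FILE:C:/tmp/service.log
FATAL:FILE:C%/tmp/service.log
FATAL:FILE:/tmp/service.log
"""


def split_routing(spec):
    """Return (severity, form, destination) for 'severity:form:destination'."""
    # Only the first two colons are field separators for this check, so a
    # stray drive colon stays in the destination where it can be detected.
    parts = spec.strip().split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected severity:form:destination, got %r" % spec)
    return tuple(parts)


def fix_routing(spec):
    """Rewrite a drive-letter colon in the destination as '%'."""
    severity, form, dest = split_routing(spec)
    return ":".join((severity, form, DRIVE_COLON.sub(r"\1%", dest)))


def windows_path(spec):
    """Return the Windows path that a '%'-style destination refers to."""
    dest = split_routing(spec)[2]
    return DRIVE_PERCENT.sub(r"\1:", dest)


def lint_routing_file(text):
    """Return (line number, original, suggested) for lines needing the '%' form."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        fixed = fix_routing(line)
        if fixed != line:
            findings.append((number, line, fixed))
    return findings


if __name__ == "__main__":
    for number, original, suggested in lint_routing_file(SAMPLE):
        print("line %d: %s -> %s" % (number, original, suggested))
```

Running the check before a routing file is deployed catches a drive-letter colon while it is still a text edit, rather than after fatal messages have failed to reach the intended log.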

Cell Aliases

Cell renaming does not work reliably. The dcecp cellalias set command has been disabled in the Warranty Patch. A defect for The Open Group (OT 12864) has been opened for this problem. If you want to create an alternate cell name, use the cellalias create command. This will create a cell alias name without changing the primary cell name.

Cell alias names are not automatically propagated across cell boundaries. Use of cell aliases across cell boundaries is not supported.

Cell alias creation will fail if a cell includes DCE 1.0.x-based clients. The dcecp cellalias script attempts to update every cell-member host by contacting its DCE host daemon (dced). Once the script detects an error (such as failing on a 1.0.x-based client), it will proceed to undo the alias creation operation for the entire cell.

Transitive Trust

Transitive trust validation is performed using the pathname of the target principal. Transitive trust will succeed for a cell alias name only if there is a trust path expressed for that alias.

Ticket requests to alias names for the local privilege server are treated as foreign cell requests. At DCE 1.2.1, the privilege server removes ERAs from credentials requested by foreign cells. Therefore, credentials returned by ticket requests to alias names will not include ERAs.

The following scenario illustrates this limitation:

  1. Create old_cell.

  2. Add new_cell as an alias for old_cell.

  3. dce_login as /.../old_cell/user.

  4. Request credentials to application service /.../new_cell/service.

The credentials returned for /.../new_cell/service will not include ERAs. The privilege server treats the request to /.../new_cell as an intercell request from /.../old_cell to /.../new_cell, and removes any ERAs that may be attached to the principal.

Exception Mapping

Exception mapping from native to DCE exceptions is not supported in the OMF-compliant link library.

No DCED Support for the Auto Start Option

It is a limitation of The Open Group DCE 1.2.1 and consequently of the PC-DCE Version 5.0 implementation that dced cannot start up configured services on demand when the first RPC is made.

DCED and Endpoint Services

The PC-DCE Service Panel may currently show that dced is running in a light-weight configuration even if the Endpoint Service Only checkbox is selected in the Options tab of the PC-DCE Configuration Panel. In reality, only the Microsoft Endpoint Mapper will be running.

DCECP Limitations

The DCE control program (dcecp) may not be compatible with any existing TCL environment setup outside of the PC-DCE installation. In addition, you cannot execute commands by specifying the full path in dcecp.

Required DTS Servers in a Cell

DCE requires three DTS servers to be configured in a cell to ensure stable time management. Though this is the best case scenario, we acknowledge that there may be some situations where this may not be feasible.

To reset the number of required servers:

Use the dcecp command: dts modify-minservers #

or

Use the dtscp command: set servers required #

Where # is the minimum number of DTS servers you wish to require in your cell. This will improve efficiency in cells with fewer than three DTS servers, and prevent extra warning messages from being logged.

Security Server Mappings Invalid from Non PC-DCE Client

Due to a base DCE bug, clients contacting PC-DCE servers that use the Microsoft Endpoint Mapper will fail due to unrecognized protocol towers. Please check with your DCE vendor to see if they have addressed this problem, and reference The Open Group OT 13669.

1.5 Corrections to Documentation

1.6 Previous Releases — New Features

1.6.1 New in v5.0

The following list describes new major features for this release.

1.7 Previous Releases — Problems Fixed

1.7.1 Problems Fixed v5.0.1

Installing New Licenses via DCE Service Panel

There was a problem with installing a new license via the service panel. When an evaluation license expired, the service panel would no longer run. Now the service panel will run, but only the License button is available. As always, you can still access the license tool directly from the Windows Start button. Choose Start -> Programs -> Entegrity PC-DCE -> Tools -> License Installer.

Uninstalling PC-DCE If Installed with an Evaluation License

The uninstaller now runs even if the evaluation license has expired.

Integrated Login on Windows 2000 and Windows XP

Integrated login failed to work on Windows 2000 and XP. When installing the PC-DCE runtime, the installer failed to create all the registry entries needed to run integrated login. This has been fixed.

Local Administrator Script (preconfig.tcl) Simplified

Unnecessary groups and ACL assignments have been removed from the NetCrusader/Web portion of the split configuration script preconfig.tcl. Specifically, the wcsecad-admin group, which is not used, is no longer created. Also the Security Adapter's principal is no longer added to the cds-admin and dced-admin groups and the local administrator is no longer added to the ACL on /.:/subsys/www/wc-servers.

New Slave Now Receives Updates from New Master

Fixed the problem described in Entegrity Tech Note 411GR, Slave Does Not Receive Updates from New Master.

When configuring a master Security server, the host machine's self principal is now added to the ACLs for the /.:/sec/replist object and the /.:/subsys/dce/sec directory. Without these ACLs, if the master Security server becomes a slave then it would not be able to receive updates from the new master.

This change was made to dce_config.exe.

DCE Director Does Not Work After Master Security Server Made Replica

Fixed a problem related to the one described in Entegrity Tech Note 411GR, Slave Does Not Receive Updates from New Master.

DCE Director would not work once the master Security server was made a replica. The Director used to depend on the value of the Windows registry entry HKEY_LOCAL_MACHINE\Software\Gradient\DCE\Configuration\SecurityServerName, which becomes out-of-date when the master Security server becomes a slave. Now the Director retrieves the name of the master Security server from the CDS namespace.

Canceling Integrated Login Delayed Windows Login

Fixed a problem where cancelling integrated login too quickly would delay Windows login. A cancel button is displayed during the integrated login process. If the user clicked the cancel button as soon as it was displayed, the integrated login process would not be completely cancelled and the Windows login process would be delayed until some timeouts occurred or the user typed Ctrl-Alt-Del. This has now been fixed.

Waiting Pthread Not Always Canceled

Fixed a problem where one thread calling pthread_cancel() to cancel another thread that was waiting for pthread_join() to complete did not always result in the waiting thread being cancelled.

Memory Associated with a Login Context Not Always Released

Fixed a problem where sec_login_release_context did not always release all of the memory associated with a login context.




To make comments or ask for help, contact support@entegrity.com.

Copyright © 1997-2003 Entegrity Solutions Corporation & its subsidiaries