README for IBM(R) Distributed Computing Environment (DCE) for Windows NT(R), Version 2.2.3, and IBM DCE for Windows NT, Version 2.2 Engineering Change Order 8 (ECO8)

=====================================================
ABOUT THIS README FILE:

The contents of this README file are unchanged for versions prior to ECO8. See Part VII for new information about ECO8.

=====================================================
(C) Copyright IBM Corporation 2000, 2002. All rights reserved.

Note: See Part V, Section 8.0 Notices for complete copyright citation.

=====================================================
For the purposes of this document, three identifiers are used for the version of DCE: 2.2, 2.2.0, and 2.2.3.

When version 2.2.0 is used, the document is referring to the first release of the IBM DCE for Windows NT, Version 2.2 product.

When version 2.2.3 is used, the document is referring to the second release of the IBM DCE for Windows NT, Version 2.2 product.

When 2.2 is used, the document is referring to either the first or second release of the IBM DCE for Windows NT, Version 2.2 product.

Also, for the purposes of this document only, if IBM DCE for Windows NT, Version 2.2 is installed on a system with either the IBM DCE for Windows NT, Version 2.2 ECO1 or ECO2 Service Updates, the version 2.2.0 specification also applies.

ECO3 refers to the IBM DCE for Windows NT, Version 2.2 ECO3 Service Update. ECO3 upgrades IBM DCE for Windows NT, Version 2.2.0 to IBM DCE for Windows NT, Version 2.2.3. ECO3 incorporates fixes and provides the ability to run on the Microsoft(R) Windows(R) 2000 operating system.

ECO5 refers to the IBM DCE for Windows NT, Version 2.2 ECO5 Service Update. ECO5 incorporates fixes and provides the ability to run on the Microsoft(R) Windows(R) XP Professional (32 bit) operating system.

ECO6 refers to the IBM DCE for Windows NT, Version 2.2 ECO6 Service Update.
ECO6 incorporates fixes and provides the ability to run on the Microsoft(R) Windows(R) Server 2003 Enterprise Edition (32 bit) operating system.

ECO7 refers to the IBM DCE for Windows NT, Version 2.2 ECO7 Service Update. ECO7 incorporates fixes and provides the ability to run on the Microsoft(R) Windows(R) Server 2000/2003 (32 bit) operating system 'Terminal Server' environment.

ECO8 refers to the IBM DCE for Windows NT, Version 2.2 ECO8 Service Update. ECO8 incorporates fixes and provides the ability to run on the Microsoft(R) Windows(R) Vista Ultimate Edition (32 bit), Windows(R) Vista Business Edition (32 bit) and Windows(R) Vista Enterprise Edition (32 bit) operating system.

=====================================================
Windows 2000 considerations:

If you want to run IBM DCE for Windows NT on Windows 2000, you must have either IBM DCE for Windows NT, Version 2.2.3 or IBM DCE for Windows NT, Version 2.2.0 and ECO3.

* If you want to install IBM DCE for Windows NT, Version 2.2.3 directly on Windows 2000, no special installation instructions are necessary. See Part I for other important information.

* If you want to install IBM DCE for Windows NT, Version 2.2.0 on Windows 2000, refer to Part II. Section 1.3 of Part II contains important instructions for this installation.

* If you have DCE for Windows NT, Version 2.2.3 and are migrating a Windows NT machine with DCE for Windows NT, Version 2.2.0 installed on it to Windows 2000, refer to Part I, section 2.3 for important instructions. Refer to Part II, section 1.4 if you have ECO3.
=====================================================
Contents

Part I - README for IBM DCE for Windows NT, Version 2.2.3
  1.0 System Requirements
  2.0 Installation and Configuration
  3.0 Interoperability with Other DCE Systems

Part II - README for IBM DCE for Windows NT, Version 2.2 ECO3 Service Update
  1.0 Installation
  2.0 Contents of the IBM DCE for Windows NT, Version 2.2 ECO3 Service Update

Part III - Known Limitations and Important Notes

Part IV - README for IBM DCE for Windows NT, Version 2.2 ECO5 Service Update
  1.0 System requirements
  2.0 Unsupported features of Windows
  3.0 Installation
  4.0 Slim client
  5.0 New environment variables
  6.0 Supported compilers
  7.0 Windows XP filesystem ACL issue
  8.0 New error messages
  9.0 ECO APAR fixes

Part V - README for IBM DCE for Windows NT, Version 2.2 ECO6 Service Update
  1.0 System requirements
  2.0 Unsupported features of Windows
  3.0 Installation
  4.0 Integrated Login Enhanced
  5.0 Documentation
  6.0 ECO APAR fixes
  7.0 Supported Compilers
  8.0 Notices

Part VI - README for IBM DCE for Windows NT, Version 2.2 ECO7 Service Update
  1.0 System requirements
  2.0 Unsupported features of Windows
  3.0 Installation
  4.0 Documentation
  5.0 ECO7 APAR fixes
  6.0 Supported compilers
  7.0 Notices

Part VII - README for IBM DCE for Windows NT, Version 2.2 ECO8 Service Update
  1.0 System requirements
  2.0 Unsupported features of Windows
  3.0 Installation
  4.0 Documentation
  5.0 ECO8 APAR fixes
  6.0 Supported compilers
  7.0 Notices

Note: Last minute problems and notes might be documented at www.software.ibm.com/enetwork/dce.

=====================================================
Part I - README for IBM DCE for Windows NT, Version 2.2.3
=====================================================

IBM DCE for Windows NT, Version 2.2.0 includes separate packages for Commercial Data Masking Facility (CDMF) data masking (40 bit) and Data Encryption Standard (DES) encryption (56 bit).
Because the export regulations have become less restrictive since the 2.2.0 release, beginning with IBM DCE for Windows NT, Version 2.2.3, only the DES version is included. Any applications running in CDMF can be run in DES.

=====================================================
Part I Table of Contents

1.0 System Requirements
2.0 Installation and Configuration
  2.1 Disabling Anti-Virus Software
  2.2 Installing IBM DCE for Windows NT, Version 2.2.3 on Windows 2000
  2.3 Migrating from Windows NT 4.0 to Windows 2000
  2.4 Recommended Virtual Memory Size
  2.5 NetBIOS Interface
  2.6 SETUP.EXE and the Default Installation Directory
  2.7 Specifying Installation Components
  2.8 Optionally Installing the Additional Documentation Component
  2.9 Installing on FAT and NTFS Disks
  2.10 Files May Remain After Deinstallation
  2.11 Locating the Product Registration when reinstalling DCE
  2.12 ECO fixes
3.0 Interoperability with Other DCE Systems
  3.1 Interoperability Restrictions Between DCE Versions

=====================================================
1.0 System Requirements
=====================================================

Before you install the product, be sure you have one of the following:

  Windows 2000 Professional
  Windows 2000 Server
  Windows 2000 Advanced Server
  Windows NT Workstation 4.0 service pack 5, or higher
  Windows NT Server 4.0 service pack 5, or higher

NOTE: DCE does not support the Windows 2000 MultiLanguage Version.

To use the DCE for Windows NT ADK option, you must also have suitable compilers and linkers installed on your system. For Intel platforms, Microsoft Visual C++ 4.x, 5.0, 6.0 or IBM VisualAge(R) C++ 3.5 provide a compatible environment. For more information, please refer to Part III, Section 14.5, Use the -Gz Flag with the Visual C++ Compiler.
=====================================================
2.0 Installation and Configuration
=====================================================
2.1 Disabling Anti-Virus Software

To install IBM DCE for Windows NT on a system, you must disable any anti-virus software running on the system before you perform the installation.

=====================================================
2.2 Installing IBM DCE for Windows NT, Version 2.2.3 on Windows 2000

If you are installing IBM DCE for Windows NT, Version 2.2.3 directly on Windows 2000, no special installation instructions are necessary.

=====================================================
2.3 Migrating from Windows NT 4.0 to Windows 2000

If you have IBM DCE for Windows NT, Version 2.2.0 installed on Windows NT 4.0 and you want to migrate your operating system to Windows 2000, you must upgrade to IBM DCE for Windows NT, Version 2.2.3 before DCE can be functional. It is recommended that you install IBM DCE for Windows NT, Version 2.2.3 before migrating to Windows 2000. If you choose to install IBM DCE for Windows NT, Version 2.2.3 after the migration and auto-start is on, DCE will not start successfully.

=====================================================
2.4 Recommended Virtual Memory Size

You should set the virtual memory size to be twice as large as the system's physical memory. For machines running DCE servers, the following amount of physical memory is normally required (and perhaps more), depending on overall usage (for instance, number of accounts or number of directory entries):

  Windows NT - 64 Mb
  Windows 2000 - 128 Mb

If other subsystems also run on the same machine, additional physical and virtual memory might be needed based on the subsystem's requirements.

=====================================================
2.5 NetBIOS Interface

IBM DCE for Windows NT, Version 2.2.0 requires the NetBIOS Interface be available before installation. This is not a requirement for IBM DCE for Windows NT, Version 2.2.3.
=====================================================
2.6 SETUP.EXE and the Default Installation Directory

Installation of all DCE for Windows NT Version 2.2 kits uses the familiar Windows NT product installation procedure of running the program SETUP.EXE. The SETUP program does the following:

* Expands the product files and copies them to appropriate directories.
* Populates the Windows NT registry with information about the DCE software.
* Creates required environment variables.
* Creates DCE folders.
* If necessary, migrates your previous DCE configuration to a full DCE Version 2.2.3.

The default installation directory is \Program Files\DCE on the Windows boot drive.

=====================================================
2.7 Specifying Installation Components

All non-Slim Client installations require that the Runtime component be installed.

=====================================================
2.8 Optionally Installing the Additional Documentation Component

The installation procedure allows you to choose whether to install the additional documentation component that includes the OSF DCE documentation and the Problem Determination Guide. If you choose not to install this documentation, attempts to use hot links to these help files from installed help files will fail and will produce error messages.

=====================================================
2.9 Installing on FAT and NTFS Disks

You should install IBM DCE for Windows NT only on NTFS volumes. This is recommended since access to security credential files is permitted only to the user that creates the files. These access checks are only possible on NTFS volumes; FAT volumes do not support the necessary file access controls. IBM DCE for Windows NT will run properly if it is installed on a FAT volume, but is less secure than when installed on an NTFS system.
=====================================================
2.10 Files May Remain After Deinstallation

After successful deinstallation of this product, under certain circumstances files and directories may remain in the install tree under the installation directory, %DCELOC%. You can safely delete these files once the deinstallation has completed.

=====================================================
2.11 Locating the Product Registration when reinstalling DCE

When DCE is installed, you have the option to fill out the product registration. If you choose to do so, and then, at a later time, uninstall and reinstall DCE on a drive different from the initial install, you will receive an error when you attempt to start the product registration from either the icon or from the command line. The error will indicate that the ART.DLL file cannot be found. To correct this condition, you must modify the reg.reg file in the winnt directory by changing the path to the ART.DLL file to indicate the drive on which DCE is now installed.

=====================================================
2.12 ECO fixes

IBM DCE for Windows NT, Version 2.2.3 contains all the fixes described in Part II, Section 2.0.

=====================================================
3.0 Interoperability with Other DCE Systems
=====================================================

This product provides interoperability and source-level runtime compatibility with DCE systems from other vendors, as long as DCE implementations and applications conform to the OSF DCE Application Environment Specification (AES). IBM DCE for Windows NT has been tested with and is compatible with most other vendor DCE products that are based on the OSF DCE R1.0.3, R1.1, R1.2.1, or R1.2.2 code bases.

=====================================================
3.1 Interoperability Restrictions Between DCE Versions

There is a compatibility issue involving different versions of DCE Security components.
In general, you cannot configure a cell that includes a higher version security master with a lower version security replica. For example, you cannot configure a cell that includes an OSF DCE R1.1 Security server with an OSF DCE R1.0.3 Security replica. However, you can configure a higher version security replica to a lower version security master. In this case, you cannot use any feature provided by the higher version security services.

=====================================================
Note: See Part III for Known Limitations and Important Notes

=====================================================
Part II - README for IBM DCE for Windows NT, Version 2.2 ECO3 Service Update
=====================================================

IBM DCE for Windows NT, Version 2.2.0 includes separate packages for Commercial Data Masking Facility (CDMF) data masking (40 bit) and Data Encryption Standard (DES) encryption (56 bit). Because the export regulations have become less restrictive since the 2.2.0 release, beginning with IBM DCE for Windows NT, Version 2.2.3, only the DES version is included. You can install the ECO3 DES version on top of the CDMF version. Any applications running in CDMF can be run in DES.
=====================================================
Part II Table of Contents

1.0 Installation
  1.1 Disabling Anti-Virus Software
  1.2 Installing IBM DCE for Windows NT, Version 2.2 ECO3 Service Update
  1.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Windows 2000
  1.4 Migrating from Windows NT 4.0 to Windows 2000
  1.5 NetBIOS Interface
2.0 Contents of the IBM DCE for Windows NT, Version 2.2 ECO3 Service Update
  2.1 ECO3 APAR fixes, additions, and notes
  2.2 Windows NT DCE 2.0 product fixes
  2.3 ECO1 APAR fixes, additions, and notes
  2.4 ECO2 APAR fixes, additions, and notes

=====================================================
1.0 Installation
=====================================================
1.1 Disabling Anti-Virus Software

The installation of ECO3 might not proceed correctly when certain anti-virus software is running. It is recommended that you disable anti-virus software before installing this ECO. You can re-enable anti-virus software after installation is finished.

=====================================================
1.2 Installing IBM DCE for Windows NT, Version 2.2 ECO3 Service Update

Install ECO3 by running setup.exe from the ECO kit. The installation procedure detects which DCE products are installed (Runtime, Security, CDS, ADK, or Slim Client) and updates those products as necessary. If, after the installation of the ECO, the DCE installation is modified by adding other DCE products, the ECO must be reapplied.

The ECO can be applied while DCE is running. If DCE is running when you apply the ECO, you must restart DCE after installing the ECO for the ECO changes to take effect.

ECO3 can be applied to either the DES or CDMF versions of the IBM DCE for Windows NT, Version 2.2.0 product. After ECO3 is installed, the system will contain only the DES version.
=====================================================
1.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Windows 2000

If you want to install or reinstall IBM DCE for Windows NT, Version 2.2.0 on Windows 2000, do the following:

1. Set DCEKitDebug=-NoChecks
2. Set COPYCMD=/Y
3. Install IBM DCE for Windows NT Version 2.2.0
4. Install ECO3 (refer to Part II, section 1.2)

If you attempt to install IBM DCE for Windows NT, Version 2.2.0 on a Windows 2000 workstation without setting the DCEKitDebug environment variable, you receive the following message:

  NetBIOS Interface Service is required

The installation cannot continue.

If you attempt to reinstall IBM DCE for Windows NT, Version 2.2.0 on a Windows 2000 workstation without setting the COPYCMD environment variable, the reinstallation hangs during the migration phase.

If you attempt to install IBM DCE for Windows NT, Version 2.2.0 on a Windows 2000 workstation without subsequently installing ECO3, DCE cannot be functional.

=====================================================
1.4 Migrating from Windows NT 4.0 to Windows 2000

If you have IBM DCE for Windows NT, Version 2.2.0 installed on Windows NT 4.0 and you want to migrate your operating system to Windows 2000, ECO3 must be installed before DCE can be functional. It is recommended ECO3 be applied before migrating the operating system. If you choose to install ECO3 after the migration and auto-start is on, DCE cannot start successfully. For ECO3 installation instructions, refer to Part II, section 1.2.

=====================================================
1.5 NetBIOS Interface

Ordinarily, IBM DCE for Windows NT, Version 2.2.0 requires that NetBIOS Interface be available before installation. If the procedures outlined in Part II, section 1.3 are followed, the IBM DCE for Windows NT, Version 2.2.0 installation program does not check for this NetBIOS interface. After ECO3 is applied to IBM DCE for Windows NT, Version 2.2, the NetBIOS interface is not required.
=====================================================
2.0 Contents of the IBM DCE for Windows NT, Version 2.2 ECO3 Service Update
=====================================================

The sections that follow provide important information describing the improvements included in ECO3. This ECO supersedes all previous ECOs and contains all fixes from earlier ECOs. In addition, ECO3 provides the ability to run on the Microsoft Windows 2000 operating system.

=====================================================
2.1 ECO3 APAR fixes, additions, and notes

ECO3 contains the following APAR fixes:

IY10819 - Seg_v on 'set variable' in the TCL script causes a segmentation violation

  When a TCL script has a syntax error and a 'set variable' operation is attempted, a segmentation violation occurs instead of an error message.

IW00412 - Max object name length in CDS causes the error CDS_NOROOM

  If an object is created in CDS, the defined maximum name length results in the error CDS_NOROOM. A CDS_NOROOM error means that the name that was entered was too long.

IY10828 - Files and directories in DCE messaging need to be renamed

  When other applications use similar file names and directory structures as DCE in their locale messaging, DCE cannot co-exist with these applications. DCE renames the associated files and directories to prevent a clash when it is installed with other applications that use the LOCPATH environment variable.

=====================================================
2.2 Windows NT DCE 2.0 product fixes

ECO3 contains the following APAR fixes included from the Windows NT DCE 2.0 product:

IX88430 - auto-start dce sometimes does not get set when configured

  When auto-start DCE is selected during configuration, sometimes the auto-start does not get set. A retry loop was added to make sure DCEstart gets added to the registry. If any attempts to add the entry fail, an event log entry is posted. The retry count is 5.
IX88431 - dtsdate returns gmt time if tz=cst6cdt

  If the TZ environment variable is set to 'adjust for daylight saving time', for example TZ=cst6cdt, dtsdate returns the Greenwich mean time (GMT), not the local time. It works if the string does not indicate 'adjust for daylight saving time', for example TZ=cst6. This affects applications that use the UTC APIs to get the local time if their TZ environment variable is set.

IX88432 - DTS traps when configuring the 41st or 42nd client

  The dcesetup program traps when configuring a Distributed Time Service (DTS) client into a cell that already contains more than 40 DTS clients.

IX88433 - application servers cannot get authorization after creds expire

  You cannot start a DCE application that has inherited expired credentials if the application tries to set the expired credentials as its default context before establishing its own identity.

IX88434 - cds adv traps with 'illegal state transition...'

  The CDS Advertiser traps with "Illegal state transition detected in CN server association state machine [cur_state: %1$s, cur_event: %2$s, assoc: %3$x] (dce / rpc)" Error id - 0x0dce6144 error. This error was recorded in a file called "fatal.log" in $DCELOCAL/var/svc. You can upload this file to service.

=====================================================
2.3 ECO1 APAR fixes, additions, and notes

ECO3 contains the following APAR fixes included from ECO1:

IX89575 - cdecl idl compiler option is broken

  The cdecl idl compiler option produced incorrect stub code for both the server and client. This problem has been fixed. After you apply ECO1, recompile any Windows NT DCE 2.2 application using the 'idl' cdecl feature.

IY01505 - IBM DCE for Windows NT Access Control List (ACL) manager does not work with DFS(TM) (Distributed File Service) objects

  DCE has been enhanced to detect if DFS is installed on the system, and if so, the DFS ACL manager interface is enabled. From this interface, you can manipulate DFS ACLs.
IY01820 - krb5ccname is not removed from Windows NT registry after reboot

  When Windows NT DCE is configured with the 'Clean before start' option selected, the user credentials files are removed when the machine is rebooted. However, the krb5ccname was not being removed from the Windows NT registry. With this ECO, the krb5ccname is removed along with the credentials files. The user now has self-credentials after the system reboots.

IY01839 - interface sec_id_is_anonymous_pa needs to be exported

  The security API 'sec_id_is_anonymous_pa' needs to be exported for public access.

IY01851 - when marshalling an rpc return value of type error_status_t, a value of 1 is converted to 394113033

  In cross-platform environments, the error_status_t return type converts the value of 1 to 394113033. This does not happen when the client and server are both IBM installations. DFS relies on being able to return any value in error_status_t format.

ECO3 contains the following additions and notes from ECO1:

* When you limit the protocol to UDP only and run a 'show cell' command in dcecp, the CDS servers do not show.

* You can inhibit the "DCE login was successful" message at integrated login time. At the following Windows NT registry path:

    HKEY_LOCAL_MACHINE\SOFTWARE\DCEProvider\InstalledDCEProviders

  add the following key of type DWORD:

    ShowIntegLoginMsg

  The values to set are:

    0 (hex) --- Do not display the login successful message
    1 (hex) --- Display the login successful message

  In summary, if the key is not installed or the value is set to 1, the login successful message displays as before. If the key is installed and the value is set to 0, the message does not display. This affects only the "DCE login was successful" message. All other messages display as before.

* After configuring the Master Security Server, the group /.../{cell_name}/subsys/DEC/pc-users-servers did not exist. The configuration code now creates this group.
* The cell sometimes appears to hang when a security replica is configured into an existing cell. The replica fails to configure, and the master actually shuts itself down and puts the following in the log:

    1998-12-18-15:07:14.987-06:00I----- secd ERROR sec rs_rep rs_rep_mgmt.c 1426 0x3004ff70 msgID=0x17122E65 Software version incompatible with master's version. Server is going to exit

* When a DCE client made a Public Key Certificate login request to an AIX(R) DCE Security Server, the server sometimes returned an error. Based on the error code returned, a login retry is now executed.

=====================================================
2.4 ECO2 APAR fixes, additions, and notes

ECO3 contains the following APAR fixes from ECO2:

IY07746 - test.dce fails if the dce host name is more than 25 characters.

  When the Dcesetup ->Test program is run, the program fails with the following error when trying to skulk a cds directory:

    >>> *** Unable to skulk /.:/hosts/ directory
    >>> Requested entry does not exist (dce / cds)

  The cause of this error is attributed to the hostname getting truncated to 25 characters.

IY07758 - "Cache header corruption" error when backing up CDS

  Intermittently, when lots of data is being pushed through the CDS cache (such as during an operation to back up the CDS namespace), a "Cache header corruption" error is detected and posted to the fatal.log.

IY07762 - Secd spins and utilizes 99% of CPU

  When a system in the DCE cell (master/client) stays idle for a long time, secd starts spinning and utilizes 99% of the CPU.

ECO3 contains the following additions and notes from ECO2:

* New utility added - cdsli.exe

  This utility is used to display directories, sub-directories, objects, and so forth, in the CDS database. It is very useful in replicating/skulking recursive sub-directories to replicas. Usage information can be obtained by using the "cdsli -h" option.
* DTS clock adjustment rate is inadequate

  When an attempt is made to sync the client system clock with the DTS server in the cell, either by a forced sync or by a scheduled sync, the actual clock adjustment is not sufficient to keep the clock in sync if the machine clock drifts more than usual. If the drift is excessive, the clock adjustment cannot keep the clock within the required 5 minutes of the server.

* Duplicate free found in auditing

  When auditing is configured and if the system has a 6.x version of MSVCRT.DLL, problems with a duplicate free are seen. The problems are fixed in ECO2.

* Exec return code not passed to application during dce_login -exec

  When using the -exec option on dce_login, the return code from the exec'd executable is not passed to the application routine making the call.

* DCE configuration commands not detecting all interfaces

  Kerberos.dce does not detect interfaces on a host.

* DCE does not support octal numbers in IP addresses

  This is a known limitation in DCE, and decimal numbers should be used for IP addresses.
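
The octal limitation above matters because BSD inet_aton-style parsers read an octet with a leading zero as octal and a 0x prefix as hexadecimal, so one string can name two different hosts depending on which parser reads it. The following check is an added example, not part of this README or of DCE; the function names and the sample addresses are constructed for illustration.

```python
"""Added example: flag IPv4 literals whose octets are not plain decimal.

Not part of the IBM README or of DCE. Function names and the sample
addresses are constructed for illustration.
"""
import re

# An octet is either a hex literal (0x..) or a run of digits.
_OCTET = re.compile(r"^(0[xX][0-9a-fA-F]+|[0-9]+)$")


def classic_value(octet):
    """Value an inet_aton-style parser assigns: 0x.. is hex, 0.. is octal."""
    if octet.lower().startswith("0x"):
        return int(octet, 16)
    if len(octet) > 1 and octet.startswith("0"):
        return int(octet, 8)  # raises ValueError for the digits 8 and 9
    return int(octet, 10)


def check_ipv4(addr):
    """Return (ok, problems) for a dotted-quad string.

    ok is True only when every octet is unambiguous decimal in 0..255.
    """
    parts = addr.strip().split(".")
    if len(parts) != 4:
        return False, ["expected 4 dot-separated octets, got %d" % len(parts)]
    problems = []
    for i, part in enumerate(parts, start=1):
        if not _OCTET.match(part):
            problems.append("octet %d %r is not a number" % (i, part))
        elif part.lower().startswith("0x"):
            problems.append("octet %d %r is hexadecimal" % (i, part))
        elif len(part) > 1 and part.startswith("0"):
            decimal = int(part, 10)
            try:
                note = "octal reading %d vs decimal reading %d" % (
                    classic_value(part), decimal)
            except ValueError:
                note = "invalid as octal, decimal reading %d" % decimal
            problems.append(
                "octet %d %r has a leading zero (%s)" % (i, part, note))
        elif int(part) > 255:
            problems.append("octet %d %r is out of range" % (i, part))
    return (not problems), problems


def audit(addresses):
    """Map each rejected address to its list of problems."""
    report = {}
    for addr in addresses:
        ok, problems = check_ipv4(addr)
        if not ok:
            report[addr] = problems
    return report


# Constructed sample input (documentation-range and private addresses).
SAMPLE = ["192.0.2.10", "010.0.2.10", "192.0.2.08", "0xC0.0.2.10", "10.1.1.0"]

if __name__ == "__main__":
    for addr, problems in audit(SAMPLE).items():
        print(addr)
        for problem in problems:
            print("   ", problem)
```

Running the check over address lists before they are used in cell configuration catches entries such as 010.0.2.10, which reads as 8.0.2.10 under octal rules and 10.0.2.10 under decimal rules.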
=====================================================
Note: See Part III for Known Limitations and Important Notes

=====================================================
Part III - Known Limitations and Important Notes
=====================================================
Part III Table of Contents

1.0 Configuration Problems and Notes
  1.1 Setting the RPC_SUPPORTED_PROTSEQS Variable
  1.2 Could Not Authenticate as cell_admin During Client Configuration
  1.3 Problems Starting DCE When CDS Master Is Unavailable
  1.4 X.500 Names Cannot Include Underscore
  1.5 Failure in Client Configuration When DNS Server Not Available
  1.6 Unconfigure Failure If Cell Includes Group Name with Spaces
  1.7 Unconfiguring a Split Server Configuration
  1.8 After a Clean Command, Use Restart
  1.9 Updating Account Passwords to Expire in a Specific Time Frame
  1.10 Maximum Number of Password Strength Servers per Cell
  1.11 Hang during Client Configuration
  1.12 DTS Daemon status
  1.13 CDS Clerk refers to CDS advertiser
  1.14 SNMP Configuration
  1.15 Reconfiguring a CDS Replica
  1.16 DCE Daemons That Run As Windows NT Services
  1.17 dcecp unconfig.dce -config_type admin all_cl fails
  1.18 Clean on Auto Start Is Now Configurable
  1.19 Deleting a Client from a Cell with /.:/hosts directories replicated
  1.20 Warning Messages Issued During Stop
  1.21 Start Command Reports Success Status of Core DCE Services
  1.22 Shut Down Applications Before Unconfiguring a System
  1.23 dcecp unconfig.dce leaves keytab and hostdata files
  1.24 Successive Local Client Configurations Require Remote Client Delete First
  1.25 Partially Configured Components Need to Be Unconfigured
  1.26 Configuring when the CDS or Security servers have multiple IP addresses
  1.27 DHCP Configuration Change Requires Auto Start Reconfiguration
  1.28 Split Server Configuration Problem on Sun Transarc Systems
2.0 Configuration GUI (DCEsetup) Problems and Notes
  2.1 Cause of Server Configuration Option Being Disabled
  2.2 Client Configuration Remnants Remaining in Cell
  2.3 Registering a Cell in X.500
  2.4 Delay in Reporting Incorrect Password
  2.5 DCEsetup Requires the cell_admin Password Twice During Configuration Operation
  2.6 Security and CDS replicas should not be enabled when master servers are configured on the same machine
  2.7 Cleaning up if unconfigure fails
  2.8 Partially configured components
  2.9 Configuring a Security Only Machine
  2.10 CDS Replica name Field in Modify Dialog May Appear Blank
  2.11 Clobber Requires Additional Time for Stale Endpoint Cleanup
  2.12 Steps to Perform If a Server Unconfigure Operation Fails
  2.13 Browsing for Cells Feature Not Supported
  2.14 Warnings Issued When Unconfiguring a Remote Client
3.0 dcecp Problems and Notes
  3.1 dcecp Return Status
  3.2 dcecp and Forward Slashes
  3.3 dcecp server stop Command Restriction
  3.4 passwd_override and group_override Not Supported
  3.5 dcecp Host Show Command Restriction
  3.6 Non-English Environments Not Supported by Older Control Programs
  3.7 dcecp cdsclient show Command Restriction
  3.8 dcecp caching of global DCE credentials
  3.9 dcecp clock compare and dts show Command Restrictions
  3.10 dcecp cdscache dump Command Restriction
4.0 CDS Problems and Notes
  4.1 DCEsetup Cannot Delete and Recreate a Clearinghouse With the Same Name Immediately
  4.2 CDS Subtree Commands Not Supported
  4.3 Unable to Communicate with Any CDS Server Error
  4.4 Restriction in Deleting CDS Clearinghouses
  4.5 Purging the cds cache
  4.6 dcecp cdscache discard Command Restriction
  4.7 CDS Replica Unconfig Might Fail to Remove All References to Clearinghouse
5.0 Security Problems and Notes
  5.1 Run Windows 2000 DCE Security service on the Windows 2000 server
  5.2 Use of Reserved Error Codes
  5.3 Credentials from dce_login Available to All Windows
  5.4 Default Ticket Lifetime Policy
  5.5 Warning Message to Change Password
  5.6 User Must Change Initial DCE Password Manually
  5.7 Unpredictable Results from rgy_edit> properties Command
  5.8 Memory usage with rpc_binding_set_auth_info and sec_login_become_delegate
  5.9 sec_key_mgmt_* routines, ktadd and ktdelete subcommands of rgy_edit
  5.10 Changes required to use OSF DCE 1.0.3 ACL managers with DCE 2.2
  5.11 Establishing the intercell trust relationship
  5.12 Intercell Access from OSF DCE 1.2.2 Clients
  5.13 Extended Registry Attribute Limitations
  5.14 Aggregate Principal/Group/Organization Limitations
  5.15 DCE rdacl() Interface Limitations
  5.16 GSSAPI Intercell Limitation
  5.17 Principal Name Caching
  5.18 OSF 1.2.2 Public Key Notes and Problems
    5.18.1 Windows NT Support for OSF DCE 1.2.2 Public Key
    5.18.2 Incorrect dcecp commands for generating public key accounts in the DCE Administration Guide: Core Components
    5.18.3 Incorrect dcecp command for modifying a principal and attaching a pre_auth_req ERA specifying third-party preauthentication
    5.18.4 Missing example for using dcecp "account modify" to change the public key password phrase
  5.19 Public Key Certificate (PKC) Login Notes and Problems
    5.19.1 Required Entrust Technologies Products
    5.19.2 Draft Version of IETF PKINIT RFC
    5.19.3 dce_login -r
    5.19.4 Integrated Login
  5.20 DCE/Kerberos Interoperability Enhancements
    5.20.1 GSSAPI Interoperability Enhancement
    5.20.2 Support for postdated TGTs
  5.21 Starting a Client Configured As a Security Replica When CDS Master and Replicas Are Unavailable
6.0 DTS Problems and Notes
  6.1 Time Drift if DTS Stopped Abnormally
  6.2 Manual Time Synchronization Required After Restarting DCE
  6.3 Some DTS Error Messages Not Logged to Serviceability Logs
  6.4 Synchronization Delays with Time Providers
  6.5 DTS Daemon May Not Come Up After Migrating From Version 1.1C
  6.6 DTS Null Time Provider Does Not Get Detected
7.0 RPC Problems and Notes
  7.1 "Not an RPC Tower" Errors on non-Windows NT DCE Platforms
  7.2 Dynamic Loading and Unloading of DCE for Windows NT DLLs Not Supported
  7.3 IBM DCE for Windows NT, Version 2.2.3 and ECO3 RPC Changes
8.0 IDL Problems and Notes
  8.1 DCE Applications Should Be Built with __STDC__ Defined
  8.2 Use of MFC Classes Structures is not Supported in IDL Files
  8.3 IDL encoding/decoding service
  8.4 The Include Path Contains Directory Names with Spaces
9.0 Examples Problems and Notes
  9.1 Examples and Visual C++ 4.x
  9.2 Hardcoded Device Drive in generic_app Example
10.0 Serviceability Problems and Notes
  10.1 Debug Messaging is Only Partially Supported
  10.2 Routing Messages to a Log File
  10.3 dce_svc_register() vs. DCE_SVC_DEFINE_HANDLE
  10.4 Compiling and Linking Applications with Visual C++
11.0 Internationalization Problems and Notes
  11.1 Selecting Cultural Conventions During Install
  11.2 DCE control programs and commands
  11.3 DCE Install Directory
  11.4 Integrated login and DCE Internationalization
  11.5 Entrust Messages
  11.6 PKC Login with Double-Byte Character Sets (DBCS)
  11.7 Components that don't support internationalization
  11.8 Installing in a language other than English
  11.9 Installing translated versions of DCE
  11.10 Windows NT Code Page Considerations
12.0 Visual ACL Editor and DCE Director Problems and Notes
  12.1 Policy and Organization Restrictions
  12.2 Concurrent Access to Security Registry Entries
  12.3 Create Group Option in User Account Dialog Boxes Update Delay
  12.4 DCE Director Failure When DCE Has Not Been Properly Configured
  12.5 Multiple Copies of the Same View Allowed
  12.6 DCE Director Servers Display Contains Extraneous Characters in Title Bar
  12.7 Access Violation When Looking Up Time Server Details in GMT Time Zone
  12.8 Displaying ACLs with More Than Eight Permissions May Cause Exception
  12.9 Visual ACL Editor Failure When DCE Not Properly Configured
13.0 Documentation Problems and Notes
  13.1 dcecp server stop Command Restriction Not Documented
  13.2 Correction to DCEsetup Log File Creation and Archiving Process
  13.3 Correction to the OSF DCE Documentation for the Password Strength Server
  13.4 Customer-defined Serviceability Component Names
  13.5 Modification to the OSF DCE Documentation for EMS
  13.6 Missing Links to Helps from the DCE Director
GUI

14.0 General Problems and Notes
14.1 Pthreads APIs
14.2 Error Codes for IBM DCE for Windows NT Differ From Other Platforms
14.3 Migration with Autostart
14.4 Multiple Hardware Configurations
14.5 Use the -Gz Flag with the Visual C++ Compiler
14.6 _cdecl function pointers
14.7 dced_object_read_all Failures
14.8 Silent Install
14.9 Dynamic allocation of tcpip hostnames
14.10 Daylight Savings Time Issue for Some Time Zones

15.0 IBM DCE for Windows NT, Version 2.2 README Addenda
15.1 IBM DCE Client for OS/2(R)
15.2 Entrust/Entelligence Limitation
15.3 Configuration of the Identity Mapping Server
15.4 PKC (Public Key Certificate) Login with Reserved DCE Principals
15.5 Change in Auditing of Login Attempts
15.6 Auditing Name-Based Authorization
15.7 dcecp Commands Not Supported by Slim Client
15.8 Additional Information on DCE for Windows 95
15.9 Viewing Online Documentation directly from the CD

16.0 Trademarks

=====================================================
1.0 Configuration Problems and Notes
=====================================================
1.1 Setting the RPC_SUPPORTED_PROTSEQS Variable

If you need to restrict protocols on your system using the RPC_SUPPORTED_PROTSEQS environment variable, be sure to set the variable in the System Variables section of the environment rather than in the User Variables section. Setting the variable in the latter section will not properly restrict your protocol sequences.

=====================================================
1.2 Could Not Authenticate as cell_admin During Client Configuration

Before configuring a client, make sure the client and server share a common RPC protocol tower. If a protocol mismatch occurs (for example, one system has enabled UDP only and the other has enabled TCP only), client configuration will fail with the following error:

    Configuring the Security client...
    0xdce9021: Could not authenticate as cell_admin.
    0xdce95be: Configuration of the Security client failed.
At this point, if you attempt dce_login as cell_admin, you'll get an error:

    Sorry. You entered an invalid principal name or password. - Cannot find KDC for requested realm (dce / krb)
    Login was not Successful

You need to do a full unconfiguration of the client before reconfiguring it with the matching protocol tower.

=====================================================
1.3 Problems Starting DCE When CDS Master Is Unavailable

The successful start of DCE on a client in a cell where the CDS master is down but a CDS replica is available depends on whether the appropriate directories have been individually replicated into a CDS replica and skulked prior to CDS master shutdown.

1. Use dcecp> directory create -replica -clearinghouse or cdscp create replica commands to replicate the following directories:

       /.:/hosts
       /.:/hosts/
       /.:/hosts/
       /.:/hosts/

2. If skulking has not occurred, use dcecp> directory synchronize commands or cdscp set directory CDS_Convergence = high followed by cdscp set directory to skulk commands to /.:/hosts and /.: directories to ensure that skulking takes place immediately.

3. Now issue a Stop command on the client, followed by a Clean command. Once this is done, use the Start command on the client to start DCE.

To start a client with a CDS replica server when the CDS Master and all other replicas are unavailable, you need to start the CDS replica server manually using the Service Applet from the system Control Panel:

1. Start DCE from DCEsetup.

2. After the CDS Advertiser starts successfully, start the DCE CDS server service by hand:

   a) Bring up the system Control Panel and select Services.
   b) Select DCE CDS Server Service.
   c) Click the Start button.

=====================================================
1.4 X.500 Names Cannot Include Underscore

Depending on how you encode/decode an X.500 name, underscores within the name may not be supported. The underscore character is not allowed for PrintableStringSyntax.
The underscore is allowed for T61StringSyntax.

=====================================================
1.5 Failure in Client Configuration When DNS Server Not Available

If a DNS Server is not available on the network, a configuration may fail. To work around the problem, add the IP address and the hostname of the CDS Master server and Security Master server to the system's IP hostname database (typically, %windir%\system32\drivers\etc\hosts). Then, disable the "CDS Server is within Broadcast Range" option in DCEsetup, and specify the IP addresses for the server systems during the configuration.

=====================================================
1.6 Unconfigure Failure If Cell Includes Group Name with Spaces

Unconfiguring a CDS replica fails if the cell includes a group name with spaces in it. The workaround is to remove any such group: use the DCE Director to highlight the Groups object, then use the Actions->Delete menu option, specifying the name of the group to delete. After removing all group names containing spaces, unconfigure the client using DCEsetup.

=====================================================
1.7 Unconfiguring a Split Server Configuration

When unconfiguring a split server configuration, if you have security and CDS replicas configured in the cell, you must first unconfigure these replicas and then unconfigure the master CDS server and master Security server. Unconfiguring and reconfiguring only the CDS master is not supported. Be sure to unconfigure the CDS server before unconfiguring any Security server.

=====================================================
1.8 After a Clean Command, Use Restart

After executing a clean command, do a restart rather than a start. If a start is executed, auditd and dtsd may encounter startup problems.

=====================================================
1.9 Updating Account Passwords to Expire in a Specific Time Frame

When an account is created, the default behavior is that the password associated with the account is set so that it does not expire. However, you can change this. When changing how long a password is valid, from forever to a limited time, be aware that the new time (for instance, 1 hour) is added to the time of the last change in the account. If the account has not been changed since the initial DCE configuration, the new expiration time may already have elapsed. As a result, an application using the account will notice that the password update does not occur. It will not occur even if an associated password update thread uses sec_key_mgmt_manage_key, which watches for the expiration of the key (password) and updates the key automatically.

=====================================================
1.10 Maximum Number of Password Strength Servers per Cell

DCEsetup will only configure the default password strength server included with the product, and only one default password strength server can be configured in a cell at one time.

=====================================================
1.11 Hang during Client Configuration

If the "CDS Server is within Broadcast Range" box is checked during configuration, the client configuration may in some cases hang while waiting to contact the CDS server. This may occur if RPC_SUPPORTED_PROTSEQS is set to ncacn_ip_tcp at the client system. It may also occur if, for some reason, the server is not truly within broadcast range of the client. To work around this problem, specify the CDS server hostname during the client configuration.

=====================================================
1.12 DTS Daemon status

After you configure or start DTS, its status may appear as Not Running or Not available for up to 30 seconds even though the operation has completed. After 30 seconds, its status will appear as Running.

=====================================================
1.13 CDS Clerk refers to CDS advertiser

In DCEsetup, or when configuration operations are done from the command line, "CDS clerk" refers to the CDS advertiser (cdsadv).

=====================================================
1.14 SNMP Configuration

An intermittent problem may happen with the message "The update of cfg.dat failed for: ." when SNMP is selected to be configured. SNMP periodically opens cfg.dat and reads it to find out what servers are configured on the machine. If SNMP has the file open when the configuration needs to make updates to it, the configuration fails. The workaround is to unconfigure the component that failed and then select to configure it again (plus any other components that didn't get attempted as a result of the failed configuration). We recommend you configure SNMP after the rest of the machine is already configured.

=====================================================
1.15 Reconfiguring a CDS Replica

If you unconfigure a CDS replica, and you need to immediately reconfigure a CDS replica on the same client, then you need to perform the following steps (either through the dcecp command line or DCEsetup):

1. On the client, perform the following operations:
   * dcecp stop.dce
   * dcecp clean.dce

2. On the master server, perform the following operations:
   * dcecp stop.dce
   * dcecp clean.dce
   * dcecp start.dce

3. On the client, perform the following operation:
   * dcecp start.dce

=====================================================
1.16 DCE Daemons That Run As Windows NT Services

The following full DCE daemons run as Windows NT services: cdsd, secd, dced, idmsd, snmp, cdsadv, security replica (secd), and nsid. The remaining daemons, which are started by dced, run as detached processes: cds secondary (cdsd), dtsd, auditd, and password strength.
This is transparent to the user except for the Windows NT event log data, which will record stopping and starting of Windows NT services, but not detached processes. The user should rely on DCEsetup or dcecp to determine which DCE daemons are currently running.

=====================================================
1.17 dcecp unconfig.dce -config_type admin all_cl fails

The command

    dcecp unconfig.dce -config_type admin all_cl

fails because the host does not have access to the configuration information of the remote client. Use the following command instead:

    dcecp unconfig.dce -config_type admin all

=====================================================
1.18 Clean on Auto Start Is Now Configurable

DCE Auto Start can now be configured to perform a database Clean operation before starting DCE services. In previous releases, this capability was enabled by defining the system environment variable DCE_AUTOSTART_CLEAN. This feature is now enabled using options in DCEsetup or dcecp config.dce.

=====================================================
1.19 Deleting a Client from a Cell with /.:/hosts directories replicated

To successfully delete a client from a cell where multiple CDS replicas are available and the host directories have been replicated, you must issue the following commands before you unconfigure the client:

1. dcecp> directory delete /.:/hosts/ -replica -clearinghouse /.:/ for replicated directory
2. dcecp> directory synchronize /.:/hosts
3. dcecp> directory synchronize /.:

=====================================================
1.20 Warning Messages Issued During Stop

Due to the order in which DCE services are stopped, warning messages may be recorded by DCED in a warning.log file regarding interfaces that cannot be unexported. These messages can be safely ignored.

=====================================================
1.21 Start Command Reports Success Status of Core DCE Services

When a Start command is issued, the success status returned by this command is determined by the ability to start the core DCE services such as dced, CDS, and Security. If other noncritical daemons such as DTS or Audit do not start successfully, this does not affect the success status reported by the Start command.

=====================================================
1.22 Shut Down Applications Before Unconfiguring a System

Before unconfiguring or clobbering DCE on your system, be sure to stop any DCE applications running on that system, including dcecp, DCEsetup, or any other DCE control program. Leaving DCE applications running may prevent unconfig/clobber from cleaning up CDS user caches properly and is likely to cause problems during subsequent configurations.

=====================================================
1.23 dcecp unconfig.dce leaves keytab and hostdata files

Running the command

    dcecp unconfig.dce -config_type local all

will not remove hostdata and keytab files unless these files have been stored in the dcelocal/var/dced directory. You can use the -storage option when creating a hostdata or keytab file to specify the file location.

=====================================================
1.24 Successive Local Client Configurations Require Remote Client Delete First

After the initial Local Client configuration has been performed on a system, any attempt to perform another Local Client configuration for the same system requires that the cell administrator first issue a DCEsetup Remote Client Delete command for this host. Successive Local Client configurations without this intermediate step are not supported.

=====================================================
1.25 Partially Configured Components Need to Be Unconfigured

If a component's state is shown as partial config, you must unconfigure that component before you request any other configuration changes.

=====================================================
1.26 Configuring when the CDS or Security servers have multiple IP addresses

When configuring an IBM DCE for Windows NT, Version 2.2 client system, if your CDS or Security servers have multiple IP addresses, you must specify the IP address, rather than the hostname, of the server.

=====================================================
1.27 DHCP Configuration Change Requires Auto Start Reconfiguration

If you change the DHCP configuration for a machine after Auto Start has been configured, you must reconfigure Auto Start before the next reboot. Otherwise, DCE does not start up at reboot.

=====================================================
1.28 Split Server Configuration Problem on Sun Transarc Systems

Split server configurations using Transarc's DCE Version 2.0 product on Solaris Version 2.6 will fail if you attempt to configure the CDS Directory server on the Solaris machine. The following error appears in the log on the Solaris machine:

    ERROR acl_edit - modifying ACLs in the registry.
    Message from acl_edit: ERROR: at least one control permission bit required on acl (dce / sec)

=====================================================
2.0 Configuration GUI (DCEsetup) Problems and Notes
=====================================================
2.1 Cause of Server Configuration Option Being Disabled

The Create Server option on the Configuration menu will be disabled if the required server images are not installed. If either the CDS or Security component is installed, the Server Configuration option is available.
If only one component is installed, the server configuration option is still available, but you will receive error messages if you select the component that is not installed. During configuration, DCEsetup does not check if a specific component (that is, CDS or Security) is installed, and the designated configuration options appear to execute as requested. Any errors due to a component not being installed are logged to the cfgdce.log file in %DCELOC%\dcelocal\etc.

=====================================================
2.2 Client Configuration Remnants Remaining in Cell

Under some circumstances, remnants of a client configuration may remain in the cell, causing subsequent attempts to configure a client to fail. Some examples of what might cause this include:

* Using Clobber instead of Unconfigure to unconfigure the client
* Failure of Unconfigure due to communication failure between client and server
* Adding and then removing a CDS replica, leaving data in the cache code

If you suspect that remnants of a client configuration remain in the cell, follow this procedure:

1. On the client, issue the following dcecp command:

       unconfig.dce -config_type local component_to_unconfig

2. From another host, issue the following dcecp command:

       unconfig.dce -config_type admin -dce_hostname host_name_of_client_that_failed -host_id [ip_address or dns_name] component_to_unconfig

You should now have a clean host. In the case of adding, then removing a CDS replica, also check the CDS cache at the server to see if it contains stale clearinghouse data (an entry for a CDS replica that has since been removed from the cell). If stale data exists, do a Clean operation at the server to stop and delete caches.

=====================================================
2.3 Registering a Cell in X.500

IBM DCE for Windows NT allows Windows NT cells to be registered with X.500 servers. To do this, follow these steps:

1. At the system where the X.500 server is running, create a dua.defaults file.
   Do this with the dua_configure shell script. The presentation address in the dua.defaults file must be in RFC1006 format. To do this, perform these steps:

   a) On the system where the X.500 server resides, determine the RFC1006 presentation address string by obtaining the host dna address (for example, abc.lkg.ced.com). Use this address as part of the presentation address, as shown in the following address:

          "DSA"/"DSA"/"DSA"/RFC1006+abc.lkg.ced.com,RFC1006

   b) Also on this system, add this address to the dsa's presentation addresses in ncl:

          ncl> set dsa presentation address 'paddr_w_rfc_addr'

      where paddr_w_rfc_addr is the presentation address with the RFC address appended to the end. An example of this follows:

          "DSA"/"DSA"/"DSA"/NS+490011AA000021,CLNS| RFC1006+abc.lkg.ced.com,RFC1006

      If you use the ncl show dsa presentation address command now, the address will appear in a different format.

   c) The following is a sample dua.defaults file with the RFC presentation address followed by the CLNS address:

          DUA.KnownDSAs.paddr ="DSA"/"DSA"/"DSA"/NS+006630141054, RFC1006|NS+490004AA000300C71021,CLNS
          DUA.KnownDSAs.ae_title = /O=dec/CN=dsa1
          #DUA.PreferChaining = true
          #DUA.ChainingProhibited = false
          #DUA.LocalScope = false
          #DUA.DontUseCopy = false
          #DUA.DontDereferenceAliases = false
          #DUA.ScopeOfReferral = DMD
          #DUA.TimeLimit =.60
          #DUA.SizeLimit = 30
          #DUA.Priority = Medium
          #DUA.DomainRoot = /
          #DUA.InitialEntry = /

2. Copy the dua.defaults file to your Windows NT system directory (%SystemRoot%; for example, C:\WINNT). Rename dua.defaults to dxd_dua.dat.

3. At your local host, execute X.500_addcell.exe from the command line.
   The syntax for the call is:

       X.500_addcell -o 7 -c cellname -p n

   where:

       -o   X.500 object class; should always be 7
       -c   Local Windows NT cell name that is to be registered
       -p   Either n or y, depending on whether the user wants to overwrite an existing entry with the same name

   For example, the syntax should be:

       o=ced/cn=mycell

=====================================================
2.4 Delay in Reporting Incorrect Password

If you enter the wrong password in DCEsetup, you will not immediately see an error message. Instead, DCEsetup reports the error once DCE credentials are required. At this point, the command fails and you should retry your operation with the correct password. The following error message is recorded in the log:

    Unable to authenticate as cell_admin

If the failure occurs during configuration, you might have a partially-configured cell. You must unconfigure before retrying your original operation.

=====================================================
2.5 DCEsetup Requires the cell_admin Password Twice During Configuration Operation

DCEsetup requires that you enter the cell_admin password twice when you are performing a configuration operation. The second time is required for unconfiguring any previous configurations. This second cell_admin password is the one that was used for the previous configuration.

=====================================================
2.6 Security and CDS replicas should not be enabled when master servers are configured on the same machine

DCEsetup will allow you to indicate that you want to add a Security or CDS Replica at a host that is already a Security Master or CDS. This is not supported and an error will be returned if this option is attempted.

=====================================================
2.7 Cleaning up if unconfigure fails

If, for some reason, an unconfigure fails, perform the following steps to clean up the server configuration:

* Use clobber to clean up the old configuration.
* If the DCE daemons still do not go away, use win32_ps to show the process id and win32_kill to kill the daemon processes, then perform 'clobber' again.

If unconfigure does not work for a client configuration, you should:

* Use clobber to clean up the local configuration.
* Use unconfigure -config_type admin at the cell's server to remove any remnants of the client config from the cell.

=====================================================
2.8 Partially configured components

If a component's state is Partial Config, you will need to unconfigure that component before requesting any other configuration changes.

=====================================================
2.9 Configuring a Security Only Machine

It is possible to configure a security server only machine with no directory server (or DCE cell). We recommend you use the "dcecp config.dce" command line to do so.

=====================================================
2.10 CDS Replica name Field in Modify Dialog May Appear Blank

If you have demoted a CDS Master replica to a CDS Read-only replica and you attempt a Modify operation within DCEsetup, the Directory tab on the Modify menu will not properly show the CDS Replica name field; it will be blank. Although the field does not display the replica name, you can successfully remove this read-only replica.

=====================================================
2.11 Clobber Requires Additional Time for Stale Endpoint Cleanup

The Clobber operation's functions include removing stale DCE daemon endpoints from the RPC endpoint mapper. Removal of the endpoints prevents communications problems that might result from clients attempting to contact daemons using stale endpoints. Because of this additional work, Clobber may take longer than expected.

=====================================================
2.12 Steps to Perform If a Server Unconfigure Operation Fails

If for some reason a server unconfigure operation fails, DCE processes may be left running.
Perform the following steps to clean up the server configuration:

1. Use the DCEsetup Clobber operation under the Administration menu to clean up the old configuration.

2. If DCE daemons are still running, use the win32_ps utility provided with the kit to display the process IDs for the daemons. Next, use the provided win32_kill utility to stop the daemon processes.

3. Perform the Clobber operation again.

=====================================================
2.13 Browsing for Cells Feature Not Supported

Browsing for available cells on the network, which was an option available in Version 1.1C, is not supported in Version 2.2. You must enter the name of the cell that you want to join.

=====================================================
2.14 Warnings Issued When Unconfiguring a Remote Client

The DCEsetup Remote Client Delete option executes an unconfig command using the all qualifier. The all qualifier is necessary because the local system does not know what is configured on the remote system and must attempt to unconfigure everything. During this type of unconfiguration, a number of warnings are issued, and these can be safely ignored.

=====================================================
3.0 dcecp Problems and Notes
=====================================================
3.1 dcecp Return Status

The status returned by the dcecp command scripts always refers to the success of invoking the script rather than the outcome of the script once invoked. For example, config.dce reports the status of its ability to invoke the specified script rather than the status of its execution.

=====================================================
3.2 dcecp and Forward Slashes

If you encounter a problem with a dcecp command while using backward slashes, use forward slashes instead. For example, the command "dcecp -c audtrail show C:/progra~1/dce/dcelocal/var/audit/adm/central_trail" works. If backward slashes are used in the full path of the file, it will fail.

=====================================================
3.3 dcecp server stop Command Restriction

As stated in the OSF DCE Command Reference online help file, the dcecp> server stop command does not support the soft and error methods for server termination on Windows NT. On UNIX(R) implementations, the soft method is used to send a SIGTERM signal to a server; it is a convenient way to signal the server to attempt an orderly shutdown.

=====================================================
3.4 passwd_override and group_override Not Supported

IBM DCE for Windows NT does not support passwd_override and group_override functionality. The dcecp> hostdata show and acl show commands will fail with a "permission not valid for this acl" error if you attempt to show the information for these objects.

=====================================================
3.5 dcecp Host Show Command Restriction

The dcecp> host show hosts/ command displays the state of running processes that have been registered through the DCE application server interface (dced) on the hostname system. For example, the states of dts and auditd, if configured, will be shown. This command is appropriate only for hosts running OSF DCE R1.1 or later.

=====================================================
3.6 Non-English Environments Not Supported by Older Control Programs

dcecp replaces several older control programs (cdscp, dtscp, rpccp, acl_edit, rgy_edit, sec_admin). These older programs were not designed for international use, and they might give unexpected or undesirable results when used in non-English environments.

=====================================================
3.7 dcecp cdsclient show Command Restriction

The dcecp> cdsclient show command is appropriate only for clients running OSF DCE R1.1 or later.

=====================================================
3.8 dcecp caching of global DCE credentials

Within a dcecp script file, if you dce_login and then perform a kdestroy, klist will show the old credential information. This is due to the fact that dce_login and kdestroy update the system-wide credentials pointer in the Windows NT Registry, which dcecp caches and which cannot be updated during a kdestroy. This may cause additional problems within dcecp following the kdestroy. To avoid this problem, use the dcecp login command instead of dce_login (within dcecp, login {username}).

=====================================================
3.9 dcecp clock compare and dts show Command Restrictions

The dcecp> clock compare and dcecp> dts show commands may return erroneous results when attempting to query information for DTS servers residing on systems running versions of DCE for Digital UNIX and DCE for OpenVMS prior to OSF DCE R1.2.2 (i.e. pre-V3.0).

=====================================================
3.10 dcecp cdscache dump Command Restriction

Currently, the dcecp> cdscache dump command can be used only from the Administrator account. Because this command displays only the private/user cache information particular to the current user, this command cannot be used to display complete cache information for any user other than the Administrator. The cdscp dump clerk cache command does not require the user to be Administrator. Use this command to display private/user cache information.

=====================================================
4.0 CDS Problems and Notes
=====================================================
4.1 DCEsetup Cannot Delete and Recreate a Clearinghouse With the Same Name Immediately

Due to a limitation in OSF DCE, it is not possible to delete a CDS clearinghouse and immediately recreate the clearinghouse with the same name. CDS reports the error "Unable to communicate with any CDS server."
Workarounds for this limitation are:

Use a different name for the new clearinghouse.

OR...

Wait until the CDS master server refreshes its security credentials (dependent on credential lifetime defined by cell policy, generally 24 hours).

=====================================================
4.2 CDS Subtree Commands Not Supported

DCE for Windows NT V1.1C provided cdscp subtree commands as a product enhancement. These commands are no longer supported through cdscp; however, they are partially supported through dcecp commands. The following dcecp commands provide functionality previously supplied through the subtree commands:

    dcecp directory merge-tree
    dcecp directory delete-tree

=====================================================
4.3 Unable to Communicate with Any CDS Server Error

If a CDS replica is down, then the cds commands "dir sync" or "set new epoch" result in an error "Unable to communicate with any CDS server." As part of its operation, a "set new epoch" does a background skulk, which is the equivalent of a "dir sync". A skulk attempts to contact every clearinghouse in the cell. If one or more clearinghouses are down, the skulk will fail and return with the error "Unable to communicate with any CDS server." This is, according to the OSF documentation, "what is expected and normal operation". Since the skulk will periodically retry to reach the clearinghouse it could not contact, the workaround is to wait for a while and retry it.

=====================================================
4.4 Restriction in Deleting CDS Clearinghouses

After you create a CDS clearinghouse, if you need to delete it immediately, it is recommended that you wait several seconds before attempting the deletion. This allows CDS time to replicate the root directory properly. Otherwise, you may receive the error, "Directory must be empty to be deleted."

=====================================================
4.5 Purging the cds cache

In previous releases, purging the cds cache could be accomplished by running the following command:

  dcecp -c cdscache discard

With the addition of inline clerk and cache design changes for IBM DCE for Windows NT, Version 2.2, you must now do the following to ensure that every process gets a new cache:

1. Stop all dce processes including dfs by running:

     dcecp stop.dce
   and
     dcecp stop.dfs

   Additionally, all user processes that use dce (for example, Encina) must also be stopped.

2. Run the following command:

     dcecp -c cdscache discard

3. Restart dce, dfs, and all user processes that were stopped.

If any dce processes remain running when step 2 is run, it is likely that a new cache will not be created and stale data will remain in the cache. Step 1 (stopping processes) removes the in-memory cache, while step 2 removes the cache files.

=====================================================
4.6 dcecp cdscache discard Command Restriction

The use of the [server_name] argument with the dcecp> cdscache discard command is not supported.

=====================================================
4.7 CDS Replica Unconfig Might Fail to Remove All References to Clearinghouse

As part of unconfiguring a CDS Replica server, DCE might not properly remove the unconfigured clearinghouse from the entire list of directories that had been replicated in this clearinghouse. As a result, some error messages might appear during the unconfigure operation. The cell administrator must manually exclude this clearinghouse from all directories that had been replicated within it using the "cdscp set directory to new epoch master" command for each directory.
=====================================================
5.0 Security Problems and Notes

=====================================================
5.1 Run Windows 2000 DCE Security service on the Windows 2000 server

The Kerberos Service on the Windows 2000 server listens on the well-known port 88. You must assign another port to the Kerberos Service on the Windows 2000 DCE security server to avoid the conflict. To do this, add the following line:

  kerberos5 89/udp

to the file:

  %windir%\system32\drivers\etc\services

where:

  89 is an available port number (you may select another port number).

If this is not done, DCE can still be configured, but KDC in DCE will not work properly.

=====================================================
5.2 Use of Reserved Error Codes

Some of the reserved error codes in OSF DCE R1.0.3 are used in OSF DCE R1.1 (or later). A DCE for Windows NT 2.x client is unable to translate the error if it receives one of the following errors from a DCE R1.1 server:

  sec_rgy_PADc (231637157)
  sec_rgy_PADd (231637158)
  sec_rgy_PADe (231637159)
  sec_rgy_PADf (231637160)

To obtain the error message, use the sts2msg command as in the following example:

  sts2msg 231637158

The error message is then displayed; for example:

  msgID=0xDCE80A6 Password is too short

=====================================================
5.3 Credentials from dce_login Available to All Windows

By default, credentials obtained from dce_login are available to all windows. Optionally, you can use dce_login -w to limit dce_login to the current window.

=====================================================
5.4 Default Ticket Lifetime Policy

You should not change the default ticket lifetime policy to be longer than 24 days (or 2,147,483.648 seconds). If you do so, the result may be an infinite loop in the security daemon and, possibly, in other daemons.
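To verify the services-file change described in section 5.1, the following C program (an added example, not part of the IBM README or the DCE product) parses services-file text and reports whether a kerberos5 udp entry exists, whether it still points at port 88, and whether another udp service already claims the chosen port. The sample file contents, the example-svc service name and the first-match lookup order are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DCE_KDC_SERVICE  "kerberos5"  /* service name from section 5.1 */
#define WINDOWS_KDC_PORT 88           /* port held by the Windows 2000 KDC */
#define WS " \t\r\n"

/* OK: kerberos5/udp is on an unclaimed port; MISSING: no kerberos5/udp entry;
 * IS_88: entry still points at port 88; COLLIDES: port used by another service. */
enum kdc_port_status { KDC_PORT_OK, KDC_PORT_MISSING, KDC_PORT_IS_88, KDC_PORT_COLLIDES };

struct svc_entry { int port; char proto[16]; int is_dce_kdc; };

static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* Parse "<name> <port>/<proto> [aliases...] [# comment]".
 * Returns 1 on success, 0 for blank, comment-only or malformed lines. */
static int parse_service_line(const char *line, struct svc_entry *out)
{
    char buf[256], *hash, *tok, *slash, *end;
    long port;

    snprintf(buf, sizeof buf, "%s", line);
    if ((hash = strchr(buf, '#')) != NULL)
        *hash = '\0';                          /* drop trailing comment */
    if ((tok = strtok(buf, WS)) == NULL) return 0;
    out->is_dce_kdc = eq_nocase(tok, DCE_KDC_SERVICE);
    if ((tok = strtok(NULL, WS)) == NULL || (slash = strchr(tok, '/')) == NULL) return 0;
    *slash = '\0';
    port = strtol(tok, &end, 10);
    if (end == tok || *end != '\0' || port < 1 || port > 65535) return 0;
    out->port = (int)port;
    snprintf(out->proto, sizeof out->proto, "%s", slash + 1);
    while ((tok = strtok(NULL, WS)) != NULL)   /* an alias also names the service */
        if (eq_nocase(tok, DCE_KDC_SERVICE))
            out->is_dce_kdc = 1;
    return 1;
}

/* Copy the next line of text into line[]; returns the rest, or NULL at end. */
static const char *next_line(const char *p, char *line, size_t size)
{
    size_t len, n;
    if (*p == '\0') return NULL;
    len = strcspn(p, "\n");
    n = len < size - 1 ? len : size - 1;
    memcpy(line, p, n);
    line[n] = '\0';
    return p[len] == '\n' ? p + len + 1 : p + len;
}

/* Check the text of a services file. On KDC_PORT_OK, KDC_PORT_IS_88 and
 * KDC_PORT_COLLIDES, *port_out holds the port assigned to kerberos5/udp. */
enum kdc_port_status check_dce_kdc_port(const char *text, int *port_out)
{
    char line[256];
    struct svc_entry e;
    const char *p;
    int kdc_port = -1;

    /* Pass 1: the first kerberos5 udp entry wins (assumed lookup order). */
    for (p = text; kdc_port < 0 && (p = next_line(p, line, sizeof line)) != NULL; )
        if (parse_service_line(line, &e) && e.is_dce_kdc && eq_nocase(e.proto, "udp"))
            kdc_port = e.port;
    if (kdc_port < 0) return KDC_PORT_MISSING;
    *port_out = kdc_port;
    if (kdc_port == WINDOWS_KDC_PORT) return KDC_PORT_IS_88;

    /* Pass 2: any other udp service on the same port is a conflict. */
    for (p = text; (p = next_line(p, line, sizeof line)) != NULL; )
        if (parse_service_line(line, &e) && !e.is_dce_kdc &&
            eq_nocase(e.proto, "udp") && e.port == kdc_port)
            return KDC_PORT_COLLIDES;
    return KDC_PORT_OK;
}

/* Constructed sample input, not copied from a real system. */
static const char SAMPLE_SERVICES[] =
    "# constructed sample\r\n"
    "kerberos      88/tcp   krb5 kerberos-sec   # Kerberos\r\n"
    "kerberos      88/udp   krb5 kerberos-sec   # Kerberos\r\n"
    "example-svc   90/udp\r\n"
    "kerberos5     89/udp                       # DCE KDC\r\n";

int main(void)
{
    int port = 0;
    enum kdc_port_status st = check_dce_kdc_port(SAMPLE_SERVICES, &port);
    printf("kerberos5/udp status %d, port %d\n", (int)st, port);
    return st == KDC_PORT_OK ? 0 : 1;
}
```

To audit a real system, read %windir%\system32\drivers\etc\services into a buffer and pass it to check_dce_kdc_port() in place of the sample text.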
===================================================== 5.5 Warning Message to Change Password OSF DCE R1.2.2 has set up a mechanism whereby a warning message is placed in stderr if the cell_admin account password has not been changed. This is just a warning message, encouraging DCE administrators to change certain privileged accounts (such as cell_admin password) after DCE configuration. However, the dcecp exec command checks to see if there is anything in the stderr file before returning from the exec command. Since the warning, "Password must be changed!" is in the stderr file, the exec command returns an error. To avoid this, change the cell_admin account password, using the rgy_edit> change command. NOTE: The dcecp command dcecp> account modify cell_admin -password does change the password but does not affect the stderr message. Use the rgy_edit> change command to change the password and avoid the stderr message. ===================================================== 5.6 User Must Change Initial DCE Password Manually If a user account is created with the "User must change password at next logon" flag set, which is the default for Windows NT Version 4.0, the user is prompted for a new password the next time he or she logs in to the system. A change made to the operating system password at this prompt is not automatically propagated to the DCE registry database, even if the integrated login option is set. Initially, the user must change the DCE password using the rgy_edit command in order to synchronize the password across the operating system and DCE. ===================================================== 5.7 Unpredictable Results from rgy_edit> properties Command If you have a Security master running the DCE for Windows NT Version 2.0 product or later and you issue the rgy_edit> properties command from a client running OSF DCE pre-R1.2.1 software, you may experience unpredictable results. 
In order to view the registry properties, you must issue the command from a machine running DCE for Windows NT, Version 2.0 or later. ===================================================== 5.8 Memory usage with rpc_binding_set_auth_info and sec_login_become_delegate The DCE runtime library caches data structures from RPC activity and authentication activity in order to improve performance on repeated RPC calls to the same server. This information is generally kept for up to ten minutes after the last call before it is freed. Under certain circumstances, this caching can result in increased memory usage. If a client does repeated calls to rpc_binding_set_auth_info with different identities each time, new data structures are created and cached for each new identity. In addition, sec_login_become_delegate will also create these cached data structures for each new delegation. Clients or intermediate servers that make many repeated calls like this will show memory growth proportional to the number of new identities created in a ten minute interval. This memory is eventually reused for new identities, but the steady state process size can be large in very active scenarios. ===================================================== 5.9 sec_key_mgmt_* routines, ktadd and ktdelete subcommands of rgy_edit You do not have to use a "FILE:" prefix with these commands and routines. In the documentation, the "FILE:" prefix is part of the required format for these commands and routines. However, if you use these commands or routines without any prefix, the correct prefix is attached to the name. 
If you choose to use a "FILE:" prefix for the set and delete keytab routines, use "WRFILE" so that the write routines are included in the write krb5_kt_ops data structure:

  sec_key_mgmt_set_key(authn_service, arg = "WRFILE:c:\tmp\crispy", principal_name, key_vno, keydata, err)
  sec_key_mgmt_delete_key(authn_service, arg = "WRFILE:c:\tmp\crispy", principal_name, key_vno, err)

The routine sec_key_mgmt__resolve_mode() is where the operations on the keytab file will be included. FILE is for read-only; WRFILE is for write. The routine first sets a prefix variable, depending on whether the operation is read-only or write: 'prefix' is set to either FILE or WRFILE. It then makes the first call to krb5_kt_resolve() with the name of the keytab. If the keytab name has no prepended string, the call returns a KRB5_KT_BADNAME error, and the routine constructs a new keytab variable with the prefix included. The next call to krb5_kt_resolve() will get whatever operations are needed. The sec_key_mgmt_get_key() function works with or without the prepended "FILE:" since the operation on the keytab file is read-only.

=====================================================
5.10 Changes required to use OSF DCE 1.0.3 ACL managers with DCE 2.2

Customers who have built ACL managers from the example code provided with OSF DCE 1.0.3 will need to make changes to the daclmgr.h file and to the applications that use the ACL manager before they can be run on later versions of DCE.

1. Change daclmgr.h: Replace the data type rpc_authz_cred_handle_t with sec_id_pac_t in the API prototypes - sec_acl_mgr_is_authorized and sec_acl_mgr_get_access - as follows:

   extern void DCEAPI sec_acl_mgr_get_access(
   #ifdef IDL_PROTOTYPES
       /* in */ sec_acl_mgr_handle_t sec_acl_mgr,
       /* in */ rpc_authz_cred_handle_t *accessor_info,  <-This line becomes
       /* in */ sec_id_pac_t *accessor_info,             <-this line.
       /* in */ sec_acl_key_t sec_acl_key,
       /* in */ uuid_t *manager_type,
       /* in */ sec_id_t *user_obj,
       /* in */ sec_id_t *group_obj,
       /* out */ sec_acl_permset_t *net_rights,
       /* out */ error_status_t *st
   #endif
   );

   extern boolean32 DCEAPI sec_acl_mgr_is_authorized(
   #ifdef IDL_PROTOTYPES
       /* in */ sec_acl_mgr_handle_t sec_acl_mgr,
       /* in */ sec_acl_permset_t desired_access,
       /* in */ rpc_authz_cred_handle_t *accessor_info,  <-This line becomes
       /* in */ sec_id_pac_t *accessor_info,             <-this line.
       /* in */ sec_acl_key_t sec_acl_key,
       /* in */ uuid_t *manager_type,
       /* in */ sec_id_t *user_obj,
       /* in */ sec_id_t *group_obj,
       /* out */ error_status_t *st
   #endif
   );

2. In the application, change the variable rdaclif_v0_0_epv_t to rdaclif_v1_0_epv_t.

3. In the application, change the variable rdaclif_v0_0_s_ifspec to rdaclif_v1_0_s_ifspec.

=====================================================
5.11 Establishing the intercell trust relationship

If the rgy_edit cell or dcecp registry connect command is issued, but one of the cells still has a pre-existing krbtgt entry for the other cell in its registry (from a previous trust configuration), the command may appear to succeed. However, authenticated intercell access will fail because the keys for the two krbtgt entries are now out of sync.

This situation can be detected by doing a full view on each of the two krbtgt accounts created for intercell. The accounts are named krbtgt/ and one is created in each cell's registry to allow intercell access to the other cell. If the creation time on this krbtgt account for the foreign cell is different from the last change time, it is likely that this entry is not valid.

To recover from this situation, delete the krbtgt account and principal for the foreign cell. This must be done in each cell. Then reissue the rgy_edit cell or dcecp registry connect command.
The krbtgt account and principal can be removed using the following dcecp commands:

  dcecp -c account delete krbtgt/
  dcecp -c principal delete krbtgt/

=====================================================
5.12 Intercell Access from OSF DCE 1.2.2 Clients

Vendor implementations of DCE at the OSF 1.2.2 level generally implement a new restriction for accessing foreign cells. For a DCE client to access a foreign cell, the intercell surrogate account for the foreign cell in the local registry (named krbtgt/foreign_cellname) must have its "acctvalid" flag set to "yes". Otherwise, access to the foreign cell will be denied.

Although DCE for Windows NT 2.2 is at the OSF DCE 1.2.2 level, it does not enforce this restriction. However, other vendors' implementations of OSF DCE 1.2.2 may enforce it.

To allow intercell access, the cell administrator can use the following dcecp command to change the "acctvalid" flag to "yes" for an existing intercell surrogate account:

  dcecp -c account modify krbtgt/ -modify \
  { acctvalid yes }

When establishing a new intercell relationship, the cell administrator can use the "-acctvalid" and "-facctvalid" flags of the dcecp "registry connect" command to automatically set the "acctvalid" flags to yes on the intercell surrogate accounts.

=====================================================
5.13 Extended Registry Attribute Limitations

When creating an extended registry attribute (ERA) schema, the "unique" attribute (sec_attr_sch_entry_unique) is advisory only. Even if this attribute is set to "yes" for an ERA schema, it behaves as if it were set to "no". The DCE code does not check or enforce the uniqueness of the ERA value attached to objects.

When creating an ERA schema, the "applydefs" attribute (sec_attr_sch_entry_use_defaults) is advisory only. Even if this attribute is set to "yes" for an ERA schema, it behaves as if it were set to "no". The DCE code does not provide a default value for an ERA if the ERA is not explicitly attached to an object.
When creating an ERA schema, the "intercell" attribute is advisory only. Even if this attribute is set to "accept" (sec_attr_intercell_act_accept) or "evaluate" (sec_attr_intercell_act_evaluate), it behaves as if it were set to "reject" (sec_attr_intercell_act_reject). The DCE code will discard all ERA values for a principal, group or organization when a principal's EPAC is used for intercell access. When creating an ERA schema, the "confidential_bytes" value for the "encoding" attribute is not implemented. Setting an ERA schema's "encoding" attribute to "confidential_bytes" (sec_attr_enc_confidential_bytes) has the same behavior as "bytes" (sec_attr_enc_bytes). Handling of "attribute set" encoding for ERA schemas is not completely supported. Setting attr_set (sec_attr_enc_attr_set) encoding in an ERA schema allows for grouping a set of schema uuid under one unique uuid. The sec_rgy_attr_lookup_by_id() API currently behaves like sec_rgy_lookup_no_expand(). The seamless expansion of the attribute set into its components is not currently supported. When creating an ERA schema, the "update" value (sec_attr_trig_type_update) for the "trigtype" attribute is not implemented. Update triggers for ERA schemas give the ability to check with a registered server before an ERA value is updated, but this function is not yet implemented. ===================================================== 5.14 Aggregate Principal/Group/Organization Limitations This release of DCE does not support moving an aggregate pgo to be a descendant of itself. 
For example, the following sequence of registry operations is not allowed:

  dcecp -c group create foo/bar
  dcecp -c group create foo
  dcecp -c group rename foo -to foo/xyz

=====================================================
5.15 DCE rdacl() Interface Limitations

If you are developing an ACL manager that uses the DCE rdacl interface, you need to be aware that the DCE rdacl interface does not support permissions for owners of objects (specified in user object and group object access control list entries). Therefore, when you use the dce_acl_register_object_type API to register your ACL manager with the DCE rdacl interface, do not specify the following flags:

  dce_acl_c_has_owner
  dce_acl_c_has_groups

The reason you should not specify these flags is that they allow users to add user object and group object entries to the objects managed by your ACL manager. Since the DCE rdacl interface (which your ACL manager is using) does not support these entries, having users add these entries to your objects will cause problems.

If you want to develop an ACL manager that supports user object and group object entries, you must develop your own rdacl interface rather than using the DCE rdacl interface.

=====================================================
5.16 GSSAPI Intercell Limitation

The DCE implementation of GSSAPI does not allow a context initiator to delegate credentials across a cell boundary. Attempting to delegate across cells will cause the gss_accept_sec_context() call in the foreign cell to fail.

=====================================================
5.17 Principal Name Caching

The DCE Security client runtime maintains a cache of mappings between principal names and UUIDs for each authenticated process. This mapping can cause confusion for long-running programs if a principal is deleted and then recreated with the same name during the life of the process. Because of this cache, such a process may obtain the old UUID for the principal, which can cause unexpected results.
The cache can be cleared by stopping and re-starting the process.

=====================================================
5.18 OSF 1.2.2 Public Key Notes and Problems

=====================================================
5.18.1 Windows NT Support for OSF DCE 1.2.2 Public Key

The DCE for Windows NT 2.2 client does not support authentication using the OSF DCE 1.2.2 Public Key protocol. This protocol has been superseded by the Public Key Certificate protocol.

The DCE for Windows NT 2.2 client does allow the administrator to use dcecp commands associated with OSF DCE 1.2.2 Public Key for administration of public key users. However, the format of the file containing a user's private key is platform specific. It must be generated on a system of the same type as the one on which it will be used.

The DCE for Windows NT 2.2 Security server does support the OSF DCE 1.2.2 Public Key protocol. It will service public key requests from clients which are based on OSF DCE 1.2.2 and support this function.

=====================================================
5.18.2 Incorrect dcecp commands for generating public key accounts in the DCE Administration Guide: Core Components

In the section titled "Creating and Maintaining Principals, Groups and Organizations", under the topic "DCE Authentication" of the DCE Administration Guide: Core Components, incorrect dcecp commands are given in steps 2 and 3 under "Enabling the Public Key Authentication Protocol".

The correct dcecp command for step 2b is:

  dcecp> account modify krbtgt/ -pkgenprivkey \
  > -mypwd
  dcecp>

The correct dcecp command for step 3 is:

  dcecp> account create \
  -group \
  -mypwd \
  -organization \
  -password \
  -pkmechanism \
  -pkkeycipherusage \
  {{generatekey } {newpassphrase }} \
  -pksignatureusage \
  {{generatekey } {newpassphrase }}

This release supports modulus sizes ranging from 512 to 1024. For normal users, the recommended modulus size for generating a public key pair is 768 bits.
For long-term applications, a 1024 bit modulus is advisable. The only modulus size which is supported for the local cell krbtgt account is 1024.

=====================================================
5.18.3 Incorrect dcecp command for modifying a principal and attaching a pre_auth_req ERA specifying third-party preauthentication

In the section titled "Creating and Maintaining Principals, Groups and Organizations," under the topic "DCE Authentication" of the DCE Administration Guide: Core Components, the incorrect dcecp command is given for modifying a principal and attaching a pre_auth_req ERA specifying third-party preauthentication. This occurs near the end of the "Managing User Authentication" subtopic.

The correct dcecp command is:

  dcecp> principal modify -add {pre_auth_req 2}

=====================================================
5.18.4 Missing example for using dcecp "account modify" to change the public key password phrase

In the section titled "Creating and Maintaining Principals, Groups and Organizations," under the topic "DCE Authentication" of the DCE Administration Guide: Core Components, an example for using the dcecp "account modify" command to change the public key password phrase should be given. This occurs in step 4 under "Enabling the Public Key Authentication Protocol".

The appropriate example is:

  dcecp> account modify name \
  -pkkeycipherusage {{oldpassphrase } \
  {newpassphrase }} \
  -pksignatureusage {{oldpassphrase }}

=====================================================
5.19 Public Key Certificate (PKC) Login Notes and Problems

=====================================================
5.19.1 Required Entrust Technologies Products

Entrust products are only required if you plan to use the Public Key Certificate Login feature.
This feature requires the following:

  Entrust/Entelligence, Version 5.0.1 or later on each DCE Client which allows PKC Login

  Entrust/Entelligence, Version 5.0.1 or later on each DCE Security Server and Identity Mapping Server

The Entrust Public Key Infrastructure is not required on DCE systems, but must be available for issuing certificates to users. The recommended level of Entrust/PKI is Version 3.0 or later.

=====================================================
5.19.2 Draft Version of IETF PKINIT RFC

The PKC Login support in DCE for Windows NT 2.2 is based on an early 1998 draft version of IETF RFC 1510 - Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). Since this draft is not finalized, interoperability with future versions of PKINIT is not guaranteed.

=====================================================
5.19.3 dce_login -r

The dce_login -r command cannot be used to refresh expired DCE credentials unless the DCE password is provided. Using the Entrust user profile and passphrase for this refresh operation is not supported.

=====================================================
5.19.4 Integrated Login

Use of PKC Login with the Windows NT integrated login option is supported with the following known limitations:

- After a system reboot, the Windows NT login panel may display before Entrust and DCE have completely started on the system. If the user attempts to login during this time, the login will fail. Once Entrust and DCE have started on the system, the user will be able to login using their Entrust user profile and passphrase.

- The Entrust passphrase is not automatically updated when the Windows NT and DCE password are changed. It must be updated separately using Entrust tools.
=====================================================
5.20 DCE/Kerberos Interoperability Enhancements

=====================================================
5.20.1 GSSAPI Interoperability Enhancement

The DCE GSSAPI component has been enhanced to support the following DCE/Kerberos interoperability scenarios:

* Over-the-wire interoperation between Kerberos gss_init_sec_context and DCE gss_accept_sec_context with all flags and parameters supported.

* Over-the-wire interoperation between DCE gss_init_sec_context and Kerberos gss_accept_sec_context with all flags and parameters supported except for GSS_C_DELEG_FLAG.

* Over-the-wire interoperation between Kerberos gss_seal and DCE gss_unseal with all flags and parameters supported.

* Over-the-wire interoperation between DCE gss_seal and Kerberos gss_unseal with all flags and parameters supported.

To support these interoperation scenarios DCE now supports a new mechanism type: GSS_MECH_MIT_KRB5. This mechanism type has the same OID value and behavior as gss_mech_krb5, which is the default mechanism type used by Kerberos V5 Release 1.

For backwards compatibility, DCE for Windows NT still supports GSS_C_OID_KRBV5_DES, which is the Kerberos mechanism type that was provided with earlier releases of DCE. However, the GSS_C_OID_KRBV5_DES mechanism type will no longer interoperate with any unmodified release of Kerberos V5.

The new GSS_MECH_MIT_KRB5 mechanism type is supported by each GSSAPI API that has a mechanism type parameter. The following lists these APIs and provides information on how to use the GSS_MECH_MIT_KRB5 mechanism type with these APIs:

* gss_accept_sec_context (output actual_mech_type parameter)
  Returns GSS_MECH_MIT_KRB5 if the context was accepted from an initiator that was using the Kerberos V5 mechanism.

* gss_acquire_cred (input desired_mechs parameter)
  If acquiring a GSS_C_INITIATE or GSS_C_BOTH type credential that will be used to initiate a context with an acceptor that uses the Kerberos V5 mechanism, specify GSS_MECH_MIT_KRB5.
  Note: If acquiring a GSS_C_ACCEPT type credential, the mechanism type parameter is not used. This is true for all mechanism types.

* gss_display_status (input mech_type parameter)
  If displaying status from a context that is using the Kerberos V5 R1 mechanism, specify GSS_MECH_MIT_KRB5.

* gss_indicate_mechs (output mech_set parameter)
  Returns a mechanism set containing GSS_MECH_MIT_KRB5 as one of the mechanisms supported by DCE GSSAPI.

* gss_init_sec_context (input mech_type parameter)
  Specify GSS_MECH_MIT_KRB5 if initiating a context with an acceptor that uses the Kerberos V5 mechanism.

* gss_inquire_cred (output mech parameter)
  If the credential can be used to initiate a context with a Kerberos V5 acceptor, returns a mechanism set containing GSS_MECH_MIT_KRB5.

* gssdce_login_context_to_cred (input desired_mechs parameter)
  If acquiring a credential that will be used to initiate a context with a Kerberos V5 GSSAPI acceptor, specify GSS_MECH_MIT_KRB5. (More than one mechanism type can be specified.)

=====================================================
5.20.2 Support for postdated TGTs

The kinit command supports new options to allow a TGT to be postdated and validated. The new kinit options are:

  -s start_time
        Set the ticket valid time to the time specified by start_time. The start_time may be specified in various time formats including the following:

          hh:mm
          hh:mm:ss
          yy:mm:dd:hh:mm
          yy:mm:dd:hh:mm:ss

  -V    Validate a postdated ticket. The user account must enable the postdatedtkt option. The -V option will not succeed until after the time specified in start_time.
=====================================================
5.21 Starting a Client Configured As a Security Replica When CDS Master and Replicas Are Unavailable

If no CDS Master or replica is available, you may be unable to restart DCE on a client on which a Security replica resides. To start DCE services, do the following:

1. Start the DCE Security server service by hand:

   a) Bring up the system Control Panel and select Services.
   b) Select DCE Security Server Service.
   c) In Startup Parameters, enter " -b" as an argument to the DCE Security server. This brings up the DCE Security server in bootstrap mode.
   d) Click the Start button.

2. Start the rest of the configured DCE components from the command line:

     dcecp start.dce

=====================================================
6.0 DTS Problems and Notes

=====================================================
6.1 Time Drift if DTS Stopped Abnormally

If the time service aborts abnormally or is forcefully terminated by the user, the system clock adjustment rate may remain at an inappropriate value, resulting in the system clock gaining or losing time. The general way to avoid this problem is for the DCE user to rely exclusively on DCEsetup to start and stop the DTS service. Once in this state, reactivation of the DTS service should correct it.

=====================================================
6.2 Manual Time Synchronization Required After Restarting DCE

The time synchronization option is designed to synchronize local time with cell time during configuration. If you stop and then restart DCE and discover that the time is drifting, you need to manually resynchronize the time.

=====================================================
6.3 Some DTS Error Messages Not Logged to Serviceability Logs

Error messages logged by the utc component of DTS will not appear in DCE serviceability logs. They will only appear in the Windows NT event log.
===================================================== 6.4 Synchronization Delays with Time Providers For IBM DCE for Windows NT, Version 2.2, the default value for the DTS syncinterval attribute has been changed from two minutes to one day. This is done to reduce network traffic. As a result, the NTP and Null Time Providers may experience delays in synchronizing with the other servers. In order to expedite this synchronization, you can execute the following command: dcecp> dts modify -syncinterval +0-00:02:00.000I429.497 Alternatively, you can issue a manual synchronization using dtscp synch. Its value can be displayed and modified through the dcecp dts administration object. ===================================================== 6.5 DTS Daemon May Not Come Up After Migrating From Version 1.1C The first time that DCE is started after migrating from V1.1C, DTSD may not stay up. Restart DCE and the DTSD will stay up correctly. ===================================================== 6.6 DTS Null Time Provider Does Not Get Detected To prevent failure to detect the DTS Null Time Provider, start the Null Time Provider before starting the DTS daemon. ===================================================== 7.0 RPC Problems and Notes ===================================================== 7.1 "Not an RPC Tower" Errors on non-Windows NT DCE Platforms Certain existing Windows NT 4.0 services (which are not DCE services) make use of Microsoft Windows NT protocols IPX/SPX. Further, these services register their IPX/SPX endpoints with rpcss. These services are started automatically at boot time. Several non-Windows NT DCE implementations have a bug in their RPC runtime code that causes these platforms to fail when acquiring endpoints from the endpoint map stored within rpcss on Windows NT 4.0. The bug is due to the inability of the RPC runtime on these platforms to ignore transport protocols (such as IPX/SPX) that the operating system does not support. 
Due to this problem, such DCE implementations can fail to participate as DCE clients, or in a split-server configuration when either the Security server or CDS server (or both) are running on Windows NT 4.0. Since the solution to this problem lies in fixing the DCE implementations on non-Windows NT platforms, we recommend that customers who encounter this problem approach the appropriate vendors for a solution. As a workaround, we suggest that you modify your Windows NT 4.0 network configuration to remove IPX/SPX protocol stack using the Network applet in the Control Panel. ===================================================== 7.2 Dynamic Loading and Unloading of DCE for Windows NT DLLs Not Supported Dynamic loading and unloading of DCE for Windows NT DLLs from an application is not supported by DCE for this version. ===================================================== 7.3 IBM DCE for Windows NT, Version 2.2.3, and ECO3 RPC Changes Changes to the RPC code have been made to enable RPC to run on Windows 2000. All changes are transparent to the user. The user interfaces did not change. However, note that the new security architecture of RpcEpUnregister() in Windows 2000 does not allow one process to unexport endpoints exported by another process. RPCSS tidies up endpoints when a process dies or terminates on Windows 2000. RpcEpUnregister() is called by DCE API rpc_mgmt_ep_unregister(). The same problem exists in rpc_mgmt_ep_unregister(). ===================================================== 8.0 IDL Problems and Notes ===================================================== 8.1 DCE Applications Should Be Built with __STDC__ Defined If a DCE application is built without __STDC__ defined, then the function prototypes contained in IDL-generated header files will be compiled without the argument lists, and the function declarations for those routines must be written without the argument lists. 
=====================================================
8.2 Use of MFC Classes Structures is not Supported in IDL Files

Because of a conflict in the IDL and MFC header files, using MFC structures within IDL files is not currently supported.

=====================================================
8.3 IDL encoding/decoding service

If the IDL encoding/decoding service is used to preserve data in a file, the file must be opened in binary mode for write and read operations; otherwise, the data may not be fully recoverable.

=====================================================
8.4 The Include Path Contains Directory Names with Spaces

The IDL compiler may encounter problems when the include path contains directory names with spaces. For example:

  c:\Program Files\msdev\include

To avoid this problem, use the short file name for the directory, in this case:

  c:\Progra~1\msdev\include

=====================================================
9.0 Examples Problems and Notes

=====================================================
9.1 Examples and Visual C++ 4.x

By default, the makefiles provided with the xidl example programs assume that you are running Visual C++ Version 5.0. If you are running Version 4.x, see the README file provided with each example for information on how to build the example using Visual C++ Version 4.x.

=====================================================
9.2 Hardcoded Device Drive in generic_app Example

The example program demo/generic_app hardcodes the KEYTAB variable for WIN32 as "c:/temp/sample_keytab". The error message "Can't find keytab file" results when running the server if the /temp dir resides on a different disk... or the program is executed on a different disk.

=====================================================
10.0 Serviceability Problems and Notes

=====================================================
10.1 Debug Messaging is Only Partially Supported

dce_svc_debug_set_levels() is not supported.
dce_svc_printf() should be used only for production messages, not for debug messages.

=====================================================
10.2 Routing Messages to a Log File

When routing messages to a log file, if the log file is specified with a full path name, the directory must exist. DCE will create the file if it does not exist, but it will not create the directory.

=====================================================
10.3 dce_svc_register() vs. DCE_SVC_DEFINE_HANDLE

If an application is using advanced serviceability functions, such as filtering with dce_svc_filter(), dce_svc_register() should be used, not DCE_SVC_DEFINE_HANDLE. DCE_SVC_DEFINE_HANDLE does not actually register the handle; it simply defines the data structures.

=====================================================
10.4 Compiling and Linking Applications with Visual C++

Programs that call serviceability functions must be compiled with the /MD option. See the serviceability example programs in the ADK for sample makefiles.

=====================================================
11.0 Internationalization Problems and Notes
=====================================================
11.1 Selecting Cultural Conventions During Install

When you select the cultural conventions, DCE sets the XPG4 LANG environment variable appropriately. If you do not explicitly select cultural conventions, DCE will not alter your environment. You can set LANG yourself later, or rely on the DCE default behavior. See the Internationalization sections of the DCE documentation for detailed information on settings and default behavior.

When making a selection in the Cultural Conventions dialog box using the arrow keys, each item is checked (selected). However, multiple selections are not allowed in this dialog box. Although it appears that multiple items are selected, only the item that is highlighted when the Next button is pressed is actually selected. There is no such anomaly when the mouse is used for selection.
The actual selection can be verified in the Start Copying files dialog box.

=====================================================
11.2 DCE control programs and commands

dcecp is the standard control program for DCE, and it has been designed to support a variety of country environments. As noted in the DCE documentation, dcecp replaces several older control programs (cdscp, dtscp, rpccp, acl_edit, rgy_edit, sec_admin). These older programs were not designed for international use, and may give unexpected or undesired results when used in non-English environments.

While dcecp supports non-English data, there are some restrictions. dcecp string handling commands, such as string range, have byte-based, not character-based, semantics. They may give undesired results when used on characters outside of the DCE Portable Character Set.

=====================================================
11.3 DCE Install Directory

The name of the directory in which DCE is installed must not contain characters outside of the DCE Portable Character Set.

=====================================================
11.4 Integrated login and DCE Internationalization

If you are using the integrated login feature and you are not using English, the XPG4 and DCE environment variables must be set before the operating system is re-booted in order for DCE character data and messages to be handled and displayed correctly during login.

=====================================================
11.5 Entrust Messages

Messages provided by the Entrust Public Key infrastructure are not translated to all of the languages supported by DCE. At times, a non-English version of DCE may display an English message when using the Public Key certificate login.

=====================================================
11.6 PKC Login with Double-Byte Character Sets (DBCS)

Mapping Entrust users to DCE principals which include DBCS characters is not supported by Public Key Certificate Login.

=====================================================
11.7 Components that don't support internationalization

The DCE Director and Visual ACL Editor are designed to run on US English versions of Windows NT only. Undesirable results may occur if used on other versions of Windows NT.

=====================================================
11.8 Installing in a language other than English

The installation program allows you to choose a language other than English in which to run the installation program. The additional languages available are Brazilian Portuguese, French, German, Italian, Japanese, Korean, Simplified Chinese, Spanish and Traditional Chinese. The language of the installation program will change to the language you choose. The names of all folders and icons installed on your system will be in the same language as the installation.

=====================================================
11.9 Installing translated versions of DCE

The US English version of DCE is always installed on your system regardless of the DCE translation chosen during install. If translations other than English are chosen during install, the additional translated messages, helps, dialogs and publications will also be installed.

An additional language documentation folder is installed for each additional translation installed. This folder contains icons for all translated publications. If a particular publication is not translated, no icon will be installed in the language documentation folder. Icons in any other folder for documentation are links to the English files.

Translations are available in Brazilian Portuguese, French, German, Italian, Japanese, Korean, Simplified Chinese, Spanish and Traditional Chinese.

The language that DCE runs in is controlled by the LANG environment variable. For example, setting the LANG environment variable to itit1252 will cause the Italian translations to be used.
Setting the LANG environment variable to jajp932 will cause the Japanese translations to be used. For more information about the LANG environment variable, see the Modifications to Internationalization section of the DCE Enhancements help file.

=====================================================
11.10 Windows NT Code Page Considerations

Windows NT defines two types of code pages. The OEM code pages are the traditional MS-DOS/IBM-PC code pages, such as code page 437 and 850. The ANSI code pages, such as code page 1252, are more similar to the ISO standard code sets. For Asian code pages, such as code page 932, there is no difference between the OEM and ANSI code pages.

Windows NT generally uses the OEM code pages in console sessions and the ANSI code pages in Windows. When you start a program from the command line in a console session, Windows NT automatically converts any command line parameters from the OEM code page encoding to an ANSI code page encoding.

If you are using non-English characters with DCE commands such as dcelogin and dcecp, you must be aware that data which is passed to DCE will be encoded in ANSI code pages if it is entered on the command line, but it will be encoded in OEM code pages if it is entered on DCE prompts.

For example, if you are using the extended character set for PGO names, and you create a registry which contains ANSI-encoded principal names, you should use dcelogin with the principal name on the command line. If you create a registry with OEM-encoded names, you should allow dcelogin to prompt you for the principal name.

These considerations do not apply if you are using Asian data because the OEM and ANSI code pages are equivalent.

For more internationalization information see the DCE Enhancements help file.
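
The entry-path difference described in section 11.10 and the byte-based string semantics described in section 11.2, as an added Python example (not part of the IBM README or of DCE). The code pages chosen (cp850 as OEM, cp1252 as ANSI, cp932 for Japanese), the sample names and every function name are assumptions for illustration; byte_range only emulates a byte-based range and does not call dcecp.

```python
"""OEM vs ANSI encodings of principal names, and byte-based string ranges."""

# Constructed sample names; only "cell_admin" stays inside plain ASCII.
SAMPLE_NAMES = ["cell_admin", "José", "Müller", "山田"]


def entry_path_bytes(name, oem="cp850", ansi="cp1252"):
    """Bytes handed to DCE for `name`, by entry path.

    Per section 11.10, command-line parameters arrive ANSI-encoded and
    text typed at a DCE prompt arrives OEM-encoded.
    """
    return {"command_line": name.encode(ansi), "prompt": name.encode(oem)}


def path_sensitive(name, oem="cp850", ansi="cp1252"):
    """True when the two entry paths produce different bytes for `name`."""
    encoded = entry_path_bytes(name, oem, ansi)
    return encoded["command_line"] != encoded["prompt"]


def misread(name, stored_as, read_as):
    """How a name stored in one code page displays when read in the other."""
    return name.encode(stored_as).decode(read_as, errors="replace")


def byte_range(name, codepage, first, last):
    """Emulate a byte-based range (inclusive indices) over encoded text.

    Returns (raw_bytes, text). text is None when the slice cuts through
    a multi-byte character and no longer decodes in that code page.
    """
    chunk = name.encode(codepage)[first:last + 1]
    try:
        return chunk, chunk.decode(codepage)
    except UnicodeDecodeError:
        return chunk, None


def audit_names(names, oem="cp850", ansi="cp1252"):
    """Sort names by whether the entry path changes the bytes DCE sees."""
    report = {"portable": [], "path_sensitive": [], "unencodable": []}
    for name in names:
        try:
            sensitive = path_sensitive(name, oem, ansi)
        except UnicodeEncodeError:
            # The name cannot be represented in these code pages at all.
            report["unencodable"].append(name)
            continue
        report["path_sensitive" if sensitive else "portable"].append(name)
    return report


if __name__ == "__main__":
    for name in SAMPLE_NAMES[:3]:
        print(name, entry_path_bytes(name))
    print("OEM bytes read as ANSI:", misread("José", "cp850", "cp1252"))
    print("ANSI bytes read as OEM:", misread("José", "cp1252", "cp850"))
    print("Western code pages:", audit_names(SAMPLE_NAMES))
    print("Japanese code page:", audit_names(["山田"], "cp932", "cp932"))
    print("3-byte range of a 4-byte name:", byte_range("山田", "cp932", 0, 2))
```

Names reported as path_sensitive are the ones for which the registry encoding decides whether the name must be given on the command line or typed at the prompt.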

=====================================================
12.0 Visual ACL Editor and DCE Director Problems and Notes
=====================================================
12.1 Policy and Organization Restrictions

You cannot change the organization attribute of an account, and you cannot set policies such as minimum password length.

=====================================================
12.2 Concurrent Access to Security Registry Entries

While DCE Director is accessing Security registry entities (principals, accounts, groups, and so forth), operations referencing these entities fail if the entries are deleted from the registry by another DCE user.

=====================================================
12.3 Create Group Option in User Account Dialog Boxes Update Delay

After creating a new group from the User Account dialog boxes, there is no immediate update to the group page or UNIX page. When you select a new page from the view or modify dropdown list, or press OK to proceed, the new group is added to the group page and the UNIX page.

=====================================================
12.4 DCE Director Failure When DCE Has Not Been Properly Configured

If DCE has not been properly configured and you try to start DCE Director, the application fails, but you may not receive any error messages.

=====================================================
12.5 Multiple Copies of the Same View Allowed

DCE Director allows the same view to be shown multiple times.

=====================================================
12.6 DCE Director Servers Display Contains Extraneous Characters in Title Bar

Extraneous characters appear in the title bar of the DCE Director Servers display, as shown below:

    CDS servers display:       0^C*Status Host
    Security servers display:  X|*Status Host
    Time servers display:      |_-Status Host

=====================================================
12.7 Access Violation When Looking Up Time Server Details in GMT Time Zone

When a DCE for Windows NT configuration is running in the GMT time zone, DCE Director currently generates an access violation when a user looks up details of Time Servers in a DCE Cell.

=====================================================
12.8 Displaying ACLs with More Than Eight Permissions May Cause Exception

If you are editing an ACL belonging to a user-written ACL Manager that supports more than eight permissions, the display width required may be larger than expected by the Visual ACL Editor. If this is the case, the Visual ACL Editor causes an exception and does not display the ACL. To edit the ACL, use the ACL edit program (acl_edit) supplied with the DCE for Windows NT kit.

=====================================================
12.9 Visual ACL Editor Failure When DCE Not Properly Configured

If your machine has not been properly configured for DCE, and you try to start the Visual ACL Editor, you may get the following error message:

    An application error has occurred and an application error log is being generated.

To correct the problem, you need to configure DCE properly on your machine.

=====================================================
13.0 Documentation Problems and Notes
=====================================================
13.1 dcecp server stop Command Restriction Not Documented

The dcecp server stop command, as documented in the online help file OSF DCE Command Reference, does not support the soft and error methods for server termination on Windows NT.
On UNIX implementations, the soft method is used to send a SIGTERM signal to a server, and is a convenient way to signal the server to attempt an orderly shutdown. On Windows NT, the soft, hard, and error methods of shutdown all result in a similar hard shutdown.

=====================================================
13.2 Correction to DCEsetup Log File Creation and Archiving Process

The DCEsetup help file incorrectly describes how DCEsetup deals with the log file as it continues to grow. The file is not automatically saved when it reaches a certain size. Instead, the user is asked to exit and restart DCEsetup, at which point a new log file is created.

=====================================================
13.3 Correction to the OSF DCE Documentation for the Password Strength Server

The description of the Password Strength Server and Password Generation in the OSF DCE Administration Guide - Core Components should be modified from the following:

    dcecp> principal create smitty -attribute {{pwd_val_type 2}\
           {pwd_mgmt_binding \
           {dce /.:/pwd_strength pktprivacy secret name} \
           {/.:/pwd_mgmt/pwd_strength}}}}

to:

    dcecp> principal create smitty -attribute {{pwd_val_type 2}\
           {pwd_mgmt_binding \
           {{dce /.:/pwd_strengthd pktprivacy secret name} \
           { /.:/subsys/dce/pwd_mgmt/pwd_strengthd}}}}

Notice the server name ends with 'd', the pwd_mgmt_binding object name is different, and double braces should be used ({{ instead of {) after the following:

    pwd_mgmt_binding

The example in the Generating Passwords with dcecp topic is incorrect. It should be:

    dcecp> account modify smitty -password $p -mypwd -dce-

instead of:

    dcecp> account modify smitty -password $p -mycurrentpwd -dce-

=====================================================
13.4 Customer-defined Serviceability Component Names

The XPG4 topic in the DCE Enhancements help file discusses internationalization issues, but does not fully describe two serviceability issues:

1.
You should be aware of Open Group/OSF DCE RFC81.1 which explains that you have to register serviceability component names with the Open Group/OSF.
2. If you are passing status through the Windows NT exception mechanism, be sure that bit 28 of the status code is clear.

=====================================================
13.5 Modification to the OSF DCE Documentation for EMS

The section on "Using a Routing File" in the OSF DCE Application Development Guide - Core Components should include the following information for EMS:

* outform (output form) - In addition to BINFILE, TEXTFILE, FILE, DISCARD, STDOUT, and STDERR, EMS can be specified as an output form. When EMS is specified, messages are sent as events to EMS.
* dest (destination) - If EMS is specified as an output form, the destination field can be left blank.

The section on "Table of Message Processing Specifiers" in the OSF DCE Application Development Guide - Core Components should include a row for EMS where the meaning is "Send messages as events to EMS."

=====================================================
13.6 Missing Links to Helps from the DCE Director GUI

When "Users" is the selected object, the link to the appropriate help panel from the Create DCE User Account dialog box is not active in the DCE Director GUI. To access the appropriate help, do the following:

1. Select Contents from the Help pull-down.
2. In the contents page of the DCE Director Helps, select "Create DCE User Account Dialog Box (Name and Password)" under the headings About The...Dialog Boxes.

When "Users" is the selected object, pressing F1 while in the "DCE Login" dialog box will not link to a help panel. However, clicking on Help will access the appropriate help panel.

=====================================================
14.0 General Problems and Notes
=====================================================
14.1 Pthreads APIs

These pthreads APIs are not supported in the IBM DCE for Windows NT, Version 2.2 product:

    pthread_attr_setsched/pthread_attr_getsched
    pthread_setscheduler/pthread_getscheduler
    pthread_attr_setprio/pthread_attr_getprio
    pthread_setprio/pthread_getprio
    pthread_attr_getguardsize_np/pthread_attr_setguardsize_np
    pthread_attr_setinheritsched/pthread_attr_getinheritsched

Calling one of the above routines will return a -1 and set errno to ENOSYS.

pthread_attr_setstacksize does not change the stack size of newly created threads. pthreads threads on Windows NT are created with their stack size set to the same size as the primary thread of the process they are created in. The stack size grows as needed.

=====================================================
14.2 Error Codes for DCE for Windows NT Differ From Other Platforms

Error codes for an application using DCE for Windows NT will differ from those for applications using DCE on AIX, OS/2, or other OSF platforms. Error codes generated for DCE on Windows NT will be of the form 0x0xxxxxxx. Error codes for the other platforms will be of the form 0x1xxxxxxx.

=====================================================
14.3 Migration with Autostart

If you encounter a problem when migrating from V1.1 to V2.2, turn off the autostart of the daemons from Control Panel -> Services first and retry.

=====================================================
14.4 Multiple Hardware Configurations

The DCE Auto Start Service should be enabled or disabled using only DCEsetup or the dcecp configuration scripts provided. The modification of this setting using the Control Panel Services tab causes automatic startup problems if the machine is configured with multiple hardware configurations.
Using the Control Panel Services tab to enable or disable the DCE Auto Start Service is therefore not supported.

=====================================================
14.5 Use the -Gz Flag with the Visual C++ Compiler

All DCE applications built with the Visual C++ compiler must be compiled using the -Gz flag. Failure to use the -Gz flag when compiling may cause DCE applications and/or the DCE daemons to abort.

=====================================================
14.6 _cdecl function pointers

DCE for Windows NT 2.0 allowed pointers to functions declared using the _cdecl calling convention to be passed to DCE APIs, even though the API declarations specified pointers to _stdcall functions. This was due to a defect in the Microsoft Visual C++ v4.0 compiler.

DCE for Windows NT 2.2 was compiled using the Microsoft Visual C++ v5.0 compiler, in which this defect has been fixed. Therefore, applications that passed pointers to _cdecl functions to DCE APIs will have intermittent failures. These applications will need to be recompiled, passing only pointers to _stdcall functions, to work on DCE for Windows NT 2.2.

Applications that were compiled with the -Gz option (which forces all functions to be declared using the _stdcall calling convention), that do not use DCE APIs that accept function pointers, or that pass only pointers to functions declared with the _stdcall calling convention are not affected and do not need to be recompiled to run on DCE for Windows NT 2.2.

=====================================================
14.7 dced_object_read_all Failures

The dced_object_read_all() function is designed to return a list of buffers describing all of the objects under a given dced directory, such as hostdata and srvrexec. If the function fails to read any one of the objects, however, it is designed to return an error.
For example, if you attempt to read the several keytab files under the dced "keytab" object, but you lack ACL read permission for just one of the objects, dced_object_read_all() returns an error.

As a workaround, you can retrieve data for individual entities. For example, you can call dced_hostdata_read() for each hostdata entity. You can also list the entities, using, for example, the dcecp hostdata catalog command, and display the attributes of each one, as with the hostdata show command.

=====================================================
14.8 Silent Install

If you modify the setup.iss file, which is provided by DCE Runtime Services, by changing the last line from BootOption=0 to BootOption=3, and then use the file to do a silent install, the resulting setup.log file may end with ResultCode=12, indicating a "Dialogs are out of order" error. In this particular situation, the ResultCode can be ignored: the installation will have completed successfully. The problem does not occur if you leave BootOption=0. (Changing BootOption=0 to BootOption=3 causes your system to reboot after installation of DCE is finished.)

=====================================================
14.9 Dynamic allocation of tcpip hostnames

A DHCP environment may support dynamic allocation of tcpip hostnames. This is not supported by DCE.

=====================================================
14.10 Daylight Savings Time Issue for Some Time Zones

A problem present in the Microsoft C Runtime library causes problems for Windows NT systems running DCE in some European time zones (such as GMT+1 and GMT+2) when Daylight Savings Time ends. This problem occurs for one hour between 02:00 and 03:00 a.m. Contact your IBM representative to receive the fix for this problem.

=====================================================
15.0 IBM DCE for Windows NT, Version 2.2 README Addenda
=====================================================

The following sections contain additional changes and updates to the readme.txt file shipped with IBM DCE for Windows NT, Version 2.2.0.

=====================================================
15.1 IBM DCE Client for OS/2

The Quick Beginnings document states incorrectly that the IBM Distributed Computing Environment Client including Distributed File System for OS/2 Warp, Version 4.0 is included with the DCE for Windows NT, Version 2.2.

=====================================================
15.2 Entrust/Entelligence Limitation

The use of Entrust/Lite or the Entrust/PKI in "lite mode" with PKC Login is not supported.

=====================================================
15.3 Configuration of the Identity Mapping Server

When configuring a DCE Security Server to support Public Key Certificate Login, you must configure at least one Identity Mapping Server (IDMS) in the cell. For improved performance, we recommend configuring an IDMS on each Security Server. Using DCEsetup, you must explicitly select "Identity Mapping Server"; it is not automatically configured when you select "Certificate Based Login."

=====================================================
15.4 PKC Login with Reserved DCE Principals

Reserved DCE principals are not allowed to use Public Key Certificate Login. In DCE for Windows NT 2.2, principals which have the Reserved flag set include:

* the administrative id specified when the cell is initially configured,
* the krbtgt principal for the cell, and
* the self principal for the system which is the initial master security server.

One side-effect of this restriction is that you cannot supply the name of an Entrust user profile as the cell_admin id during DCE configuration.

=====================================================
15.5 Change in Auditing of Login Attempts

In previous versions of DCE, if the authorization mechanism for an audited event relied only on names, the event would never be properly audited when an invalid name (i.e., a string which is not a valid DCE principal name) was used. In this release, when any event that relies only on names for security (name-based authorized RPC, pre-authentication) is audited and given a non-DCE principal name, the event will be audited properly.

If the name that was used is a valid DCE principal name, the principal's UUID will be stored in the audit record as the "Client UUID". If the name provided is not valid, the client UUID will be set to all zeroes, the authorization status will be rpc_c_authz_name (displayed as "Authorized with a name" by dce_aud_print() and dcecp audtrail show), and the name will be stored as the first event specific item in the audit record.

This is not the default behavior for name-based authorization, but it has been enabled for AS_Request, TGS_TicketReq, TGS_RenewReq, and TGS_ValidateReq events.

Some Examples:

* A user logs in with dce_login and a non-DCE principal, giving an incorrect third-party protocol password. The audit record for that event (AS_Request 0x101) will contain: an outcome of failure, an authorization status of rpc_c_authz_name, a nil client UUID, and the only event-specific item will be the string that the user gave as the principal to dce_login.
* A user logs in using dce_login and a valid DCE principal, giving an incorrect third-party protocol password. The audit record for that event (AS_Request 0x101) will contain: an outcome of denial, an authorization status of rpc_c_authz_name, and a client UUID which identifies the principal name given to dce_login.
* A user logs in using dce_login and the name of an Entrust user profile, giving an incorrect Entrust passphrase for that profile.
  The audit record will contain an outcome of denial, and an authorization status of rpc_c_authz_name. If the Entrust profile name does not match a valid DCE principal name, the client UUID will be all zeroes and the profile name (given to dce_login) will be the only event-specific item in the audit record.
* A user logs in using dce_login and the name of an Entrust user profile, giving the Entrust passphrase for that profile. The audit record for that event (AS_Request 0x101) will contain an outcome of success and an authorization status of rpc_c_authz_name. If the Entrust profile name does not match a valid DCE principal name, the client UUID will be all zeroes and the profile name provided to dce_login will be the only event-specific item in the audit record.

The name stored in the audit record is the name the user supplied when he or she attempted to log in. If the name happens to be a valid DCE principal name, then the principal's UUID will be stored. Otherwise, the name will appear in the event-specific information. With PKC Login, if the Entrust user profile name is the same as any DCE principal name, the UUID for that principal will be stored as the client UUID in the audit record and there will be no event-specific information.

=====================================================
15.6 Auditing Name-Based Authorization

Application developers who will be auditing events which use name-based authorization should note that storing a non-DCE name as the first event-specific item is not the default behavior.

Name-based authorized events may be audited in two ways. If the client made a name-based RPC call, the server will have a binding handle which has the name the client used. This handle should be given to dce_aud_start(). Alternately, if the event does not have a binding handle, but has some identifying name for the client, that name should be given to dce_aud_start_with_name() as the "client" parameter.
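
The record contents described in section 15.5, turned into a triage routine that recovers the name behind each login attempt, as an added Python example (not part of the IBM README or of DCE). The AuditRecord layout, the outcome strings, the category labels, the sample records and the UUID-to-principal map are constructed for illustration; a real tool would fill these fields from the audit trail.

```python
"""Triage of AS_Request audit records following the rules in section 15.5."""
from collections import Counter
from dataclasses import dataclass, field

NIL_UUID = "00000000-0000-0000-0000-000000000000"
AS_REQUEST = 0x101  # event number quoted in section 15.5


@dataclass
class AuditRecord:
    # Hypothetical flattened view of one audit record; the field names are
    # assumptions and are not the DCE audit API's own structure.
    event: int
    outcome: str        # "success", "failure" or "denial"
    authz_status: str   # "rpc_c_authz_name" for name-based events
    client_uuid: str
    event_items: list = field(default_factory=list)


def attempted_name(rec, uuid_to_principal):
    """Return (name, is_dce_principal) for the name the user supplied.

    A nil client UUID means the name was not a valid DCE principal and is
    stored as the first event-specific item; otherwise the UUID identifies
    the principal and there is no name in the event-specific data.
    """
    if rec.client_uuid == NIL_UUID:
        return (rec.event_items[0] if rec.event_items else None), False
    return uuid_to_principal.get(rec.client_uuid, rec.client_uuid), True


def classify(rec):
    """Map one record onto the cases walked through in section 15.5."""
    nil = rec.client_uuid == NIL_UUID
    if rec.outcome == "success":
        return "login-unmapped-profile" if nil else "login"
    if rec.outcome == "failure" and nil:
        return "unknown-name"
    if rec.outcome == "denial":
        return "bad-secret-unmapped-profile" if nil else "bad-secret-principal"
    return "other"


def failed_attempts_by_name(records, uuid_to_principal):
    """Count unsuccessful AS_Request attempts per supplied name."""
    counts = Counter()
    for rec in records:
        if rec.event != AS_REQUEST or rec.outcome == "success":
            continue
        name, _ = attempted_name(rec, uuid_to_principal)
        counts[name] += 1
    return counts


# Constructed sample data (not taken from a real audit trail).
SMITTY = "5a1f0c2e-0000-4000-8000-00000000a001"
REGISTRY = {SMITTY: "smitty"}
AUTHZ = "rpc_c_authz_name"
SAMPLE = [
    AuditRecord(AS_REQUEST, "failure", AUTHZ, NIL_UUID, ["root"]),
    AuditRecord(AS_REQUEST, "failure", AUTHZ, NIL_UUID, ["administrator"]),
    AuditRecord(AS_REQUEST, "denial", AUTHZ, SMITTY),
    AuditRecord(AS_REQUEST, "denial", AUTHZ, SMITTY),
    AuditRecord(AS_REQUEST, "denial", AUTHZ, NIL_UUID, ["jdoe_profile"]),
    AuditRecord(AS_REQUEST, "success", AUTHZ, NIL_UUID, ["jdoe_profile"]),
    AuditRecord(AS_REQUEST, "success", AUTHZ, SMITTY),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(rec), attempted_name(rec, REGISTRY))
    print(failed_attempts_by_name(SAMPLE, REGISTRY).most_common())
```
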

To ensure the name given to dce_aud_start*() is put in the audit record, pass an additional bit flag to the dce_aud_start routines in the "options" parameter. A new bit flag has been defined in audit.h, called aud_c_evt_save_nondce_names. If this flag is passed to any of the dce_aud_start functions, a non-DCE name will be stored in the audit record as the first event-specific item.

=====================================================
15.7 dcecp Commands Not Supported by Slim Client

The following dcecp commands are not supported by Slim Client:

    aud disable
    aud enable
    aud help
    aud modify
    aud operations
    aud rewind
    aud show
    aud stop
    audevents catalog
    audevents help
    audevents operations
    audevents show
    audevents catalog
    audfilter catalog
    audfilter create
    audfilter delete
    audfilter help
    audfilter modify
    audfilter operations
    audfilter show
    audtrail help
    audtrail operations
    audtrail show
    ems
    emsconsumer
    emsevent
    emslog
    hostdata create
    hostdata delete
    hostdata help
    hostdata modify
    hostdata operations
    hostdata show
    keytab add
    keytab catalog
    keytab create
    keytab delete
    keytab help
    keytab list
    keytab operations
    keytab remove
    keytab show
    server catalog
    server create
    server delete
    server disable
    server enable
    server help
    server modify
    server operations
    server ping
    server show
    server start
    server stop

=====================================================
15.8 Additional Information on DCE for Windows 95

A CD labeled IBM Distributed Computing Environment ADK and Runtime Services for Windows 95 is provided with the complete DCE for Windows NT, Version 2.2 product. It is not provided with the packages that included either the DCE Runtime Services and ADK for Windows NT or the DCE Runtime Services for Windows NT separately.

The README file (readme.txt) for DCE for Windows 95 is located in the root (\) directory of that CD.

To install DCE Runtime Services and the DCE Application Development Kit for Windows 95:

1.
Insert the CD labeled IBM Distributed Computing Environment ADK and Runtime Services for Windows 95 in your CD-ROM drive. After a few moments, the Welcome window appears.
2. After reading the information in the Welcome window, click NEXT to continue.
3. In the Select Components window, click on the components you want to install.
   NOTE: DCE Runtime Services must be selected and is a prerequisite for installing any other components.
4. The default Destination Directory is C:\PROGRAM FILES\DCE. To change to a different drive or a different directory, click on BROWSE. Click NEXT to continue.
5. In the Cultural Conventions window, select a preferred cultural convention. Click NEXT to continue.
6. In the Start Copying Files window, review the installation information. If you want to change any settings, click Back to make the changes. Otherwise, click NEXT to start the process of copying files to your hard drive.
7. The Setup window appears showing the progress indicator. When the installation completes, the IBM Software Registration Tool window appears. Click NEXT to complete the software registration.
8. After completing the software registration, a question appears asking whether you want to view the online README file. Click YES to view the README; otherwise click NO.
   NOTE: Viewing the online README file is optional. Since it contains last minute product changes that are not documented elsewhere, we recommend you read it.
9. After closing the online README file (or if you chose not to view it), the Installation Completed window appears. You are asked whether you want to restart your system. Make your choice and then click FINISH.
   NOTE: DCE Runtime Services for Windows 95 modifies the system configuration. If you choose not to restart your system at this time, you must restart it later for DCE changes to take effect.

After completing the installation procedure, you must configure DCE services on your system.

To configure DCE services on Windows 95:

1.
Click START, point to PROGRAM, click DCE FOR WINDOWS 95, and then click the DCESETUP icon.
2. Click the CONFIGURE menu, and then click on one of the configuration options.

=====================================================
15.9 Viewing Online Documentation directly from the CD

In instances when the online documentation is not installed (for example, the Slim Client client package) or if you choose not to install online documentation, it can be viewed directly from the CD labeled IBM Distributed Computing Environment (DCE) for Windows NT. The help files for the documentation are located in:

    x:\language\documentation\

Where:

    x         is the drive for the CD-ROM
    language  is the language in which you want the documentation displayed.

For example:

    g:\English\documentation\

=====================================================
Part IV - README for IBM DCE for Windows NT, Version 2.2 ECO5 Service Update
=====================================================

Part IV provides important information describing the improvements contained in ECO5, including support for the Microsoft Windows XP Professional (32 bit) platform. This ECO supersedes all previous ECOs.

ECO5 is cumulative; it contains the APAR fixes from ECO4. In addition, ECO4 provides support for IBM DFS for Windows Version 3.0 on the Microsoft Windows 2000 operating system. APAR fixes for ECO5 follow the list of ECO4 APAR fixes.

=====================================================
Part IV Table of Contents

1.0 System requirements
2.0 Unsupported features of Windows
3.0 Installation
    3.1 Disabling Anti-Virus Software
    3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO5 Service Update
    3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Windows XP
    3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Windows XP
        3.4.1 InstallShield problem when reinstalling on Windows XP
    3.5 Migrating from Windows NT 4.0 or Windows 2000 to Windows XP
4.0 Slim client
    4.1 Windows service and process programming considerations
    4.2 Autostart support
    4.3 Integrated login support
    4.4 Command line configuration support
5.0 New environment variables
    5.1 DCE_ENABLE_ADMIN_GROUP
    5.2 RPC_UNSUPPORTED_NETADDRS
6.0 Supported compilers
7.0 Windows XP filesystem ACL issue
8.0 New error messages
9.0 ECO APAR fixes
    9.1 ECO4 APAR fixes
    9.2 ECO5 APAR fixes
10.0 Notices
    10.1 Trademarks and service marks

=====================================================
1.0 System requirements

In addition to the system requirements identified in Part I of this readme, ECO5 provides support for Microsoft Windows XP Professional (32 bit). To run IBM DCE for Windows NT on Windows XP Professional (32 bit), you must have one of the following:

o IBM DCE for Windows NT, Version 2.2.0 and ECO5
o IBM DCE for Windows NT, Version 2.2.3 and ECO5
o IBM DCE for Windows NT, Version 2.2.4 and ECO5

=====================================================
2.0 Unsupported features of Windows

IBM DCE for Windows NT does not support the following:

o Windows XP Multi User functionality
o Windows Terminal Service

=====================================================
3.0 Installation
=====================================================
3.1 Disabling Anti-Virus Software

Refer to Part II, Section 1.1.
=====================================================
3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO5 Service Update

The ECO5 installation is the same as for ECO3. Refer to the ECO3 installation instructions in Part II, Section 1.2, using ECO5 instead of ECO3.

=====================================================
3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Windows XP

The steps for installing IBM DCE for Windows NT, Version 2.2.0 on Windows XP are the same as the instructions for installing on Windows 2000. Refer to the instructions in Part II, Section 1.3, using Windows XP instead of Windows 2000 and ECO5 instead of ECO3.

=====================================================
3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Windows XP

IBM DCE for Windows NT, Version 2.2.3 will install on Windows XP without any special instructions. However, ECO5 must be installed before DCE can be functional. For ECO5 installation instructions, refer to Part IV, Section 3.2.

=====================================================
3.4.1 InstallShield problem when reinstalling on Windows XP

If you reinstall IBM DCE for Windows NT, Version 2.2.3 on Windows XP using a language other than English as the install-time language, InstallShield might display a blank error screen and exit without processing the remaining DCE menus. To recover, install again using English as the install-time language.

=====================================================
3.5 Migrating from Windows NT 4.0 or Windows 2000 to Windows XP

If you have IBM DCE for Windows NT, Version 2.2 installed on Windows NT 4.0 or Windows 2000 and you want to migrate your operating system to Windows XP, ECO5 must be installed before DCE can be functional. It is recommended that ECO5 be applied before migrating the operating system. If you choose to install ECO5 after the migration and auto-start is on, DCE cannot start successfully. For ECO5 installation instructions, refer to Part IV, Section 3.2.
=====================================================
4.0 Slim client

=====================================================
4.1 Windows service and process programming considerations

When you apply ECO5 on a configured IBM DCE for Windows NT Slim client, cdsadv.exe runs as a manual service instead of a process. Consider this change in all of your DCE applications that treat cdsadv.exe as a process on an IBM DCE for Windows NT Slim client.

Because the Slim client now runs as a service instead of a process, a user can start, stop, configure, and unconfigure the Slim client only if the user is a member of the Windows Administrator group.

=====================================================
4.2 Autostart support

The Slim client can be configured to start automatically. This new support can only be configured from the command line. For details on how to use the new Slim client autostart feature, see Section 4.4, "Command line configuration support".

=====================================================
4.3 Integrated login support

Integrated login can be configured to run on a Slim client. This new support can only be configured from the command line. For details on how to configure the integrated login feature on the Slim client, see Section 4.4, "Command line configuration support".

=====================================================
4.4 Command line configuration support

ECO5 includes a new dcecp command to configure the Slim client. The new command is "slimclient".

Description

The "slimclient" command is used to start, stop, configure, and unconfigure the Slim client. This command can be used when you install either the Slim client or the full client.
Syntax

config:   dcecp -c slimclient config [-cds_server ] [-sec_server ] [-int_login ] [-autostart ]
unconfig: dcecp -c slimclient unconfig
start:    dcecp -c slimclient start
stop:     dcecp -c slimclient stop
show:     dcecp -c slimclient show
help:     dcecp -c slimclient help
          dcecp -c slimclient help config
          dcecp -c slimclient help -verbose

Notes:

1. If the Slim client is not configured, the -cds_server and -sec_server options are required.
2. You can turn integrated login and autostart on and off using the slimclient config command.
3. If the Slim client is configured, the -cds_server and -sec_server options cannot be specified on config.
4. The slimclient command logs to %DCELOC%\dcelocal\etc\cfgdce.log.
5. The slimclient config command detects if the full client is configured already and does not allow the Slim client to be configured if it is.
6. Slim client config commands do not run if the Slim client configuration GUI is running.
7. "dcecp -c slimclient unconfig" cleans up a Slim client configuration and stops cdsadv.exe.
8. "dcecp show.cfg" or "dcecp -c slimclient show" shows the current Slim client configuration.
9. You must be in the Administrator group to issue all commands except show and help.

=====================================================
5.0 New environment variables

=====================================================
5.1 DCE_ENABLE_ADMIN_GROUP

A new system environment variable can be used to make the self credentials accessible to the entire Windows Administrator group for an IBM DCE for Windows NT full client. The new environment variable is DCE_ENABLE_ADMIN_GROUP. If the new environment variable is set, the self credentials are accessible by all of the users in the Windows Administrator group. Otherwise, self credentials are accessible to the Windows Administrator only.
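
Returning to the slimclient rules in Section 4.4: the following added example (not IBM's code, and it does not invoke dcecp) models Notes 1, 3, 5, 6 and 9 as a pre-flight check for a "slimclient config" request and reports the Section 8.0 status symbol each violation would be expected to produce. The pairing of notes with symbols, the order of the checks, the case-insensitive Yes/No match and the host names used with it are assumptions.

```python
"""Pre-flight model of 'dcecp -c slimclient config' (added example, not IBM code)."""
from dataclasses import dataclass

# Status codes and symbols copied from Section 8.0 of this Part.
STATUS = {
    "dcp_general_not_nt_admin": 0x0DCED7EA,
    "dcp_slimcl_already_configured_option": 0x0DCED7EC,
    "dcp_slimcl_not_yes_no": 0x0DCED7F0,
    "dcp_general_option_required": 0x0DCED7F1,
    "dcp_slimcl_full_client_configured": 0x0DCED801,
}

SERVER_OPTS = ("-cds_server", "-sec_server")
TOGGLE_OPTS = ("-int_login", "-autostart")


@dataclass
class HostState:
    """What the caller already knows about the machine (hypothetical model)."""
    is_admin: bool                 # member of the Windows Administrator group
    slim_configured: bool          # Slim client already configured
    full_client_configured: bool   # DCE configured with config.dce or dcesetup
    gui_running: bool = False      # Slim client configuration GUI is open


def parse_options(argv):
    """Turn ['-cds_server', 'host', ...] into a dict, rejecting stray tokens."""
    opts, i = {}, 0
    while i < len(argv):
        name = argv[i]
        if name not in SERVER_OPTS + TOGGLE_OPTS:
            raise ValueError(f"unknown option {name!r}")
        if i + 1 >= len(argv) or argv[i + 1].startswith("-"):
            raise ValueError(f"option {name} needs a value")
        opts[name] = argv[i + 1]
        i += 2
    return opts


def preflight_config(argv, state):
    """Return [(symbol, status, detail)]; an empty list means no rule is violated."""
    findings = []

    def add(symbol, detail):
        findings.append((symbol, STATUS[symbol], detail))

    # Note 9: everything except show and help needs Administrator membership.
    if not state.is_admin:
        add("dcp_general_not_nt_admin", "config requires the Administrator group")
        return findings
    # Note 5: a configured full client blocks Slim client configuration.
    if state.full_client_configured:
        add("dcp_slimcl_full_client_configured", "unconfigure DCE first")
        return findings
    # Note 6: the README lists no status code for this case.
    if state.gui_running:
        findings.append(("(no symbol listed)", None, "configuration GUI is running"))
        return findings

    opts = parse_options(argv)
    for name in SERVER_OPTS:
        if state.slim_configured and name in opts:          # Note 3
            add("dcp_slimcl_already_configured_option", name)
        elif not state.slim_configured and name not in opts:  # Note 1
            add("dcp_general_option_required", name)
    for name in TOGGLE_OPTS:  # Section 8.0: "must be Yes or No"
        if name in opts and opts[name].lower() not in ("yes", "no"):
            add("dcp_slimcl_not_yes_no", name)
    return findings


if __name__ == "__main__":
    # Constructed request: changing the CDS server on a configured Slim client.
    state = HostState(is_admin=True, slim_configured=True, full_client_configured=False)
    for symbol, status, detail in preflight_config(
            ["-cds_server", "cds2.example.test", "-autostart", "yes"], state):
        code = "n/a" if status is None else f"0x{status:08x}"
        print(f"{code} {symbol}: {detail}")
```
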
=====================================================
5.2 RPC_UNSUPPORTED_NETADDRS

In addition to the RPC_SUPPORTED_NETADDRS environment variable, ECO5 now supports the RPC_UNSUPPORTED_NETADDRS environment variable. This new environment variable indicates to RPC which local TCP/IP addresses to ignore. For example:

set RPC_UNSUPPORTED_NETADDRS=10.1.1.4

or

set RPC_UNSUPPORTED_NETADDRS=10.1.1.4:10.1.1.28

=====================================================
6.0 Supported compilers

ECO5 supports Microsoft Visual C++ Versions 5.0 and 6.0 for DCE application development.

Visual C++ .NET is not supported because the C/C++ runtime environment for this new version of the compiler is not compatible with the version used by DCE. C runtime objects compiled in one environment cannot correctly share data with objects compiled in the other, which will generally lead to access violations in the Microsoft code. For general information about the types of operations that can fail, see Microsoft's Knowledge Base Article Q190799 PRB: "Potential Errors Passing Objects Across DLL Boundaries" and their "Visual C++ Community FAQ" section on the CRT.

In DCE, some operations that will not work correctly are calls to the serviceability functions dce_*fprintf(), and the use of getenv() and putenv() to share environment variables with DCE.

=====================================================
7.0 Windows XP filesystem ACL issue

Windows XP users that are not in the "Administrators" group might experience trouble performing DCE authentication. dce_login might report the following:

"Sorry. You entered an invalid principal name or password."

This error occurs because DCE does not have write access to the %DCELOC%\dcelocal\var\security\creds directory as the current Windows XP user. This can be remedied by allowing "Write" access for the Windows XP group named "Users" in the appropriate DCE folder's security properties through the "My Computer" folder or Windows Explorer.
Note: You might need to disable "Use simple file sharing" in the Windows Explorer "Folder Options" to see folder security properties.

=====================================================
8.0 New error messages

The following Problem Determination messages are added for Slim client support:

status       0x0dced7ea
symbol       dcp_general_not_nt_admin
text         "This command must be run by a user in the 'administrator' group."
explanation  "The command can only be run by a user that is in the administrator group."
action       "Log in as a user with 'administrator' authority and run the command again."

status       0x0dced7eb
symbol       dcp_slimcl_already_configured
text         "The Slim client is already configured."
explanation  "The requested operation cannot be performed because the Slim client is already configured."
action       "Configure the Slim client and try the operation again."

status       0x0dced7ec
symbol       dcp_slimcl_already_configured_option
text         "The value for %s cannot be changed."
explanation  "The requested operation cannot be performed because the Slim client is already configured."
action       "In order to change the option shown in the message, the Slim client must be unconfigured and reconfigured with the new option."

status       0x0dced7ed
symbol       dcp_slimcl_not_configured
text         "The Slim client is not configured."
explanation  "The requested operation cannot be performed because the Slim client is not configured."
action       "Configure the Slim client and try the operation again."

status       0x0dced7ee
symbol       dcp_slimcl_not_configured_option
text         "The %s option cannot be configured because the Slim client is not configured."
explanation  "An attempt was made to configure an additional option on the Slim client, but the Slim client was not configured."
action       "Configure the Slim client and try the operation again."

status       0x0dced7ef
symbol       dcp_general_value_not_recognized
text         "The value, '%s', for the %s option is not recognized."
explanation  "A value was given for a command option that the program did not understand."
action       "Correct the command and re-try the migration."

status       0x0dced7f0
symbol       dcp_slimcl_not_yes_no
text         "The value for the %s option must be Yes or No."
explanation  "none"
action       "Use the correct option and re-try the command."

status       0x0dced7f1
symbol       dcp_general_option_required
text         "The %s option is required."
explanation  "none"
action       "Use the correct option and re-try the migration."

status       0x0dced7f3
symbol       dcp_slimcl_protocol
text         "RPC_SUPPORTED_PROTSEQS=%s. The supported protocols are %s and %s."
explanation  "The RPC_SUPPORTED_PROTSEQS environment variable is set to a value that is not supported by DCE."
action       "Set the environment variable to a value that is supported by DCE and run the program again."

status       0x0dced7f4
symbol       dcp_slimcl_api_error
text         "File: %s Line: %d %s failed."
explanation  "A system API returned an error."
action       "Contact your DCE system administrator."

status       0x0dced7f5
symbol       dcp_slimcl_api_error2
text         "File: %s Line: %d Error: %d %s failed."
explanation  "A system API returned an error."
action       "Contact your DCE system administrator."

status       0x0dced7f6
symbol       dcp_slimcl_tcp_sec_error
text         "Unable to obtain TCP/IP information for the security server, %s."
explanation  "The specific API that returned an error is logged after this message in the configuration log file."
action       "Contact your DCE system administrator."

status       0x0dced7f7
symbol       dcp_slimcl_tcp_cds_error
text         "Unable to obtain TCP/IP information for the CDS server, %s."
explanation  "The specific API that returned an error is logged after this message in the configuration log file."
action       "Contact your DCE system administrator."

status       0x0dced7f9
symbol       dcp_slimcl_cell_mismatch
text         "The Directory Server, %s, and the Security Server, %s, exist in different cells."
explanation  "The CDS Server and Security Server must be in the same cell."
action       "Specify the correct CDS Server and Security Server and run the program again."

status       0x0dced7fc
symbol       dcp_slimcl_config_service_error
text         "An error occurred while configuring the Slim client as a service."
explanation  "The specific API that returned an error is logged after this message in the configuration log file."
action       "Contact your DCE system administrator."

status       0x0dced7fd
symbol       dcp_slimcl_unconfig_service_error
text         "An error occurred while deleting the Slim client service."
explanation  "The specific API that returned an error is logged after this message in the configuration log file."
action       "Contact your DCE system administrator."

status       0x0dced7fe
symbol       dcp_slimcl_access_denied
text         "The user does not have the authority required to perform this action."
explanation  "A system API returned an error indicating that the user running the program doesn't have the authority necessary to perform the function requested. The specific API that returned the error is logged after this message in the configuration log file."
action       "Log in as a user with the required authority and run the program again."

status       0x0dced7ff
symbol       dcp_slimcl_query_autostart_error
text         "An error occurred while attempting to determine the Slim client autostart state."
explanation  "The program was unable to determine the autostart state of the Slim client. The specific error that occurred is logged after this message in the configuration log file."
action       "Contact your DCE system administrator."

status       0x0dced800
symbol       dcp_slimcl_autostart_error
text         "An error occurred while attempting to change the autostart state for the Slim client."
explanation  "The specific error that occurred is logged after this message in the configuration log file."
action       "Contact your DCE system administrator."

status       0x0dced801
symbol       dcp_slimcl_full_client_configured
text         "The Slim client cannot be configured because DCE has already been configured using config.dce or dcesetup."
explanation  "The Slim client can only be configured if DCE is not already configured using config.dce or dcesetup."
action       "Unconfigure DCE using unconfig.dce or dcesetup, then attempt to configure the Slim client again."

=====================================================
9.0 ECO APAR Fixes

=====================================================
9.1 ECO4 APAR fixes, additions, and notes

ECO4 contains the following APAR fixes:

IY18252 - "Cannot find KDC for requested realm(dce/krb)" returned during Component Broker configuration on Windows 2000.

IY15578 - Cannot configure GSO under Component Broker 3.5.

IY15595 - Add api for rpc_server_register_auth_ident.

IY21599 - PATH environment variable value can be replaced by full product install if initial PATH value is long
If this situation is detected, the PATH variable will not be updated by product install. The PATH must be updated through the System Properties panel and the following should be appended:

%DCELOC%\dcelocal\bin;%DCELOC%\dcelocal\dcedcf

ECO4 contains the following additions/corrections:

* Support DFS for Windows Version 3.0 on the Microsoft Windows 2000 operating system.
* Configuration support of DCE if loopback adapter installed.
* Corrections to memory allocation management in secd process.
* Correction to the return code when pthread_cond_timedwait is called for a wait that is greater than the 24 day limit.

Note: DFS for Windows Version 3.0 creates a registry key under the DCE registry key DCEcm. If DCE is removed and reinstalled, this DCE registry key will be replaced. See DFS for Windows Version 3.0 documentation for instructions on replacing the DFS-added registry value.
=====================================================
9.2 ECO5 APAR fixes

ECO5 contains the following APAR fixes:

IY24500 - Application on DCE client fails to start if CDS replica has higher preference
When a cell is configured to have more than one CDS server, and some of the DCE clients have their first preference set for the "read only" copy of the CDS replica, the server applications fail to start on these DCE clients. This problem is corrected.

IW00557 - SECD hangs as timer threads sleep infinitely
A condition not handled in the SECD process timer loop causes the timer loop to sleep for an infinite period. This condition causes a large number of receive_packet threads to hang in the SECD process. This problem is corrected.

IY30970 - Windows NT DCE Slim client issues erroneous calls to CDS servers
Slim client does not put its entry in CDS. However, when the Slim client is started, one of its threads continuously looks in the CDS namespace on the CDS server and checks if an update for its entry is needed. Because there is no entry in CDS, the thread goes into an infinite loop searching for an entry and makes erroneous calls to the CDS server, eventually increasing the CDS server load. This problem is corrected.

IY31111 - DTS fails to start due to "stale" entries in srvrexec.db
Previously, clean.dce did not delete the srvrexec.db file. Code was introduced to delete the srvrexec.db file during dcecp clean.dce and during autostart with clean up enabled. %DCELOC%\dcelocal\var\dced\srvrexec.db maintains information about servers (such as each server's process ID) that are currently running on the host. This information is used by DCED. Upon reboot of Windows NT machines, DCED reads the srvrexec.db file, and at times, encounters the stale entry of dtsd as "Registered but not running" and causes the DTS client to not start.

IY32446 - Timing issue puts DFS client threads into wait state on dual processor
Large file transfers would cause DFS clients to hang.
The problem was seen only on dual processor machines. This problem was corrected by fine tuning relevant parameters for dual processors in the pthreads library.

IY32666 - 'dcecp scrape.dce' deletes DFS registry key
If you reconfigure your DCE/DFS Windows client by doing an "Unconfigure" (issuing unconfig.dce on the command line) followed by a "Clobber" (issuing scrape.dce on the command line), possibly because you wanted to make your client part of a new cell, the scrape.dce removes all keys under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DCEcm including the DFS key. When reconfiguring this client, the DFS registry key is not recreated and prevents DceSetCreds calls for DFS to complete successfully because the CredDLLPath value remains undefined. Changes are made to prevent the deletion of the DFS registry key.

IY32154 - Display of invalid characters and system crash with DCE Director
The "Status" title of the DCE server's status in DCE Director used to show invalid characters. Also upon "Refresh" of the 'Time Server's' status, DCE Director used to crash. This problem is corrected.

IY34807 - DFS applet sometimes shows incorrect credential expiry time
IBM DFS calls IBM DCE APIs such as sec_login_net_info() to get the user credential information. If the user does a "dce_login -r" or "kinit" to refresh credentials, APIs such as sec_login_net_info() return "stale" information from the cache. This problem is corrected. The following APIs now return the correct values:

o sec_login_get_expiration()
o sec_login_inquire_net_info()
o sec_login_cred_get_expiration()

IY25740 - Updating and shuffling of contents of pe_site file in Slim client
To enable an IBM DCE for Windows NT, Version 2.2 ECO5 Slim client on Windows NT, Windows 2000, or Windows XP to use a pe_site file (for security server load balancing), perform the following steps:

1. Create a file named pesiteupdate in the %DCELOC%\dcelocal\etc directory.
2. Enter a value in this file which corresponds to the time interval of shuffling the pe_site file periodically, in minutes. If this file is empty, the default time interval is 24 hours. The contents of the pe_site file are now updated and shuffled after 24 hours or the time specified by the user. If the user specifies 0 (zero) as the time period, then the contents of pe_site are updated and shuffled only once until the Slim client is restarted.
3. If you want to discontinue updating and shuffling the contents of the pe_site file, delete the file named pesiteupdate created in Step 1.

Note: If the file named pesiteupdate is not present or its content is 0 (zero), then cdsadv will check for the file named pesiteupdate and its new contents every 10 minutes. Otherwise the existence and content of the file named pesiteupdate is checked at the time interval in minutes entered by the user in Step 2. The file named pesiteupdate in the %DCELOC%\dcelocal\etc directory must be created without an extension and file type.

IY35719 - IBM DFS 3.0 client is unable to refresh its view on dce_login -r or kinit command
When the user refreshes the credentials using the dce_login -r or kinit command, the DFS 3.0 client is unable to refresh its view. IBM DCE now calls an API to communicate to DFS 3.0 that the credentials have been refreshed.

Note: For DCE to communicate to DFS 3.0 about credentials that are refreshed, the relevant DFS fix (APAR IY36460) must be installed on the system. Please contact the DFS team to get the necessary DFS fix for the above functionality to work.

IY35871 - rpc_mgmt_is_server_listening API misbehaves on dual processor
When the encina command makes an internal call to rpc_mgmt_is_server_listening, the encina command used to fail with the encina tracing showing the rpc_mgmt_is_server_listening API throwing a misleading communication error, even though the server was up and running.
The error was noticed on a dual processor machine, approximately once in 2000 iterations of the encina command. Analysis showed that socket corruption was occurring on the client side. This problem is corrected.

=====================================================
Part V - README for IBM DCE for Windows NT, Version 2.2 ECO6 Service Update
=====================================================

Part V provides important information describing the improvements contained in ECO6, including support for the Microsoft Windows 2003 Server (32 bit) platform. This ECO supersedes all previous ECOs. ECO6 is cumulative; it contains the APAR fixes from ECO5. APAR fixes for ECO6 follow the list of ECO5 APAR fixes.

=====================================================
Part V - README for IBM DCE for Windows NT, Version 2.2 ECO6 Service Update
=====================================================

Part V provides important information describing the improvements contained in ECO6, including support for the Microsoft Windows Server 2003 Enterprise Edition (32 bit) platform. This ECO supersedes all previous ECOs. ECO6 is cumulative; it contains the APAR fixes from ECO5.
=====================================================
Part V Table of Contents

1.0 System requirements
2.0 Unsupported features of Windows
3.0 Installation
  3.1 Disabling Anti-Virus Software
  3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO6 Service Update
  3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Windows Server 2003 Enterprise Edition
  3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Windows Server 2003 Enterprise Edition
4.0 Integrated Login Enhanced
5.0 Documentation
  5.1 pthread_get_errno_np() - Documentation
  5.2 Additional Notes on CDS Preferencing
6.0 ECO6 APAR fixes
7.0 Supported compilers
8.0 Notices
  8.1 Trademarks and service marks

=====================================================
1.0 System requirements

In addition to the system requirements identified in Part IV of this readme, ECO6 provides support for Microsoft Windows Server 2003 Enterprise Edition (32 bit). To run IBM DCE for Windows NT on Windows Server 2003 Enterprise Edition (32 bit), you must have one of the following:

o IBM DCE for Windows NT, Version 2.2.0 and ECO6
o IBM DCE for Windows NT, Version 2.2.3 and ECO6
o IBM DCE for Windows NT, Version 2.2.4 and ECO6

=====================================================
2.0 Unsupported features of Windows

IBM DCE for Windows NT does not support the following:

o Windows Server 2003 Multi User functionality
o Windows Terminal Service

=====================================================
3.0 Installation

=====================================================
3.1 Disabling Anti-Virus Software

Refer to Part II, Section 1.1.

=====================================================
3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO6 Service Update

The ECO6 installation is the same as for ECO3. Refer to the ECO3 installation instructions in Part II, Section 1.2, using ECO6 instead of ECO3.
=====================================================
3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Windows Server 2003 Enterprise Edition

The steps for installing IBM DCE for Windows NT, Version 2.2.0 on Windows Server 2003 Enterprise Edition are the same as the instructions for installing on Windows 2000. Refer to the instructions in Part II, Section 1.3, using Windows Server 2003 instead of Windows 2000 and ECO6 instead of ECO3.

=====================================================
3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Windows Server 2003 Enterprise Edition

IBM DCE for Windows NT, Version 2.2.3 will install on Windows Server 2003 Enterprise Edition without any special instructions. However, ECO6 must be installed before DCE can be functional. For ECO6 installation instructions, refer to Part V, Section 3.2.

=====================================================
4.0 Integrated Login Enhanced

From ECO6 onwards, when the Windows password expires or when the Windows user changes the native password, the DCE Integrated Login changes the DCE password likewise.

=====================================================
5.0 Documentation

5.1 Documentation for the API pthread_get_errno_np()

int pthread_get_errno_np (void)

This API returns the current value of the 'errno' operating system variable. When programming with DCE pthreads on Windows, use this API for error handling.

5.2 Additional notes on CDS preferencing

When using a CDS pref file on the client, if all the CDS servers are on a different subnet than the client, and the ranking given to all CDS servers is less than 40000, then the "dcecp -c cdscache show -clearinghouse xxxx" command shows "Error: msgID=0xDCE23F8 Specified clearinghouse does not exist" for all clearinghouses, except the CDS master.
*Note: Use a pref file that gives all CDS servers a preferencing rank above 40000.

=====================================================
6.0 ECO6 APAR fixes

6.1 ECO6 contains the following APAR fixes:

IY3774 - Kinit does not work for DCE22 ECO5 Slim client
Kinit does not work on DCE22 ECO5 slim client. It throws an error: ordinal number 2000 not found in libdce.dll. This problem is fixed.

IY40167 - Integrated login msgs are garbled for Japanese locale.
The messages displayed during logon when integrated login is enabled are garbled for Japanese locale. The message is seen for integrated login on DCE Full client for ECO4 and integrated login on DCE full client as well as slim client for ECO5. This problem is fixed.

IY38704 - When user create fails, it leave a directory around
The "dcecp user create" command creates a CDS directory entry apart from creating the user. If it fails after the creation of the CDS entry and before the account create succeeds, the user create command does not delete the directory entry it created. This problem is fixed.

IY41081 - DFS client on NT/2k hangs when CDS replica is down.
In an environment where there are multiple CDS servers, the API rpc_ns_profile_elt_inq_next() is unable to get the fs junction when one/more of the secondary CDS servers are down despite the Master CDS server being up. This problem is fixed.

IY46693 - Problem with dce_login for admin user groups.
When doing dce_login using the keytab file, the following error message was displayed: "Effective UID not equal to real UID, cannot access keytable". This problem is fixed.

6.2 RPC vulnerability due to portscanners.

When some portscanners are targeted towards the ports on which DCE components are running, the DCE components may go down. This problem is fixed.

=====================================================
7.0 Supported compilers

ECO6 continues to support Microsoft Visual C++ Versions 5.0 and 6.0 for DCE application development.
Microsoft Visual C++ .NET can now also be used for DCE application development using ECO6. However, if the DCE application uses the following DCE APIs, the allocated memory should be freed using the dce_free() API. The following APIs require the use of the dce_free() API:

dce_msg_get()
dce_msg_get_msg()
dce_sprintf()
dce_pgm_sprintf()
dce_aud_print()
dce_cf_find_name_by_key()
dce_cf_get_cell_name()
dce_cf_get_host_name()
dce_cf_dced_entry_from_host()
dce_cf_get_csrgy_filename()
dce_db_header_fetch()

If free() is used to free the memory allocated by the above mentioned routines, the results are undefined. Also refer to Section 6.0 of Part IV for more information on issues related to the .NET compiler.

=====================================================
8.0 Notices

(C) Copyright IBM Corporation 2000, 2002. All rights reserved.

Note to U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information was developed for products and services offered in the U.S.A. IBM might not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country, or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106, Japan THE FOLLOWING PARAGRAPH DOES NOT APPLY TO THE UNITED KINGDOM OR ANY OTHER COUNTRY WHERE SUCH PROVISIONS ARE INCONSISTENT WITH LOCAL LAW: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation Department MU5A 9442 Capitol of Texas Highway North Austin, TX 78759 U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. 
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. 
IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IBM DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE AND MERCHANTABILITY WITH RESPECT TO THE INFORMATION IN THIS DOCUMENT. BY FURNISHING THIS DOCUMENT, IBM GRANTS NO LICENSES TO ANY PATENTS OR COPYRIGHTS.

========================================================
8.1 Trademarks and service marks

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

   AIX
   DFS
   IBM
   OS/2
   OS/2 Warp
   VisualAge

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Intel is a registered trademark of Intel Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

=====================================================
Part VI - README for IBM DCE for Windows NT, Version 2.2 ECO7 Service Update
=====================================================

Part VI provides important information describing the improvements contained in ECO7, including support for the Microsoft Windows Server 2000 / 2003 Terminal Server Editions (32 bit).

This ECO supersedes all previous ECOs. ECO7 is cumulative; it contains the APAR fixes from ECO6. APAR fixes for ECO7 follow the list of ECO6 APAR fixes.

Please substitute Microsoft Windows Server 2000 / 2003 Terminal Server Editions (32 bit) for Microsoft Windows Terminal Server Editions wherever it appears in this document.

=====================================================
Part VI Table of Contents

1.0 System requirements
2.0 Unsupported features of Windows
3.0 Installation
    3.1 Disabling Anti-Virus Software
    3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO7 Service Update
    3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Microsoft Windows Terminal Server Editions
    3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Microsoft Windows Terminal Server Editions
4.0 Documentation
    4.1 Known limitations
5.0 ECO7 APAR fixes
6.0 Supported compilers
7.0 Notices
    7.1 Trademarks and service marks

=====================================================
1.0 System requirements

In addition to the system requirements identified in Part V of this readme, ECO7 provides support for Microsoft Windows Terminal Server Editions.
To run IBM DCE for Windows NT on Microsoft Windows Terminal Server Editions you must have one of the following:

   o IBM DCE for Windows NT, Version 2.2.0 and ECO7
   o IBM DCE for Windows NT, Version 2.2.3 and ECO7
   o IBM DCE for Windows NT, Version 2.2.4 and ECO7

=====================================================
2.0 Unsupported features of Windows

IBM DCE for Windows NT does not support the following:

   o Terminal Server Editions of all Microsoft Windows Server Editions preceding Microsoft Windows 2000 Server

=====================================================
3.0 Installation

=====================================================
3.1 Disabling Anti-Virus Software

Refer to Part II, Section 1.1.

=====================================================
3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO7 Service Update

The ECO7 installation is the same as for ECO3. Refer to the ECO3 installation instructions in Part II, Section 1.2, using ECO7 instead of ECO3.

=====================================================
3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Microsoft Windows Terminal Server Editions

The steps for installing IBM DCE for Windows NT, Version 2.2.0 on Windows Server 2003 Enterprise Edition are the same as the instructions for installing on Windows 2000. Refer to the instructions in Part II, Section 1.3, using Microsoft Windows Terminal Server Editions instead of Windows 2000 and ECO7 instead of ECO3.

Please note that the consistency of installation is restricted to installation from only one session at any instance.

=====================================================
3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Microsoft Windows Terminal Server Editions

IBM DCE for Windows NT, Version 2.2.3 will install on Windows Server 2003 Enterprise Edition without any special instructions. However, ECO7 must be installed before DCE can be functional. For ECO7 installation instructions, refer to Part VI, Section 3.2.
Please note that the consistency of installation is restricted to installation from only one session at any instance.

=====================================================
4.0 Documentation

4.1 Known limitations

> The Microsoft Windows Terminal Server Editions of server flavours prior to Microsoft Windows 2000 Server are not supported.

> The message box that pops up during login stating "DCE integrated login in progress, Press Ctrl+Alt+Del to cancel operation" is not applicable for a Terminal Session environment when DCE is configured with integrated login on a terminal server. This is because the Ctrl+Alt+Del keycode from the client machine cannot be mapped to the DCE process running on a remote Terminal Server.

> Validity of credentials is not maintained across session logins and log-offs for DCE running in a Terminal Server remote session. Hence, for proper functioning of DCE, it is mandatory that the user obtain a new set of credentials every time the user logs in to a new terminal session. This is because credentials are stored relative to the session ID, and it is not guaranteed that the terminal server will assign the same session ID to the same username every time. Note that this deviation applies only to DCE running in Terminal Services remote sessions and NOT to DCE running in console sessions or traditional desktop environments.

> Using the username "administrator" when DCE is configured with integrated login results in inconsistent behavior when the username is validated during integrated login. This is because Windows converts the username from "administrator" to "Administrator" internally, irrespective of the format in which it is entered in the logon box, before passing it to the DCE integrated login module.

4.2. DCE authentication will work properly as long as the default 'Windows directory permissions' of the parent directory under which DCE has been installed have not been changed.
If the administrator has changed the default directory permissions of the parent directory, the ACL settings specified in "Part IV, Section 7" of this README are also applicable for the Windows Terminal Server environment. This effectively resolves authentication failure problems when non-administrative users attempt to dce_login from a Terminal Server environment. Please note that the %DCELOC%\dcelocal\var\security\creds directory should have RWX (Read/Write/Execute) access for all users in order for dce_login to succeed.

Note: If the default permission settings have been changed by the administrator, then, in order to prevent tampering with DCE credentials, it is recommended that the Windows Server administrator explicitly disable the Delete permission ('Delete' is one of the effective permissions provided for directories by the Windows operating system) on the %DCELOC%\dcelocal\var\security\creds directory for all Windows users except administrators. By default, the "Delete" permission is denied automatically and no action is required by the user unless the default permission settings have been modified.

=====================================================
5.0 ECO7 APAR fixes

5.1 ECO7 contains the following APAR fixes:

IY 70773 : Clicking on the "Clean" option in Administration of dcesetup used to delete all the contents of the dcelocal\var\adm\directory\cds directory, including the cds-cache.wan file. The problem has been fixed.

=====================================================
6.0 Supported compilers

ECO7 continues to support Microsoft Visual C++ Versions 5.0 and 6.0 for DCE application development. Microsoft Visual C++ .NET can now also be used for DCE application development using ECO7. However, if the DCE application uses the following DCE APIs, the allocated memory should be freed using the dce_free() API.
The following APIs require the use of dce_free() API:

   dce_msg_get()
   dce_msg_get_msg()
   dce_sprintf()
   dce_pgm_sprintf()
   dce_aud_print()
   dce_cf_find_name_by_key()
   dce_cf_get_cell_name()
   dce_cf_get_host_name()
   dce_cf_dced_entry_from_host()
   dce_cf_get_csrgy_filename()
   dce_db_header_fetch()

If free() is used to free the memory allocated by the above mentioned routines, the results are undefined.

Also refer to Section 6.0 of Part IV for more information on issues related to .NET compiler.

=====================================================
7.0 Notices

(C) Copyright IBM Corporation 2000, 2002. All rights reserved.

Note to U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information was developed for products and services offered in the U.S.A. IBM might not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

   IBM Director of Licensing
   IBM Corporation
   North Castle Drive
   Armonk, NY 10504-1785
   U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country, or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106, Japan THE FOLLOWING PARAGRAPH DOES NOT APPLY TO THE UNITED KINGDOM OR ANY OTHER COUNTRY WHERE SUCH PROVISIONS ARE INCONSISTENT WITH LOCAL LAW: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation Department MU5A 9442 Capitol of Texas Highway North Austin, TX 78759 U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. 
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. 
IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IBM DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE AND MERCHANTABILITY WITH RESPECT TO THE INFORMATION IN THIS DOCUMENT. BY FURNISHING THIS DOCUMENT, IBM GRANTS NO LICENSES TO ANY PATENTS OR COPYRIGHTS.

========================================================
7.1 Trademarks and service marks

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

   AIX
   DFS
   IBM
   OS/2
   OS/2 Warp
   VisualAge

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Intel is a registered trademark of Intel Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.

=====================================================
Part VII - README for IBM DCE for Windows NT, Version 2.2 ECO8 Service Update
=====================================================

Part VII provides important information describing the improvements contained in ECO8, including support for the Microsoft Windows Vista Ultimate, Microsoft Windows Vista Business and Microsoft Windows Vista Enterprise Editions (32 bit).

This ECO supersedes all previous ECOs. ECO8 is cumulative; it also contains the APAR fixes from ECO7.

Please substitute Microsoft Windows Vista Ultimate Edition (32 bit) or Microsoft Windows Vista Business Edition (32 bit) or Microsoft Windows Vista Enterprise Edition (32 bit) for Microsoft Windows Vista Editions wherever it appears in this document.

=====================================================
Part VII Table of Contents

1.0 System requirements
2.0 Unsupported features of Windows
3.0 Installation
    3.1 Disabling Anti-Virus Software
    3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO8 Service Update
    3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Microsoft Windows Vista Ultimate Edition (32 bit) or Microsoft Windows Vista Business Edition (32 bit) or Microsoft Windows Vista Enterprise Edition (32 bit)
    3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Microsoft Windows Vista Ultimate Edition or Microsoft Windows Vista Business Edition or Microsoft Windows Vista Enterprise Edition.
4.0 Documentation
    4.1 Known limitations
5.0 ECO8 APAR fixes
6.0 Supported compilers
7.0 Notices
    7.1 Trademarks and service marks

=====================================================
1.0 System requirements

In addition to the system requirements identified in Part V of this readme, ECO8 provides support for Microsoft Windows Vista Ultimate Edition (32 bit) or Microsoft Windows Vista Business Edition (32 bit) or Microsoft Windows Vista Enterprise Edition (32 bit).

To run IBM DCE for Windows NT on Microsoft Windows Vista Ultimate Editions or Microsoft Windows Vista Business or Microsoft Windows Vista Enterprise Editions you must have one of the following:

   o IBM DCE for Windows NT, Version 2.2.0 and ECO8
   o IBM DCE for Windows NT, Version 2.2.3 and ECO8
   o IBM DCE for Windows NT, Version 2.2.4 and ECO8

=====================================================
2.0 Unsupported features of Windows

IBM DCE for Windows NT does not support the following:

   o Microsoft has stopped support for the ncadg_ip_udp protocol for querying the Microsoft endpoint mapper on Windows Vista Editions.
     Hence IBM DCE does not support the ncadg_ip_udp protocol on Microsoft Windows Vista Editions.

=====================================================
3.0 Installation

=====================================================
3.1 Disabling Anti-Virus Software

Refer to Part II, Section 1.1.

=====================================================
3.2 Installing IBM DCE for Windows NT, Version 2.2 ECO8 Service Update

The ECO8 installation is the same as for ECO3. Refer to the ECO3 installation instructions in Part II, Section 1.2, using ECO8 instead of ECO3.

=====================================================
3.3 Installing IBM DCE for Windows NT, Version 2.2.0 on Microsoft Windows Vista Ultimate Edition or Microsoft Windows Vista Business Edition or Microsoft Windows Vista Enterprise Edition.

The steps for installing IBM DCE for Windows NT, Version 2.2.0 on Microsoft Windows Ultimate Edition or Microsoft Windows Vista Business Edition or Microsoft Windows Vista Enterprise Edition are the same as the instructions for installing on Windows 2000. Refer to the instructions in Part II, Section 1.3, using Microsoft Windows Vista Ultimate Edition or Microsoft Windows Vista Business Edition or Microsoft Windows Vista Enterprise Edition instead of Windows 2000 and ECO8 instead of ECO3.

Please note that the consistency of installation is restricted to installation from only one session at any instance.

=====================================================
3.4 Installing IBM DCE for Windows NT, Version 2.2.3 on Microsoft Windows Vista Ultimate Edition or Microsoft Windows Vista Business Edition or Microsoft Windows Vista Enterprise Edition.

IBM DCE for Windows NT, Version 2.2.3 will install on Microsoft Windows Vista Ultimate Edition or Microsoft Windows Vista Business Edition or Microsoft Windows Vista Enterprise Edition without any special instructions. However, ECO8 must be installed before DCE can be functional. For ECO8 installation instructions, refer to Part VII, Section 3.2.
Please note that the consistency of installation is restricted to installation from only one session at any instance.

=====================================================
4.0 Documentation

4.1 Known limitations

> Please refer to the documentation and limitations mentioned in previous sections. They may also be applicable to ECO8.

> Flashes of the Command Prompt window will be seen on Microsoft Windows Vista while configuring DCE using the dcesetup GUI tool. Such flashes will also be seen during operations like stop, start and refresh with the DCE dcesetup GUI tool.

> Change required in a registry key for DCE to work on Microsoft Windows XP SP2 and above, including Microsoft Windows Vista:

  The IBM DCE for Windows client fails to start or configure because Microsoft introduced changes in XP SP2 to its RPC security model that affect default RPC behavior, which IBM DCE for Windows uses. This change in default behavior applies to all versions of Windows from XP SP2 onwards, including Microsoft Windows Vista.

  To enable DCE to configure and run on these versions of Microsoft Windows (Windows XP SP2 onwards, including Microsoft Windows Vista releases), the following registry key value must be set back to the default pre-XP SP2 value, as given below.

  Set the data value of the RestrictRemoteClients registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC to DWORD 0. If the RPC key is not present, the RPC key needs to be created. By default this key is not present. This workaround forces RPC to exhibit the same behavior as earlier versions of Windows by setting the key value to DWORD 0. After setting this registry key, a reboot of the machine is required.
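
The registry change described above can be scripted. The following PowerShell is an added example, not part of the IBM README; it assumes an elevated PowerShell 3.0 or later session on the affected machine, and the function names are hypothetical. It reports the existing value before writing DWORD 0, so the previous RPC restriction level is on record if the change has to be reverted.

```powershell
# Added example: audit and apply the RestrictRemoteClients setting named in the README.
# Assumptions: elevated session, PowerShell 3.0+; function names are hypothetical.
$RpcPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
$ValueName     = 'RestrictRemoteClients'

function Get-DceRpcRestriction {
    # Returns the current DWORD, or $null when the RPC key or the value is
    # absent (per the README, the key is not present by default).
    if (-not (Test-Path -LiteralPath $RpcPolicyPath)) { return $null }
    $prop = Get-ItemProperty -LiteralPath $RpcPolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Set-DceRpcRestriction {
    # Sets RestrictRemoteClients to DWORD 0, creating the RPC key if needed.
    # Microsoft's policy levels for this value: 0 = None, 1 = Authenticated,
    # 2 = Authenticated without exceptions. The README requires 0.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $before  = Get-DceRpcRestriction
    $changed = $false

    if ($before -ne 0 -and $PSCmdlet.ShouldProcess("$RpcPolicyPath\$ValueName", 'Set to DWORD 0')) {
        if (-not (Test-Path -LiteralPath $RpcPolicyPath)) {
            New-Item -Path $RpcPolicyPath -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $RpcPolicyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
        $changed = $true
    }

    # Report what was there before and what is there now, for the change record.
    [pscustomobject]@{
        Path           = $RpcPolicyPath
        Name           = $ValueName
        PreviousValue  = if ($null -eq $before) { '(not set)' } else { $before }
        CurrentValue   = Get-DceRpcRestriction
        RebootRequired = $changed   # the README requires a reboot after the change
    }
}

# Dry run: shows what would be written without modifying the registry.
Set-DceRpcRestriction -WhatIf
```

Remove `-WhatIf` to apply the change, then reboot as the README requires.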
=====================================================
5.0 ECO8 APAR fixes

5.1 ECO8 contains the following APAR fixes:

IZ 01188 : DCE applications that are built using DCE 2.2 for Windows may experience sporadic hang issues in certain environments, such as heavy load running on fast multiprocessors. This APAR introduces the environment variable RPC_PROCESSOR_AFFINITY (or alternatively RPC_PROCESS_AFFINITY), which may provide relief for such problems by providing a method to tune the DCE application’s processor affinity. The environment variable value is a bit mask that sets the processor affinity of a DCE application process to a subset of the available processors on the machine.

E.g.

   set RPC_PROCESS_AFFINITY=1100
or
   set RPC_PROCESS_AFFINITY=0011
or
   set RPC_PROCESS_AFFINITY=0101
or
   set RPC_PROCESS_AFFINITY=0110

This will set the processor affinity of the process to two processors. To restrict the process to only one processor, set the variable value as follows:

   set RPC_PROCESS_AFFINITY=1000
or
   set RPC_PROCESS_AFFINITY=0100
or
   set RPC_PROCESS_AFFINITY=0010
or
   set RPC_PROCESS_AFFINITY=0001

Similarly, appropriate values can be set for cases where a different number of CPUs is available.

=====================================================
6.0 Supported compilers

Please refer to Section 6.0 of Part VI (ECO7). The compilers supported by ECO8 are the same as for ECO7.

=====================================================
7.0 Notices

(C) Copyright IBM Corporation 2000, 2002, 2007. All rights reserved.

Note to U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information was developed for products and services offered in the U.S.A. IBM might not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country, or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106, Japan THE FOLLOWING PARAGRAPH DOES NOT APPLY TO THE UNITED KINGDOM OR ANY OTHER COUNTRY WHERE SUCH PROVISIONS ARE INCONSISTENT WITH LOCAL LAW: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. 
You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IBM DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE AND MERCHANTABILITY WITH RESPECT TO THE INFORMATION IN THIS DOCUMENT. BY FURNISHING THIS DOCUMENT, IBM GRANTS NO LICENSES TO ANY PATENTS OR COPYRIGHTS.

========================================================
7.1 Trademarks and service marks

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

   AIX
   DFS
   IBM
   OS/2
   OS/2 Warp
   VisualAge

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Intel is a registered trademark of Intel Corporation in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.