The logomachy over "interoperability" seems to be founded on two
different scopes for the term.  MS addresses the question of whether
their Kerberos implementation is interoperable with others without
regard to context, and I believe that it is.

Others are talking about interoperability with the whole suite of
services which support ADS, taken together.  That is, the MS
implementation is interoperable if you could set up a non-MS LDAP
server, a non-MS Kerberos server, and a non-MS DNS server, populate
DNS with the necessary SRV records, install Win2k clients and servers
on the same network, and WITHOUT RUNNING DCPROMO ANYWHERE create an ADS
forest with functioning domain accounts.  And this cannot be done,
because the documentation for the critical blob of glue which sticks
the NT security model onto a Kerberos principal is surrounded with an
agreement not to implement what is documented.

In the broader interpretation, Kerberos is the vehicle of the problem
but does not in itself, in any implementation, embody the problem.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Our lives are forever changed.  But *that* is exactly as it always was.
