Re: Problems with TGS referral ...
daemon@ATHENA.MIT.EDU (michael-kerberos@waldvogel.name)
Sat May 8 13:58:40 2010
To: <kerberos@mit.edu>
MIME-Version: 1.0
Date: Sat, 08 May 2010 19:58:26 +0200
From: <michael-kerberos@waldvogel.name>
In-Reply-To: <m2wrvk45y9.fsf@darwin.oankali.net>
Message-ID: <34a34c9c753684a72a98c3798ad167c2@localhost>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Upgrading to v1.8.1 did the trick. In my test scenario XP now successfully
gets a TGS referral ticket issued.
Many thanks to Richard E. Silverman and Tom Yu!!
Best regards,
Michael Waldvogel
On Tue, 04 May 2010 01:00:14 -0400, "Richard E. Silverman" <res@qoxp.net> wrote:
>>>>>> <michael-kerberos@waldvogel.name> writes:
>
> > Hi,
>
> > I've been trying to set up two different KDCs with realms A.COM and
> > B.COM and I'm now stuck with a TGS referral problem. I've set up a
> > Windows XP installation to use a KDC for realm A.COM. That works
> > like a charm. I can do a logon and the KDC also issues all
> > kinds of service tickets within realm A.COM (I tried with Squid and
> > SSH). I have configured the MIT KDC (1.7) for cross realm
> > authentication with realm B.COM. If I use ssh on the same host that
> > the KDC for A.COM is running I can do cross realm authentication to
> > services in realm B.COM. But if I try to do this from Windows XP
> > this doesn't work.
>
> > The problem is that Windows doesn't know anything about domain realm
> > mappings. So I tried to inform XP about it, but without any success
> > (DNS SRV records for KDCs and TXT records for the realm mapping are
> > set). So Windows keeps asking for tickets of the form
> > host/host-in-realm-b@A.COM instead of
> > host/host-in-realm-b@B.COM. I've been reading about this new feature
> > of TGS referrals, where the KDC responds with a cross realm ticket
> > for the KDC in B.COM when asked (TGS) for a service ticket for a
> > host known to be in realm B.COM but the KDC of realm A.COM only
> > keeps complaining that the principal cannot be found ...
>
> > I'm aware that in the TGS request bit 15 for canonicalize must be
> > set, so I configured the realm settings with ksetup /setrealmflags
> > A.COM 0x8. Then I checked with Wireshark that this bit is actually
> > set. But the KDC keeps refusing to send me a TGS referral for realm
> > B.COM ...
>
> The MIT code also requires that the principal type in the request be
> NT-HST-SRV in order for it to automatically issue referrals; Windows,
> however, sets the type to NT-HST-SRV. The logic is this (comments taken
> from the MIT code, v1.8):
>
> /* By now we know that server principal name is unknown.
> * If CANONICALIZE flag is set in the request
> * If req is not U2U authn. req
> * the requested server princ. has exactly two components
> * either
> * the name type is NT-SRV-HST
> * or name type is NT-UNKNOWN and
> * the 1st component is listed in conf file under host_based_services
> * the 1st component is not in a list in conf under "no_host_referral"
> * the 2d component looks like fully-qualified domain name (FQDN)
> * If all of these conditions are satisfied - try mapping the FQDN and
> * re-process the request as if client had asked for cross-realm TGT.
> */
>
> Given this, I had to patch the code to get it working, but it does work.
> Also, you have to code the host->realm mappings for hosts you want
> referrals on into krb5.conf; it doesn't seem to use the DNS for this
> (_kerberos TXT RR's). You'd have to be careful with that anyway; it would
> be very easy to get referral loops, given that the Windows and Unix views
> of realm membership don't match up.
>
> > I'm using an MIT KRB5 build from Gentoo Linux (32bit) (1.7-r2).
>
> > Has somebody successfully configured any MIT KRB5 version (most
> > likely >= 1.7) with TGS referral?
>
> > Best regards, Michael Waldvogel
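The referral conditions quoted from the MIT 1.8 KDC comment above, modelled as a small decision function. This is an added example, not code from MIT krb5 or from anyone in this thread; the request and config structures, the field names, and the sample krb5.conf-style [domain_realm] mapping are assumptions made for illustration. It also adds one safeguard the quoted comment does not mention (never refer a client back to the KDC's own realm), which addresses the simplest form of the referral loop the reply warns about.

```python
# Added example (not MIT krb5 code): models the TGS referral decision quoted
# from the MIT 1.8 KDC comment, using a krb5.conf [domain_realm]-style
# host->realm mapping rather than DNS TXT records, as the reply describes.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Kerberos principal name types (RFC 4120, section 6.2)
NT_UNKNOWN = 0
NT_SRV_HST = 3


@dataclass
class TgsRequest:
    """The TGS-REQ fields that matter for the referral decision (assumed shape)."""
    server: Tuple[str, ...]     # service principal components, e.g. ("host", "web1.b.com")
    name_type: int              # sname name-type
    canonicalize: bool          # kdc-options bit 15 (XP: ksetup /setrealmflags A.COM 0x8)
    user_to_user: bool = False  # ENC-TKT-IN-SKEY requests never get referrals


@dataclass
class KdcConfig:
    """The krb5.conf settings the decision depends on (field names are assumptions)."""
    realm: str                      # realm served by this KDC
    domain_realm: Dict[str, str]    # [domain_realm]: ".b.com" or "host.b.com" -> "B.COM"
    host_based_services: Set[str]   # first components treated as host-based when NT-UNKNOWN
    no_host_referral: Set[str]      # first components that must never be referred


def looks_like_fqdn(name: str) -> bool:
    """Crude FQDN test: two or more non-empty labels, no leading or trailing dot."""
    labels = name.split(".")
    return len(labels) >= 2 and all(labels)


def map_host_to_realm(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """[domain_realm] lookup: exact host entry first, then the longest matching '.suffix'."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    best = None
    for key, realm in domain_realm.items():
        if key.startswith(".") and host.endswith(key.lower()):
            if best is None or len(key) > len(best[0]):
                best = (key, realm)
    return best[1] if best else None


def referral_realm(req: TgsRequest, cfg: KdcConfig) -> Optional[str]:
    """Realm to refer the client to, or None to report the principal as unknown.

    Assumes the server principal has already been looked up and not found,
    which is where the quoted MIT comment starts.
    """
    if not req.canonicalize or req.user_to_user:
        return None
    if len(req.server) != 2:
        return None
    service, host = req.server
    host_based = req.name_type == NT_SRV_HST or (
        req.name_type == NT_UNKNOWN and service in cfg.host_based_services
    )
    if not host_based or service in cfg.no_host_referral:
        return None
    if not looks_like_fqdn(host):
        return None
    target = map_host_to_realm(host, cfg.domain_realm)
    # Added safeguard, not in the quoted comment: a referral to our own realm
    # would send the client straight back here, the simplest referral loop.
    if target is None or target == cfg.realm:
        return None
    return target


def referral_ticket_principal(req: TgsRequest, cfg: KdcConfig) -> Optional[str]:
    """Cross-realm TGT the KDC would issue instead, e.g. 'krbtgt/B.COM@A.COM'."""
    target = referral_realm(req, cfg)
    return None if target is None else f"krbtgt/{target}@{cfg.realm}"


if __name__ == "__main__":
    # Constructed config mirroring the two-realm setup in the thread.
    cfg = KdcConfig(realm="A.COM",
                    domain_realm={".a.com": "A.COM", ".b.com": "B.COM"},
                    host_based_services={"http"},
                    no_host_referral={"ldap"})
    xp_req = TgsRequest(("host", "srv1.b.com"), NT_SRV_HST, canonicalize=True)
    print(referral_ticket_principal(xp_req, cfg))
```

Running the script prints the cross-realm TGT name the KDC would fall back to for an XP request with canonicalize set; flipping `canonicalize` to False, or asking for a non-FQDN host, yields None, matching the "principal cannot be found" behaviour described earlier in the thread.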
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos