
Kerberos fails with Windows Server 2008 R2 RODC - assistance

daemon@ATHENA.MIT.EDU (Jonathan Thorpe)
Mon Mar 7 01:11:09 2011

From: Jonathan Thorpe <jthorpe@conexim.com.au>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 4 Mar 2011 07:58:36 +0000
Message-ID: <98518DB27649AF4EAFB2E355F71E605010BE3F22@ISRV-EXCH-1.conexim.local>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi All,

Our Active Directory environment is running Windows Server 2008 R2 and we've recently started deploying Kerberos across many of our Linux machines for Apache web authentication/single sign on. We have hopes to extend this to SSH authentication as well.

In testing, we have had persistent issues with Kerberos sending a name-type of "unknown" where the Windows 2008 R2 RODC is expecting NT-SRV-INST on TGS principal names. This issue appears to affect both MIT and Heimdal implementations of Kerberos and is discussed at length at:
http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/9166

It would appear this bug has been addressed in 1.9 (see http://src.mit.edu/fisheye/changelog/krb5/?cs=24438), however running Debian Lenny, we're still using the 1.6 branch. I have attempted to upgrade to 1.9 from the "experimental" repository, however this breaks too many dependencies to implement in production.

Looking at how dramatically different the 1.6 and 1.9 branches are, I'm not confident enough to backport this patch myself; however, I was hoping someone might be able to help with a patch for the 1.6 releases that Debian is currently shipping?

Kind Regards,
Jonathan

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
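Editor's note (not part of the original post, and not MIT or Heimdal code): the mismatch the post describes lives in the name-type field of the ASN.1 PrincipalName carried as sname in a TGS-REQ (RFC 4120 section 5.2.2; name-type constants in section 6.2). The Python below hand-encodes and decodes that structure in DER so you can see the one byte that differs between a krbtgt service name sent as NT-UNKNOWN (0) and as NT-SRV-INST (2), and it adds a small check that flags a krbtgt sname whose name-type is not NT-SRV-INST. The check models only what the post says about the 2008 R2 RODC; the function names, the realm EXAMPLE.COM and the sample names are assumptions made up for this example.

```python
"""DER encode/decode of the Kerberos PrincipalName and a name-type check.

Added example for this thread; not code from the original post, MIT, or
Heimdal. The RODC behaviour modelled by check_tgs_sname() is taken from
the post only (it rejects a krbtgt sname that is not NT-SRV-INST).
"""

# Name types from RFC 4120 section 6.2 (only the ones used here).
NT_UNKNOWN = 0
NT_PRINCIPAL = 1
NT_SRV_INST = 2
NT_SRV_HST = 3
NAME_TYPE_NAMES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST", 3: "NT-SRV-HST"}

# PrincipalName ::= SEQUENCE {
#     name-type   [0] Int32,
#     name-string [1] SEQUENCE OF KerberosString   -- GeneralString, tag 0x1b
# }
TAG_SEQUENCE, TAG_INTEGER, TAG_GENERALSTRING = 0x30, 0x02, 0x1B
TAG_CTX0, TAG_CTX1 = 0xA0, 0xA1  # explicit [0] and [1] context tags


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """Minimal two's-complement INTEGER body (name types are small)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(TAG_INTEGER, body)


def encode_principal_name(name_type, components):
    """Build the DER PrincipalName for e.g. (NT_SRV_INST, ["krbtgt", "EXAMPLE.COM"])."""
    strings = b"".join(_tlv(TAG_GENERALSTRING, c.encode("ascii")) for c in components)
    name_string = _tlv(TAG_SEQUENCE, strings)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_CTX0, _der_int(name_type)) + _tlv(TAG_CTX1, name_string))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_principal_name(der):
    """Parse a DER PrincipalName into (name_type, [components])."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single PrincipalName SEQUENCE")
    tag0, ctx0, pos = _read_tlv(body, 0)
    tag1, ctx1, pos = _read_tlv(body, pos)
    if (tag0, tag1) != (TAG_CTX0, TAG_CTX1) or pos != len(body):
        raise ValueError("unexpected context tags in PrincipalName")
    itag, ibody, _ = _read_tlv(ctx0, 0)
    stag, sbody, _ = _read_tlv(ctx1, 0)
    if itag != TAG_INTEGER or stag != TAG_SEQUENCE:
        raise ValueError("bad name-type or name-string encoding")
    name_type = int.from_bytes(ibody, "big", signed=True)
    components, p = [], 0
    while p < len(sbody):
        ctag, cbody, p = _read_tlv(sbody, p)
        if ctag != TAG_GENERALSTRING:
            raise ValueError("name-string component is not a GeneralString")
        components.append(cbody.decode("ascii"))
    return name_type, components


def check_tgs_sname(der):
    """Flag a krbtgt sname whose name-type is not NT-SRV-INST (the post's RODC complaint)."""
    name_type, comps = decode_principal_name(der)
    label = NAME_TYPE_NAMES.get(name_type, str(name_type))
    if comps and comps[0] == "krbtgt" and name_type != NT_SRV_INST:
        return "MISMATCH: %s sent as %s, RODC expects NT-SRV-INST" % ("/".join(comps), label)
    return "ok: %s as %s" % ("/".join(comps), label)


if __name__ == "__main__":
    # Constructed sample names; EXAMPLE.COM is a placeholder realm.
    bad = encode_principal_name(NT_UNKNOWN, ["krbtgt", "EXAMPLE.COM"])
    good = encode_principal_name(NT_SRV_INST, ["krbtgt", "EXAMPLE.COM"])
    print(bad.hex())   # byte 7 (the INTEGER body) is 00
    print(good.hex())  # byte 7 is 02; everything else identical
    print(check_tgs_sname(bad))
    print(check_tgs_sname(good))
```

Running it prints two hex strings that differ only in the name-type byte, which is the practical way to confirm from a capture (or from a krb5 trace of the TGS-REQ sname) whether a 1.6-era client is the one sending NT-UNKNOWN.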
