<br><font size=2 face="sans-serif">Greetings All,</font>
<br>
<br><font size=2 face="sans-serif">I'm part of a team that's been doing a lot of work with Active Directory Kerberos interoperability and thought I'd share some of our findings with the list. Namely, there are two issues involving realm names and service principal names, where Active Directory will accept short forms of the realm or service principal names and return the full names.</font>
<br>
<br><font size=2 face="sans-serif">The first occurs when a user joins a domain in an Active Directory realm. If we're joining the domain ibm.foo.bar, with user Administrator, then a client will make a request with the realm being whatever the client types as the domain name. If a client enters ibm.foo.bar, IBM.FOO.BAR, or IBM.foo.BAR, the requests will go out as Administrator@ibm.foo.bar, Administrator@IBM.FOO.BAR, or Administrator@IBM.foo.BAR respectively. Regardless of the request, Active Directory will always return a ticket for Administrator@IBM.FOO.BAR.</font>
<br>
<br><font size=2 face="sans-serif">Additionally, it also appears that tickets can be requested via the NetBIOS equivalent of the domain name (NetBIOS naming is a flat naming convention being slowly phased out of CIFS). So the above example would also work if the client requested Administrator@IBM, if IBM is the NetBIOS name of the domain.</font>
<br>
<br><font size=2 face="sans-serif">Another interesting problem is with service principal names. Typically, an AD client will request a ticket with a service principal in the form HOST/dc.domain@REALM. If our domain controller (or KDC) resides on dc.ibm.foo.bar, then this would be a request for HOST/dc.ibm.foo.bar@IBM.FOO.BAR. Of course, in certain circumstances, a client can request HOST/netbios_name@REALM, or, if our NetBIOS DC name was NBDC, HOST/NBDC$@IBM.FOO.BAR. In this circumstance, the DNS form will be returned.</font>
<br>
<br><font size=2 face="sans-serif">Our solution has been a simple patch that accepts the different forms for ticket names but we've been a little uncertain what the best long term solution to this problem would be. Any input would be greatly appreciated.</font>
<br>
<br><font size=2 face="sans-serif">I can provide network traces if desired (I wasn't sure if this list accepts binary attachments).</font>
<br>
<br><font size=2 face="sans-serif">Regards,</font>
<br>
<br><font size=2 face="sans-serif">Anthony Liguori<br>
Linux/Active Directory Interoperability<br>
Linux Technology Center (LTC) - IBM Austin<br>
E-mail: aliguor@us.ibm.com<br>
Phone: (512) 838-1208<br>
Tie Line: 678-1208</font>
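As an added example (this is not code from the message above and not IBM's patch), the following Python routine shows one way a client can accept the short and long principal forms described in the message when it compares the principal Active Directory places in the returned ticket against the principal it requested. The two alias tables are constructed for the example from the names in the message (IBM as the NetBIOS name of IBM.FOO.BAR, NBDC as the NetBIOS name of dc.ibm.foo.bar); a real client would populate them from its site configuration rather than hard-code them.

```python
"""Match a requested Kerberos principal against the canonical principal that
Active Directory returns in a ticket.

Added example.  The alias tables below are constructed from the names in the
message; they are assumptions, not data from any real directory.
"""

from dataclasses import dataclass

# Constructed for the example: NetBIOS domain name -> DNS realm name.
REALM_ALIASES = {"IBM": "IBM.FOO.BAR"}

# Constructed for the example: NetBIOS computer name (without the trailing
# '$' that AD appends to computer accounts) -> DNS host name.
HOST_ALIASES = {"NBDC": "dc.ibm.foo.bar"}


@dataclass(frozen=True)
class Principal:
    components: tuple  # e.g. ("Administrator",) or ("HOST", "dc.ibm.foo.bar")
    realm: str


def parse_principal(text):
    """Split 'a/b@REALM' into its name components and realm.

    A principal without an explicit realm is rejected rather than completed
    with a guessed default realm.
    """
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal has no realm: {text!r}")
    return Principal(tuple(name.split("/")), realm)


def canonical_realm(realm):
    """AD treats realm names case-insensitively and also answers for the
    NetBIOS domain name, so fold case and expand a known NetBIOS alias."""
    upper = realm.upper()
    return REALM_ALIASES.get(upper, upper)


def canonical_host(host):
    """Host part of a HOST/... service principal.  DNS names compare
    case-insensitively; a known NetBIOS computer name, with or without the
    trailing '$', is expanded to its DNS name.  Unknown names are only
    lowercased, never guessed."""
    short = host.rstrip("$").upper()
    return HOST_ALIASES.get(short, host.lower())


def canonicalize(p):
    """Return the fully qualified form AD would put in the ticket."""
    comps = p.components
    if len(comps) == 2 and comps[0].upper() == "HOST":
        comps = ("HOST", canonical_host(comps[1]))
    # The user component is left exactly as given: only the realm and the
    # host part of an SPN are normalized here.
    return Principal(comps, canonical_realm(p.realm))


def format_principal(p):
    return "/".join(p.components) + "@" + p.realm


def ticket_matches_request(requested, returned):
    """True when the principal in the returned ticket is the accepted
    canonical form of the principal the client asked for."""
    want = canonicalize(parse_principal(requested))
    got = canonicalize(parse_principal(returned))
    return want == got


if __name__ == "__main__":
    returned = "HOST/dc.ibm.foo.bar@IBM.FOO.BAR"
    for asked in ("HOST/NBDC$@IBM.FOO.BAR", "HOST/NBDC@IBM", "host/other$@IBM.FOO.BAR"):
        print(f"{asked:32} -> {returned}: {ticket_matches_request(asked, returned)}")
```

The check deliberately expands only aliases it has been told about: a ticket whose realm or host does not canonicalize to the same name as the request is rejected instead of being accepted on the strength of a partial match, so a mismatched ticket surfaces as an error at the client rather than being silently used.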