Problem with cross-realm authentication (Kerberos Realm & Win2Kdomain)

Lara Adianto m1r4cle_26 at yahoo.com
Thu Apr 1 02:56:35 EST 2004


Thank you for pointing that out Jeff !!

But a little correction: Heimdal does support
Cross-realm referral.

Cheers,
lara
--- Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
> 
> 
> On Tuesday, March 30, 2004 06:13:20 -0800 Lara
> Adianto 
> <m1r4cle_26 at yahoo.com> wrote:
> 
> > I have a doubt on the following line:
> >  Target Name: HOST/Test_w2kserver at DSSSASIA.COM
> > Shouldn't the client send a TGS_REQ for
> > HOST/Test_w2kserver at LARA_W2K instead ?
> >
> > But if my doubt is correct, how can the client
> know
> > that test_w2kserver is in LARA_W2K realm and not
> > LARA_HMD ?
> 
> In the traditional scenario, services are named
> using principal names like 
> service/fully.qualified.domain.name, where <service>
> could be "host" or 
> some more specific name, depending on what service
> you're talking to.  The 
> default assumption is that the realm of such a
> service is computed by 
> dropping the first component of the host's fully
> qualified name, and 
> upcasing the rest.  So
> service/fully.qualified.domain.name would be in the 
> realm QUALIFIED.DOMAIN.NAME.  Each client then has a
> configuration file 
> which describes variations on and exceptions to this
> algorithm.
> 
> Microsoft chose a different approach, the main
> intent of which is to 
> concentrate service-to-realm mappings in the KDC's,
> eliminating the need to 
> distribute a complex configuration file to every
> client.  In this model, a 
> client always starts by assuming the service is in
> the user's home realm, 
> and thus sends a TGS request to the user's home KDC.
>  If the service 
> actually is in that realm, it gets a ticket back. 
> If not, the KDC is 
> expected to send a cross-realm referral, in the form
> of a cross-realm TGT 
> for the correct realm (or a least another realm
> that's "closer" to the 
> correct realm).
> 
> The main problem you're seeing is that the heimdal
> KDC does not issue 
> cross-realm referrals.  As a result, you cannot
> contact any service not in 
> your home realm.
> 
> If your client machine is a member of the LARA_W2K
> domain, then it is 
> possible under certain circumstances to convince it
> that it should try 
> sending requests to that realm as well.  I'm not
> familiar with exactly what 
> needs to be done, but I'd hope the Microsoft
> Kerberos interop document 
> would cover this case.
> 
> Good luck...
> 
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
>    Sr. Research Systems Programmer
>    School of Computer Science - Research Computing
> Facility
>    Carnegie Mellon University - Pittsburgh, PA
> 


=====
------------------------------------------------------------------------------------ 
Life, you see, is never as good or as bad as one believes
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
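The two service-to-realm models Jeff describes above (the client-side "drop the first label, upcase the rest" rule with a configuration table of exceptions, versus the Microsoft model where the client always asks its home KDC and follows cross-realm referrals) can be shown side by side in a small simulation. This is an added example written for this thread, not code from Heimdal, MIT Kerberos or Microsoft; the hostnames, the `[domain_realm]`-style table, and the realm `LARA_W2K` being reachable from `LARA_HMD` are constructed sample data, and the `Kdc` class is a toy that only models the ticket/referral/unknown decision, not real KRB-TGS-REP processing.

```python
"""Two ways a Kerberos client can learn which realm a service lives in.
Constructed example for the mailing-list thread; not vendor code."""


# --- Traditional model: the client computes (or looks up) the realm ----

def default_realm_for_host(hostname: str) -> str:
    """Default rule from the thread: drop the first label of the FQDN and
    upcase the rest, so service/fully.qualified.domain.name is assumed to
    live in realm QUALIFIED.DOMAIN.NAME."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"{hostname!r} is not a fully qualified name")
    return ".".join(labels[1:]).upper()


def realm_for_host(hostname: str, domain_realm: dict) -> str:
    """Consult a krb5.conf-style [domain_realm] table before the default rule.

    Simplified matching (an assumption of this example): an entry that starts
    with '.' matches any host under that domain, any other entry matches one
    exact hostname, and the longest matching entry wins.
    """
    host = hostname.rstrip(".").lower()
    best = None
    for pattern, realm in domain_realm.items():
        pat = pattern.lower()
        matched = host.endswith(pat) if pat.startswith(".") else host == pat
        if matched and (best is None or len(pat) > len(best[0])):
            best = (pat, realm)
    return best[1] if best else default_realm_for_host(host)


# --- Microsoft model: the KDC holds the mapping and issues referrals ----

class Kdc:
    """Toy KDC for one realm: knows which realm each service is in and which
    cross-realm TGTs it is able to hand out (constructed data)."""

    def __init__(self, realm: str, services: dict, cross_realm_tgts):
        self.realm = realm
        self.services = services                 # service principal -> realm
        self.cross_realm_tgts = set(cross_realm_tgts)

    def tgs_req(self, service: str):
        """('ticket', realm) if the service is local; ('referral', realm) if
        we can issue a cross-realm TGT toward the right realm; ('unknown',
        None) if this KDC cannot help, which is the failure the thread
        reports for a KDC that issues no referrals."""
        target = self.services.get(service)
        if target == self.realm:
            return ("ticket", self.realm)
        if target in self.cross_realm_tgts:
            return ("referral", target)
        return ("unknown", None)


def obtain_service_ticket(kdcs: dict, home_realm: str, service: str, max_hops: int = 5):
    """Client side of the referral model: start at the home realm and follow
    referrals. Returns (realms visited, realm that issued the ticket or None).
    max_hops guards against a misconfigured KDC pair referring in a loop."""
    path, realm = [home_realm], home_realm
    for _ in range(max_hops):
        kind, nxt = kdcs[realm].tgs_req(service)
        if kind == "ticket":
            return path, realm
        if kind != "referral":
            return path, None
        realm = nxt
        path.append(realm)
    return path, None


SERVICE = "host/test_w2kserver.lara.example"   # constructed FQDN for the thread's host


def sample_kdcs(home_kdc_issues_referrals: bool) -> dict:
    """Build the two realms from the thread; the flag models whether the
    home KDC (LARA_HMD) hands out cross-realm referrals."""
    home_services = {"host/hmd1.lara.example": "LARA_HMD", SERVICE: "LARA_W2K"}
    return {
        "LARA_HMD": Kdc("LARA_HMD", home_services,
                        ["LARA_W2K"] if home_kdc_issues_referrals else []),
        "LARA_W2K": Kdc("LARA_W2K", {SERVICE: "LARA_W2K"}, []),
    }


if __name__ == "__main__":
    print(default_realm_for_host("test_w2kserver.lara.example"))
    print(realm_for_host("test_w2kserver.lara.example", {".lara.example": "LARA_W2K"}))
    print(obtain_service_ticket(sample_kdcs(True), "LARA_HMD", SERVICE))
    print(obtain_service_ticket(sample_kdcs(False), "LARA_HMD", SERVICE))
```

Running it shows the two failure modes discussed in the thread: with the traditional rule alone the client would guess `LARA.EXAMPLE` rather than either real realm, so the `[domain_realm]` table is what makes the guess right; in the referral model the same request succeeds only when the home KDC actually issues the cross-realm TGT, and a KDC that answers "unknown" leaves the client with no path to the service. The hop limit is worth keeping in any real referral-following client so that two KDCs pointing at each other cannot make it loop.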
