Problem with cross-realm authentication (Kerberos Realm & Win2Kdomain)
Lara Adianto
m1r4cle_26 at yahoo.com
Thu Apr 1 02:56:35 EST 2004
Thank you for pointing that out, Jeff!!
But a little correction: Heimdal does support
cross-realm referral.
Cheers,
lara
--- Jeffrey Hutzelman <jhutz at cmu.edu> wrote:
>
> On Tuesday, March 30, 2004 06:13:20 -0800 Lara Adianto
> <m1r4cle_26 at yahoo.com> wrote:
>
> > I have a doubt on the following line:
> > Target Name: HOST/Test_w2kserver@DSSSASIA.COM
> > Shouldn't the client send a TGS_REQ for HOST/Test_w2kserver@LARA_W2K
> > instead?
> >
> > But if my doubt is correct, how can the client know that test_w2kserver
> > is in LARA_W2K realm and not LARA_HMD?
>
> In the traditional scenario, services are named using principal names like
> service/fully.qualified.domain.name, where <service> could be "host" or
> some more specific name, depending on what service you're talking to. The
> default assumption is that the realm of such a service is computed by
> dropping the first component of the host's fully qualified name, and
> upcasing the rest. So service/fully.qualified.domain.name would be in the
> realm QUALIFIED.DOMAIN.NAME. Each client then has a configuration file
> which describes variations on and exceptions to this algorithm.
>
> Microsoft chose a different approach, the main intent of which is to
> concentrate service-to-realm mappings in the KDC's, eliminating the need to
> distribute a complex configuration file to every client. In this model, a
> client always starts by assuming the service is in the user's home realm,
> and thus sends a TGS request to the user's home KDC. If the service
> actually is in that realm, it gets a ticket back. If not, the KDC is
> expected to send a cross-realm referral, in the form of a cross-realm TGT
> for the correct realm (or at least another realm that's "closer" to the
> correct realm).
>
> The main problem you're seeing is that the heimdal KDC does not issue
> cross-realm referrals. As a result, you cannot contact any service not in
> your home realm.
>
> If your client machine is a member of the LARA_W2K domain, then it is
> possible under certain circumstances to convince it that it should try
> sending requests to that realm as well. I'm not familiar with exactly what
> needs to be done, but I'd hope the Microsoft Kerberos interop document
> would cover this case.
>
> Good luck...
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
>
=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
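The two service-to-realm strategies Jeff contrasts in his quoted reply (the traditional client-side mapping with its configuration-file exceptions, and the Microsoft-style home-KDC-first request with referral chasing) are easy to confuse in a mixed Heimdal/Windows setup, so here is a small simulation of both. This is an added illustration, not code from the thread, from Heimdal or from Microsoft; every realm, host name and KDC in it is constructed, the `[domain_realm]`-style matching (exact host entry first, then longest matching `.suffix`) is an assumption about how such a client file is consulted, and the KDC model is a deliberately simplified toy rather than a real TGS exchange.

```python
"""Toy model of service-to-realm resolution: traditional client-side
mapping versus Microsoft-style KDC referrals. Added illustration, not
code from the thread; all names below are constructed."""

from dataclasses import dataclass


def default_realm_for_host(fqdn: str) -> str:
    """Traditional default rule: drop the first label of the host's fully
    qualified name and upcase the rest."""
    labels = fqdn.strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified host name: {fqdn!r}")
    return ".".join(labels[1:]).upper()


def client_realm_for_host(fqdn: str, domain_realm: dict) -> str:
    """Client-side lookup modelled on a krb5.conf-style [domain_realm] map
    (assumption: exact host entry wins, then the longest matching '.suffix'
    entry), falling back to the default rule when nothing matches."""
    host = fqdn.lower().strip(".")
    if host in domain_realm:
        return domain_realm[host]
    suffixes = [k for k in domain_realm if k.startswith(".") and host.endswith(k)]
    if suffixes:
        return domain_realm[max(suffixes, key=len)]
    return default_realm_for_host(host)


@dataclass
class Kdc:
    """Constructed KDC: knows its own hosts, other hosts' realms, and which
    realm it would refer a client to on the way to a given target."""
    realm: str
    local_hosts: set      # hosts with a service principal in this realm
    host_realm: dict      # KDC-side knowledge of other hosts' realms
    next_hop: dict        # target realm -> realm we hold a cross-realm key for
    issues_referrals: bool = True

    def tgs_request(self, service_principal: str):
        """Answer a TGS-REQ for 'HOST/fqdn'. Returns ('ticket', realm),
        ('referral', next_realm) or ('error', reason)."""
        _, _, host = service_principal.partition("/")
        host = host.lower()
        if host in self.local_hosts:
            return ("ticket", self.realm)
        target = self.host_realm.get(host)
        if not self.issues_referrals or target is None:
            # A KDC without referral support (the Heimdal behaviour Jeff
            # describes) can only say it does not know the principal.
            return ("error", "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN")
        # Refer to the target realm if we trust it directly, otherwise to
        # the next realm along our trust path ("closer" to the target).
        return ("referral", self.next_hop.get(target, target))


def resolve_by_referral(kdcs: dict, home_realm: str, service_principal: str,
                        max_hops: int = 4):
    """Microsoft-style client: always ask the home KDC first and follow
    cross-realm referrals. Returns (issuing realm, realms visited)."""
    realm, visited = home_realm, [home_realm]
    for _ in range(max_hops):
        kind, value = kdcs[realm].tgs_request(service_principal)
        if kind == "ticket":
            return value, visited
        if kind == "error":
            raise LookupError(f"{realm}: {value}")
        if value in visited:
            raise LookupError(f"referral loop via {value}")
        realm = value
        visited.append(realm)
    raise LookupError("too many referral hops")


# Constructed three-realm topology: HOME trusts WIN directly and reaches
# FAR only through WIN.
HOME = "LARA.HMD.EXAMPLE"
WIN = "LARA.W2K.EXAMPLE"
FAR = "FAR.EXAMPLE"
HOST_REALM = {"test-w2kserver.lara.w2k.example": WIN,
              "fileserver.far.example": FAR}


def build_kdcs(heimdal_style: bool = False) -> dict:
    """heimdal_style=True makes the home KDC refuse to issue referrals."""
    return {
        HOME: Kdc(HOME, {"kdc.lara.hmd.example"}, HOST_REALM, {FAR: WIN},
                  issues_referrals=not heimdal_style),
        WIN: Kdc(WIN, {"test-w2kserver.lara.w2k.example"}, HOST_REALM, {}),
        FAR: Kdc(FAR, {"fileserver.far.example"}, HOST_REALM, {}),
    }


if __name__ == "__main__":
    print(default_realm_for_host("test-w2kserver.lara.w2k.example"))
    print(resolve_by_referral(build_kdcs(), HOME, "HOST/fileserver.far.example"))
```

Running it shows the contrast: the traditional rule maps the host to a realm before any request is sent (and a deep host name such as `odd.host.lara.hmd.example` needs a `.lara.hmd.example` exception or it lands in a realm that does not exist), while the referral client never consults a map at all and simply follows the home KDC's hops, which is exactly what stops working when that home KDC answers with an error instead of a referral.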