Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...
Kevin Coffman
kwc at citi.umich.edu
Thu Apr 8 09:32:31 EDT 2004
We needed this referral support in our environment (using an MIT KDC
for initial authentication to Windows). We started with a patch
reported to have originated at Microsoft. It simply sent all referrals
off to a domain specified in krb5.conf. We needed to support two
Windows forests so we added code to use the service name to determine
the correct destination for the referral. Our patch uses a new
'domain_referral' stanza in the krb5.conf file.
This left the problem of short names, which give no clue as to which
domain the referral should go. We punted on this issue. In the case of
a short name, we send the referral to the "default" domain. In our
case, the default domain is our production forest, rather than our test
forest. I haven't heard of any complaints. An alternative would be to
have another mapping of short names to referral domain.
See http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html for more
info.
K.C.
> Hello,
>
> Quoting from the paper of Michael Swift, Irina
> Kosinovsky and Jonathan Trostle titled Implementation
> of Crossrealm Referral Handling in the MIT Kerberos
> Client:
>
> "The Windows 2000 client does not canonicalize names
> at all, so the short name is sent to the KDC."
>
> Hence, if my understanding is correct, a request for
> service: host/service-name.foo.org will be sent to MIT
> Kerberos KDC as host/service-name at KERBEROS.REALM and
> not as host/service-name.foo.org at KERBEROS.REALM
>
> How does MIT Kerberos determine the appropriate realm
> to be used in issuing a referral ticket for the
> client's request? DNS? Krb5.conf? Does this mean
> that every service-name must have an entry in the DNS
> or Krb5.conf? For example:
> serviceA = realmA
> serviceB = realmB
> Coz I think the KDC doesn't have any clue of the
> domain of the service, only the service-name...
>
> Thanks in advance,
> -lara-
>
> =====
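The referral selection Kevin describes above (service name decides the destination forest, short names fall back to a default domain) as an added illustration; this is not the CITI patch's code, and the key = value layout of the `[domain_referral]` stanza, the realm names and the principals are constructed for the example:

```python
# Constructed sample in the spirit of the 'domain_referral' stanza described
# in the post. The exact syntax of the CITI patch is NOT given on the page, so
# this "suffix = realm" layout is an assumption made for illustration only.
SAMPLE_CONFIG = """
[domain_referral]
    default = PROD.EXAMPLE.COM
    .prod.example.com = PROD.EXAMPLE.COM
    .test.example.com = TEST.EXAMPLE.COM
"""


def parse_domain_referral(text):
    """Return (default_realm, {dns_suffix: realm}) from the stanza text."""
    default, mapping, in_section = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_referral]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "default":
            default = value
        else:
            mapping[key.lower()] = value
    return default, mapping


def referral_realm(principal, default, mapping):
    """Choose the Windows domain a referral for `principal` should go to.

    `principal` looks like 'host/name.foo.org@KERBEROS.REALM'. A short
    (unqualified) instance carries no domain information, so it is sent to
    the default domain, exactly the "punt" the post describes. Among the
    configured DNS suffixes the longest match wins; no match also falls back
    to the default rather than failing the request.
    """
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return default                  # no instance component at all
    host = name.split("/", 1)[1].lower()
    if "." not in host:
        return default                  # short name: no clue which forest
    best = None
    for suffix, realm in mapping.items():
        if host.endswith(suffix) and (best is None or len(suffix) > len(best[0])):
            best = (suffix, realm)
    return best[1] if best else default
```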