Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...

Lara Adianto m1r4cle_26 at yahoo.com
Fri Apr 9 11:59:08 EDT 2004


I've tried that before...
It does work when this machine sends an AS-REQ and TGS-REQ to its KDC.
But when another machine wants to access this machine, that machine
still sends the TGS-REQ with the short name because it has no idea of the full name of the machine it wants to access...

Mark Campbell <mcc171 at psu.edu> wrote:

I have seen this. The way I fixed it is to make sure the Windows client
is appending the proper DNS suffix. If you right-click My Computer, go to
Properties, then Computer Name, then Change, then More, you can see what DNS
suffix the system is appending. Change it to what you want and try again.
I have tried this on XP and 2k3, not 2k, but please let me know if it
works.


Mark Campbell
Systems Analyst, Advanced Information Technologies
Information Technology Services
The Pennsylvania State University
mcc171 at psu.edu, 814-865-4774

On Wed, 7 Apr 2004, Lara Adianto wrote:

> Hello,
>
> Quoting from the paper of Michael Swift, Irina
> Kosinovsky and Jonathan Trostle titled Implementation
> of Crossrealm Referral Handling in the MIT Kerberos
> Client:
>
> "The Windows 2000 client does not canonicalize names
> at all, so the short name is sent to the KDC."
>
> Hence, if my understanding is correct, a request for
> the service host/service-name.foo.org will be sent to the MIT
> Kerberos KDC as host/service-name@KERBEROS.REALM and
> not as host/service-name.foo.org@KERBEROS.REALM
>
> How does MIT Kerberos determine the appropriate realm
> to be used in issuing a referral ticket for the
> client's request? DNS? krb5.conf? Does this mean
> that every service-name must have an entry in DNS
> or krb5.conf? For example:
> serviceA = realmA
> serviceB = realmB
> Because I think the KDC doesn't have any clue of the
> domain of the service, only the service-name...
>
> Thanks in advance,
> -lara-
>
> =====
> ------------------------------------------------------------------------------------
> La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
> - Guy de Maupassant -
> ------------------------------------------------------------------------------------
>



------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------
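The [domain_realm] lookup that Lara asks about, modelled in Python as an added example (this is not code from the thread, from the cited paper, or from MIT krb5 itself). It assumes a constructed krb5.conf fragment; the function and realm names (KERBEROS.REALM, REALMB, serviceA, serviceB, foo.org) are taken from her message or invented for illustration. The point it makes is the one both replies circle around: the mapping is a suffix match on the host component, so a bare short name can only ever hit an explicit entry, while appending the DNS suffix on the client (Mark's fix) lets the ordinary ".foo.org" rule apply. MIT's KDC consults the same mapping (plus DNS, if dns_lookup_realm is enabled) when deciding whether it can refer a host-based principal it does not hold, which is why the short name leaves it with nothing to go on.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed krb5.conf fragment for this example (not from the thread).
# serviceB has an explicit short-name entry, as Lara's message proposes;
# serviceA deliberately does not.
KRB5_CONF = """
[libdefaults]
    default_realm = KERBEROS.REALM

[domain_realm]
    .foo.org = KERBEROS.REALM
    foo.org = KERBEROS.REALM
    .bar.org = REALMB
    serviceB = REALMB
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for flat 'key = value' sections of a krb5.conf.
    Sufficient for [libdefaults] and [domain_realm]; nested braces are
    not handled.  Keys are lower-cased because host names are case-insensitive."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


CONF = parse_krb5_conf(KRB5_CONF)


def realm_for_host(hostname: str, conf: Dict[str, Dict[str, str]] = CONF) -> Optional[str]:
    """Host-to-realm mapping via [domain_realm] in the documented order:
    the full host name first, then each parent domain with a leading dot,
    longest first.  Returns None when nothing matches; the real library would
    then try DNS (if enabled) or fall back to default_realm.  A bare short
    name has no parent domains, so it can only hit an exact entry."""
    domain_realm = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def referral_realm(service_principal: str, conf: Dict[str, Dict[str, str]] = CONF) -> Optional[str]:
    """Model of what a KDC needs in order to refer a TGS-REQ for a host-based
    principal it does not hold: take the host component (second component of
    host/<name>@REALM) and ask the same mapping which realm owns it."""
    name, _, _realm = service_principal.partition("@")
    parts = name.split("/")
    if len(parts) != 2:
        return None  # not a host-based principal; nothing to map
    return realm_for_host(parts[1], conf)


def resolve_with_suffix(hostname: str, dns_suffix: str,
                        conf: Dict[str, Dict[str, str]] = CONF) -> Tuple[Optional[str], str]:
    """Mark's fix, modelled client-side: qualify an unqualified name with the
    configured DNS suffix before the lookup.  Returns (realm, name_used)."""
    if "." not in hostname and dns_suffix:
        hostname = f"{hostname}.{dns_suffix.strip('.')}"
    return realm_for_host(hostname, conf), hostname


if __name__ == "__main__":
    for p in ("host/service-name.foo.org@KERBEROS.REALM",
              "host/db.bar.org@KERBEROS.REALM",
              "host/serviceB@KERBEROS.REALM",
              "host/serviceA@KERBEROS.REALM"):
        print(f"{p:45} -> {referral_realm(p)}")
    print(resolve_with_suffix("serviceA", "foo.org"))
```

Run it and the last principal comes back as None: without either an explicit "serviceA = ..." entry or a client that appends its DNS suffix, there is nothing in the configuration that ties the short name to a realm.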

------------------------------------------------------------------------------------

Re: Windows with MIT krb5 and OpenLDAP

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Apr 9 17:32:36 GMT 2004

Windows 2000 and XP workstations can be configured to authenticate
against an MIT KDC directly and then map the Kerberos principal
to a local account.  Or you can set up a cross-realm relationship
between the MIT KDC and a Windows 2003 Server, which will allow
you to use the MIT KDC for authentication while providing access
to Windows account profile data within the Windows Active Directory.

There are certainly plenty of people who have used a Windows Domain
in conjunction with the OpenAFS client.  The latest OpenAFS clients
(1.3.63 and higher) integrate with MIT Kerberos for Windows to provide
access to AFS Tokens via Kerberos 5 (without the need for a krb524d).
When used with the OpenAFS integrated logon, credentials can be obtained
prior to account profile access.  This allows the home directory to be
mapped by the Active Directory to a UNC path \\AFS\cellname\path...
which can contain the user's profile and Documents and Settings folders.

I do not know how you would use OpenLDAP in place of the Windows
Active Directory.  I suggest you ask that question on an OpenLDAP
mailing list.

Jeffrey Altman


Sensei wrote:
> Hi.
> 
> I've built an AFS cell, a Kerberos KDC and an OpenLDAP server, all
> kerberized. Now all Linux clients can log in on the cell using K5
> authentication, finding information about their home dirs with LDAP.
> Their homes reside on the AFS cell, which allows r/w access since it
> releases a token from the K5 ticket. All Mac OS X clients can log in as
> well... but what about Windows? ^___^;;;
> 
> Has anyone handled remote authentication with an MIT KDC and OpenLDAP?
> 
> I know I can set up an AD server, but this means creating other settings on
> another server, and keeping everything up to date between the KDC and AD can
> be really mad... Moreover, I didn't find anything about AFS home
> directories, and all the users should mount their AFS homes...
> 
> Any hint?
> 

