MIT/Win2k/XP Kerberos trust relationship bug?

Wachdorf, Daniel R drwachd at sandia.gov
Tue Jul 13 22:35:10 EDT 2004


Actually, keeping the passwords in sync seems to be the best route, if
you use the Michigan referral patch in the KDC.  You get Windows SSPI to
other MIT realms (Windows SSPI can't do the domain-to-realm mappings for
non-Windows realms) and NTLM still works.

-----Original Message-----
From: Rodney M Dyer
To: Wachdorf, Daniel R; 'Brian Davidson'; kerberos at mit.edu
Sent: 7/13/2004 6:58 PM
Subject: RE: MIT/Win2k/XP Kerberos trust relationship bug?

At 05:19 PM 7/13/04, Wachdorf, Daniel R wrote:
>Sorry, I misspoke earlier, I do notice similar behavior, but once I access
>anything requiring Kerberos (SPNEGO) I get tickets.
>
>I do notice that I don't get CIFS tickets, which may be the bug that Rodney
>referred to.  If you unsync the passwords between the MIT realm and the AD
>realm, NTLM won't ever work, it forces Kerberos.

Which...is the point of using a trust relationship.  If you use the same
passwords on both systems then you need some way to keep them in
sync...which makes the point of the trust almost moot.  Our AD server
database contains random characters for the user passwords.  We have a
process that sets the passwords to random characters when the account is
created.  No user knows their own AD password.  We use the trust
exclusively.

It is a pain in the !@#$ that NTLM will never work with the trust for user
machines accessing services off the AD that aren't members of the
domain.  And this also causes Exchange 2003 Kerberos features to break
because most of the Exchange service connectors don't understand how to
authenticate the user on the server side using the trust.

So while setting up your AD to trust a third-party Kerberos KDC might seem
like a good thing...it certainly has generated a number of issues in the
wake, Brian's included.  Frankly, I don't think Microsoft gives much of a
hoot about the few people who've set up their environment like this.  They
haven't updated their Kerberos interoperability guide in over 4
years.  Brian's problem sounds just like the one I had.  It took quite a
bit of network snooping and investigation to find it.

Btw Jeff, it was Todd Stecher who handled this problem.

Rodney

>-dan
>
> > -----Original Message-----
> > From: Brian Davidson [mailto:bdavids1 at gmu.edu]
> > Sent: Tuesday, July 13, 2004 12:39 PM
> > To: kerberos at mit.edu
> > Subject: Re: MIT/Win2k/XP Kerberos trust relationship bug?
> >
> > Yes, this is what I'm talking about.  I see this issue on every single
> > Windows XP system I've tried it on (quite a few).
> >
> > When I unlock the workstation, I have a TGT for the MIT realm, and a
> > host ticket for the AD realm.  All other AD tickets are gone, including
> > the cross-realm TGT for the AD and the LDAP and CIFS tickets from the
> > AD realm.
> >
> > What's even more troubling is that sometimes I still can access some
> > shares, even without a ticket.  But that's a separate issue...
> >
> > Brian
> >
> > On Jul 13, 2004, at 2:27 PM, Wachdorf, Daniel R wrote:
> >
> > > Are you talking about a login using the Windows GINA and typing in
> > > username at MIT.REALM?  Which then uses the trust between MIT.REALM and
> > > ACTIVEDIRECTORY.REALM?
> > >
> > > When I run that, I don't have the problem.  I can lock my XP box fine,
> > > come back and I still have my TGT for mit.realm and the cross-realm
> > > ticket for activedirectory.realm.  Further requests for tickets work fine.
> > >
> > > -dan
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos