AW: Windows AD and MIT KDC Cross-Realm Trust

Schikora, Dominik schikora at hrz.uni-siegen.de
Fri Jul 23 09:19:47 EDT 2004


Hi

> > We managed to achieve that a user with a mapped principal can log in on a
> > client in the AD with the MIT realm principal and password. He gets a
> > TGT for the MIT realm and one for the AD 2003 domain. But if the same
> > user logs in on a client in the AD with the principal and password from
> > the AD domain he only gets a TGT for the AD domain.
> 
> Yes, that would be normal, see below.
> 
> > If he tries to use a service in the MIT realm he gets an error from the
> > AD 2003 domain controller "KDC_S_Principal_unknown".
> 
> Sounds like the client lib is assuming the service is in the user's realm.
> 
> The client has to determine the realm of the service.
> 
> If the client lib is the Microsoft lib, and the KDC is the AD, then
> "referrals" might work, as the wrong KDC can refer the client to some
> other realm. But referrals only work within the domain forest, as the AD
> does not know about the MIT realm and the servers registered there.
> (Referrals are not standard yet.) If the client lib is MIT, the client
> will try and use the krb5.conf [domain_realm] section or DNS domain name
> to determine the realm of the service.
> 
> Once the client lib realizes the service is in another realm from the
> user, it will use the user's TGT to get the cross-realm TGT, which it
> will then use to get the service ticket.
> 
> > The problem is that the user doesn't get a cross-realm ticket from the
> > MIT realm if he logs in as a user at the AD2003 domain.
> 
> See above, it will only ask for a cross-realm TGT if it needs to get a
> service ticket from that realm.
> 

Thanks for the quick response.
Now I have installed the Kerberos for Windows 2.6.4 tools and configured the
krb5.ini file with the [domain_realm] stanza like this:

[domain_realm]
.ad2003test.local = AD2003TEST.LOCAL
ad2003test.local = AD2003TEST.LOCAL
.unix.realm.local = UNIX.REALM.LOCAL
unix.realm.local = UNIX.REALM.LOCAL

If I log in with the AD domain user name and password and try to use a
resource in the MIT Kerberos realm (UNIX.REALM.LOCAL), I get a cross-realm
TGT from the AD KDC and then service tickets from the MIT KDC. I figured
out that this is because the ssh client (PuTTY 0.53 with patch) uses the
MIT SSPI plug-in. So the cross-realm trust has to be set up correctly.

I also read about Kerberos referrals in the O'Reilly Kerberos book, so I
think there could be two sources of errors.

First, the AD KDC doesn't issue a cross-realm TGT if it does not find the
service in its Kerberos database. The question is why not, and how it
chooses which service is in which realm. DNS lookup?

Second, the ssh client does not know how to handle the response from
the AD KDC.

Thanks

Dominik
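The realm-determination step the quoted reply describes (client consults [domain_realm], then fetches a cross-realm TGT only when the service lives elsewhere), worked through against the stanza posted above. This is an added Python example, not code from the original message or from any Kerberos implementation; the host names fed to it are constructed, and the service principal form host/<fqdn> is an assumption.

```python
"""Resolve a service host to a Kerberos realm via a [domain_realm] stanza and
derive the ticket requests a client must make starting from the user's TGT.

Added example: not code from the original message or from any Kerberos
implementation. The stanza is the one posted in the message; the host names
fed to it are constructed. Matching order (exact host first, then each parent
domain with a leading dot, longest suffix first) follows the documented MIT
krb5 [domain_realm] behaviour. Assumptions: the service principal is of the
form host/<fqdn>, and an unmapped host yields None ("realm unknown").
"""
import configparser
from typing import Dict, List, Optional, Tuple

# The [domain_realm] stanza from the message, embedded inline.
KRB5_INI = """
[domain_realm]
.ad2003test.local = AD2003TEST.LOCAL
ad2003test.local = AD2003TEST.LOCAL
.unix.realm.local = UNIX.REALM.LOCAL
unix.realm.local = UNIX.REALM.LOCAL
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Return {domain-or-host (lowercased): REALM} from krb5.ini/krb5.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the leading dot and exact spelling of each key
    cp.read_string(text)
    return {key.lower(): realm.strip() for key, realm in cp["domain_realm"].items()}


def host_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Map a service host to its realm, or None if no entry covers it."""
    host = host.lower().rstrip(".")
    if host in mapping:  # an exact host entry beats any domain entry
        return mapping[host]
    labels = host.split(".")
    # Parent domains, longest first: ".a.b.c", then ".b.c", then ".c".
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no mapping: client must fall back to DNS or a KDC referral


def ticket_requests(user_realm: str, service_host: str,
                    mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """List the (KDC realm asked, principal requested) pairs, in order.

    A same-realm service needs one TGS request to the user's own KDC. A
    service in another realm first needs the cross-realm TGT
    krbtgt/TARGET@USER_REALM from the user's KDC, which is then presented to
    the target realm's KDC for the service ticket.
    """
    target = host_realm(service_host, mapping)
    if target is None:
        return []  # realm unknown: nothing sensible to request yet
    service = f"host/{service_host.lower().rstrip('.')}"  # assumed SPN form
    if target == user_realm:
        return [(user_realm, f"{service}@{user_realm}")]
    return [
        (user_realm, f"krbtgt/{target}@{user_realm}"),
        (target, f"{service}@{target}"),
    ]


if __name__ == "__main__":
    realms = parse_domain_realm(KRB5_INI)
    for user_realm, host in [("AD2003TEST.LOCAL", "sshhost.unix.realm.local"),
                             ("AD2003TEST.LOCAL", "fileserver.ad2003test.local"),
                             ("AD2003TEST.LOCAL", "host.example.com")]:
        print(user_realm, "->", host, ":", ticket_requests(user_realm, host, realms))
```

Reading the output against the thread: with the stanza in place, an MIT-based client logged in as an AD2003TEST.LOCAL user asks the AD KDC for krbtgt/UNIX.REALM.LOCAL@AD2003TEST.LOCAL before it ever talks to the MIT KDC. If the AD KDC has no trust entry for that realm, that first request is where the failure shows up; a host that matches no [domain_realm] entry never reaches that step and is left to DNS or referrals.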
