Re: Windows AD and MIT KDC Cross-Realm Trust

Douglas E. Engert deengert at anl.gov
Fri Jul 23 10:31:59 EDT 2004



"Schikora, Dominik" wrote:
> 
> HI
> 
> > > We managed to achieve that a user with a mapped principal can
> > > log in on a client in the AD with the MIT realm principal and
> > > password. He gets a TGT for the MIT realm and one for the AD 2003
> > > domain. But if the same user logs in on a client in the AD with the
> > > principal and password from the AD domain, he only gets a TGT for
> > > the AD domain.
> >
> > Yes that would be normal, see below.
> >
> > > If he tries to use a
> > > service in the MIT realm he gets an error from the AD 2003 Domain
> > > Controller "KDC_S_Principal_unknown".
> >
> > Sounds like the client lib is assuming the service is in the
> > user's realm.
> >
> > The client has to determine the realm of the service.
> >
> > If the client lib is the Microsoft lib, and the KDC is the
> > AD, then "referrals"
> > might work as the wrong KDC can refer the client to some other realm.
> > But referrals only work within the domain forest, as the AD
> > does not know about the MIT realm and the servers registered there.
> > (Referrals are not standard yet.) If the client lib is MIT,
> > the client will try and use the krb5.conf [domain_realm]
> > section or DNS domain name to determine the realm of the service.
> >
> > Once the client lib realizes the service is in another realm
> > from the user, it will use the user's TGT to get the cross-realm
> > TGT, which it will use to get the service ticket.
> >
> > > The problem is that the user doesn't get a cross-realm ticket from the
> > > MIT realm if he logs in as a user of the AD2003 domain.
> >
> > See above, it will only ask for a cross realm TGT if it needs
> > to get a service ticket from that realm.
> >
> 
> Thanks for the quick response.
> Now I have installed the Kerberos for Windows 2.6.4 tools and configured
> the krb5.ini file with a [domain_realm] stanza like:
> 
> [domain_realm]
> .ad2003test.local = AD2003TEST.LOCAL
> ad2003test.local = AD2003TEST.LOCAL
> .unix.realm.local = UNIX.REALM.LOCAL
> unix.realm.local = UNIX.REALM.LOCAL
> 
> If I log in with the AD domain user name and password and try to use a
> resource in the MIT Kerberos realm (UNIX.REALM.LOCAL), I get a cross-realm
> TGT from the AD KDC and then service tickets from the MIT KDC. I figured
> out that this is because the ssh client (PuTTY 0.53 with patch) uses the
> MIT SSPI plug-in. So the cross-realm trust has to be set up correctly.
> 
> I also read about Kerberos referrals in the O'Reilly Kerberos book, so I
> think there could be two sources of errors:
> 
> First, the AD KDC doesn't issue a cross-realm TGT if it does not find the
> service in its Kerberos database. The question is why not, and how it
> chooses which service is in which realm. DNS lookup?

I believe the AD uses the Forest's Global Catalog, or some other forest
to forest protocol. But note that this is MS only. It is not clear if the AD
has a way to refer you to a KDC outside the MS world.

> 
> Second, the ssh client does not know how to handle the response from
> the AD KDC.

As I said, referrals are not yet part of the standard. Microsoft has
implemented their version. The IETF krb-wg is reviewing this.

 
> 
> Thanks
> 
> Dominik

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
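The thread turns on two things the MIT client library does before it ever talks to a KDC: it maps the service's hostname to a realm through the krb5.ini [domain_realm] stanza, and only when that realm differs from the user's does it ask the user's own KDC for a cross-realm TGT (krbtgt/SERVICE-REALM@CLIENT-REALM) to present to the other KDC. The following is an added example, not code from the post or from MIT krb5: it parses the exact [domain_realm] stanza Dominik posted and walks through both cases. The hostnames sshhost.unix.realm.local and dc1.ad2003test.local are constructed for the example; the lookup order (exact hostname first, then each parent domain with a leading dot, most specific first) is a simplified model of the library's behaviour, and a direct trust between the two realms is assumed (no [capaths]).

```python
"""Resolve a service host to a Kerberos realm via krb5.ini [domain_realm]
and derive the TGS-REQ sequence a client needs (added example; simplified
model of the MIT krb5 lookup, not the library's own code)."""

from typing import Dict, List, Optional, Tuple

# Constructed sample krb5.ini: the [domain_realm] stanza from the post plus a
# [libdefaults] section so the parser has to skip an unrelated stanza.
KRB5_INI = """\
[libdefaults]
    default_realm = AD2003TEST.LOCAL

[domain_realm]
    .ad2003test.local = AD2003TEST.LOCAL
    ad2003test.local = AD2003TEST.LOCAL
    .unix.realm.local = UNIX.REALM.LOCAL
    unix.realm.local = UNIX.REALM.LOCAL
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Return the [domain_realm] relations as {host_or_domain: REALM}.
    Keys are lower-cased because DNS names are case-insensitive; realm
    names keep their case because Kerberos realms are case-sensitive."""
    mapping: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Lookup order (assumed model): the exact host, then each parent domain
    prefixed with '.', most specific first.  None means no mapping applies,
    which is the situation in which the client has no idea of the realm
    and falls back to guessing or to a referral."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def tgs_request_path(client_realm: str, service_host: str,
                     mapping: Dict[str, str],
                     service: str = "host") -> List[Tuple[str, str]]:
    """Return the sequence of TGS-REQs as (KDC realm asked, principal asked).

    Same realm: one request to the user's KDC for the service ticket.
    Other realm: first ask the user's KDC for the cross-realm TGT
    krbtgt/SERVICE-REALM@CLIENT-REALM, then present it to the other KDC
    for the service ticket (direct trust assumed, no [capaths])."""
    realm = host_realm(service_host, mapping)
    if realm is None:
        raise LookupError(f"no [domain_realm] mapping for {service_host}")
    principal = f"{service}/{service_host.lower()}@{realm}"
    if realm == client_realm:
        return [(client_realm, principal)]
    return [(client_realm, f"krbtgt/{realm}@{client_realm}"),
            (realm, principal)]


if __name__ == "__main__":
    m = parse_domain_realm(KRB5_INI)
    # AD user (constructed) using ssh to a host in the MIT realm: two hops.
    for kdc, princ in tgs_request_path("AD2003TEST.LOCAL",
                                       "sshhost.unix.realm.local", m):
        print(f"TGS-REQ to {kdc} KDC for {princ}")
    # Same user talking to a DC in its own realm: one hop.
    print(tgs_request_path("AD2003TEST.LOCAL", "dc1.ad2003test.local", m))
```

The second hop only happens because the [domain_realm] lookup returned UNIX.REALM.LOCAL; with no mapping for the host the function raises, which mirrors the original symptom of the client asking the AD KDC for a principal it does not know. Adding the two unix.realm.local relations is what turns that failure into the cross-realm path.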