Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...

Kevin Coffman kwc at citi.umich.edu
Tue Jun 1 09:33:42 EDT 2004


Lara,
No, the current patch does not address the problem of issuing referrals 
to different domains for requests with short names.  It would require 
another config file, or modifications to the code handling 
[domain_referral] as you attempted.  As I said, we just punted and send 
all short-name requests to the "default" referral realm.

If you write something, let me know :-)

K.C.

> Hi Kevin,
> 
> I've managed to apply your patch (Thank you so much),
> and by adding referral_realm to realms stanza, it
> works !! 
> 
> But if I have many different hosts from different
> realms, I can't just send them all to a default
> referral realm !! I need to resolve the correct realm
> for each host, is this possible using your patch ?
> 
> can the domain_referral stanza be used to solve the
> short-names sent by windows client ? For example:
> [domain_referral]
>  Test_w2kserver = LARASARI.COM
>  Testw2k8 = TEST.COM
> I've tried but it didn't work. Well, just want to
> confirm with you...
> 
> Thank you once again,
> lara
> 
> --- Kevin Coffman <kwc at citi.umich.edu> wrote:
> > We needed this referral support in our environment
> > (using an MIT KDC 
> > for initial authentication to Windows).  We started
> > with a patch 
> > reported to have originated at Microsoft.  It simply
> > sent all referrals 
> > off to a domain specified in krb5.conf.  We needed
> > to support two 
> > Windows forests so we added code to use the service
> > name to determine 
> > the correct destination for the referral.  Our patch
> > uses a new 
> > 'domain_referral' stanza in the krb5.conf file.
> > 
> > This left the problem of short names, which give no
> > clue as to which 
> > domain the referral should go.  We punted on this
> > issue. In the case of 
> > a short name, we send the referral to the "default"
> > domain.  In our 
> > case, the default domain is our production forest,
> > rather than our test 
> > forest.  I haven't heard of any complaints.  An
> > alternative would be to 
> > have another mapping of short names to referral
> > domain.
> > 
> > See
> >
> http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html
> > for more 
> > info.
> >   
> > K.C.
> > 
> > > Hello,
> > > 
> > > Quoting from the paper of Michael Swift, Irina
> > > Kosinovsky and Johathan Trostle titled
> > Implementation
> > > of Crossrealm Referral Handling in the MIT
> > Kerberos
> > > Client:
> > > 
> > > "The Windows 2000 client does not canonicalize
> > names
> > > at all, so the short name is sent to the KDC." 
> > > 
> > > Hence, if my understanding is correct, a request
> > for
> > > service: host/service-name.foo.org will be sent to
> > MIT
> > > Kerberos KDC as host/service-name at KERBEROS.REALM
> > and
> > > not as host/service-name.foo.org at KERBEROS.REALM 
> > >  
> > > How does MIT Kerberos determine the appropriate
> > realm
> > > to be used in issuing a referral ticket for the
> > > client's request ? DNS ? Krb5.conf ? Does this
> > mean
> > > that every service-name must have an entry in the
> > DNS
> > > or Krb5.conf. For example:
> > > serviceA = realmA
> > > serviceB = realmB
> > > Coz I think the KDC doesn't have any clue of the
> > > domain of the service, only the service-name...
> > > 
> > > Thanks in advance,
> > > -lara-
> > > 
> > > =====
> > 
> 
> 
> =====
> ------------------------------------------------------------------------------------ 
> La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
>                                                                         - Guy de Maupassant -
> ------------------------------------------------------------------------------------
> 
> 
> 	
> 		
> __________________________________
> Do you Yahoo!?
> Friends.  Fun.  Try the all-new Yahoo! Messenger.
> http://messenger.yahoo.com/ 
> 




More information about the Kerberos mailing list