Problem with cross-realm authentication (Kerberos Realm & Win2Kdomain)
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Mar 30 09:33:55 EST 2004
On Tuesday, March 30, 2004 06:13:20 -0800 Lara Adianto
<m1r4cle_26 at yahoo.com> wrote:
> I have a doubt on the following line:
> Target Name: HOST/Test_w2kserver at DSSSASIA.COM
> Shouldn't the client send a TGS_REQ for
> HOST/Test_w2kserver at LARA_W2K instead ?
>
> But if my doubt is correct, how can the client know
> that test_w2kserver is in LARA_W2K realm and not
> LARA_HMD ?
In the traditional scenario, services are named using principal names like
service/fully.qualified.domain.name, where <service> could be "host" or
some more specific name, depending on what service you're talking to. The
default assumption is that the realm of such a service is computed by
dropping the first component of the host's fully qualified name, and
upcasing the rest. So service/fully.qualified.domain.name would be in the
realm QUALIFIED.DOMAIN.NAME. Each client then has a configuration file
which describes variations on and exceptions to this algorithm.
Microsoft chose a different approach, the main intent of which is to
concentrate service-to-realm mappings in the KDCs, eliminating the need to
distribute a complex configuration file to every client. In this model, a
client always starts by assuming the service is in the user's home realm,
and thus sends a TGS request to the user's home KDC. If the service
actually is in that realm, it gets a ticket back. If not, the KDC is
expected to send a cross-realm referral, in the form of a cross-realm TGT
for the correct realm (or at least another realm that's "closer" to the
correct realm).
The main problem you're seeing is that the heimdal KDC does not issue
cross-realm referrals. As a result, you cannot contact any service not in
your home realm.
If your client machine is a member of the LARA_W2K domain, then it is
possible under certain circumstances to convince it that it should try
sending requests to that realm as well. I'm not familiar with exactly what
needs to be done, but I'd hope the Microsoft Kerberos interop document
would cover this case.
Good luck...
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
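The two realm-resolution models contrasted in the reply above, worked through as an added example. This is illustrative code written for this page, not code from Heimdal, MIT Kerberos or Microsoft, and it does not speak the real protocol: the first half implements the traditional client-side rule (drop the host's first label, upcase the rest, then apply krb5.conf-style [domain_realm] exceptions); the second half is a toy model of the KDC-side referral scheme, including a KDC that, like the Heimdal KDC described, answers with an error instead of a referral. All realm names, host names, the service `host/fileserver.corp.example.com` and the exception table are constructed for the example.

```python
"""Kerberos service-to-realm resolution: traditional client-side mapping
versus KDC-side referrals.  Added illustrative code; every realm, host and
table below is constructed, not taken from the thread or any real deployment."""

from typing import Optional


# ---------- Traditional model: the client computes the realm ----------

def default_realm_for_host(fqdn: str) -> Optional[str]:
    """Default rule: drop the host's first label and upcase the remaining
    domain.  A bare hostname has no domain to map, so return None."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[1:]).upper()


def realm_for_host(fqdn: str, domain_realm: dict[str, str]) -> Optional[str]:
    """Resolve a host's realm the way a krb5.conf [domain_realm] table does:
    an exact host entry wins, then the longest matching ".domain" entry,
    otherwise the default rule.  Host names are compared case-insensitively."""
    host = fqdn.rstrip(".").lower()
    table = {k.lower(): v for k, v in domain_realm.items()}
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".a.b.c" before ".b.c" before ".c"
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return default_realm_for_host(fqdn)


# ---------- Microsoft-style model: the KDC issues referrals ----------

class KDC:
    """Toy KDC: knows the services it hosts, a domain-to-realm table, and the
    realms it holds cross-realm keys for (the only realms it can refer to)."""

    def __init__(self, realm, local_services, domain_realm, trusted_realms,
                 issues_referrals=True):
        self.realm = realm
        self.local_services = {s.lower() for s in local_services}
        self.domain_realm = domain_realm
        self.trusted_realms = set(trusted_realms)
        self.issues_referrals = issues_referrals   # False models the Heimdal KDC

    def tgs_req(self, service_principal: str):
        """Answer a TGS-REQ for 'svc/host' sent to this KDC on the assumption
        that the service is local.  Returns ('ticket', realm),
        ('referral', realm) or ('error', reason)."""
        if service_principal.lower() in self.local_services:
            return ("ticket", self.realm)
        if not self.issues_referrals:
            return ("error", "server principal unknown in " + self.realm)
        _, _, host = service_principal.partition("/")
        target = realm_for_host(host, self.domain_realm)
        if target is None or target == self.realm:
            return ("error", "no realm known for " + repr(host))
        if target in self.trusted_realms:
            return ("referral", target)

        # No direct trust: refer to the trusted realm sharing the longest
        # domain suffix with the target, i.e. the one "closer" to it.
        def shared_suffix_len(realm):
            a, b = realm.lower().split("."), target.lower().split(".")
            n = 0
            while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
                n += 1
            return n

        closer = max(self.trusted_realms, key=shared_suffix_len, default=None)
        if closer is None or shared_suffix_len(closer) == 0:
            return ("error", "no path to " + target)
        return ("referral", closer)


def resolve_via_referrals(home_realm, service_principal, kdcs, max_hops=5):
    """Client side: ask the home KDC first and follow cross-realm referral
    TGTs until a service ticket comes back.  Returns the realms contacted.
    Raises RuntimeError when a KDC answers with an error or the chain loops."""
    path = [home_realm]
    for _ in range(max_hops):
        kind, value = kdcs[path[-1]].tgs_req(service_principal)
        if kind == "ticket":
            return path
        if kind == "error":
            raise RuntimeError(f"{path[-1]} refused: {value}")
        if value in path:
            raise RuntimeError(f"referral loop via {value}")
        path.append(value)
    raise RuntimeError("referral chain too long")


# Constructed data: the service lives in W2K.EXAMPLE.COM even though the
# default rule would map its host to CORP.EXAMPLE.COM.
SERVICE = "host/fileserver.corp.example.com"
DOMAIN_REALM = {".corp.example.com": "W2K.EXAMPLE.COM"}


def demo_kdcs(direct_trust=True, home_issues_referrals=True):
    """Three constructed realms: the user's home realm, a parent realm, and
    the realm that actually hosts SERVICE."""
    home_trusts = {"W2K.EXAMPLE.COM"} if direct_trust else {"EXAMPLE.COM"}
    return {
        "HOME.EXAMPLE.COM": KDC("HOME.EXAMPLE.COM", ["host/dc1.home.example.com"],
                                DOMAIN_REALM, home_trusts, home_issues_referrals),
        "EXAMPLE.COM": KDC("EXAMPLE.COM", [], DOMAIN_REALM,
                           {"HOME.EXAMPLE.COM", "W2K.EXAMPLE.COM"}),
        "W2K.EXAMPLE.COM": KDC("W2K.EXAMPLE.COM", [SERVICE], DOMAIN_REALM,
                               {"EXAMPLE.COM"}),
    }


if __name__ == "__main__":
    print(realm_for_host("fileserver.corp.example.com", DOMAIN_REALM))
    print(resolve_via_referrals("HOME.EXAMPLE.COM", SERVICE, demo_kdcs()))
    print(resolve_via_referrals("HOME.EXAMPLE.COM", SERVICE, demo_kdcs(direct_trust=False)))
    try:
        resolve_via_referrals("HOME.EXAMPLE.COM", SERVICE,
                              demo_kdcs(home_issues_referrals=False))
    except RuntimeError as e:
        print("non-referring KDC:", e)
```

In the traditional model the exception table has to reach every client; in the referral model only the KDCs need it, which is the trade-off the reply describes. The last call shows the failure mode from the thread: a home KDC that will not issue referrals leaves the client with an error for any service outside its realm, no matter how the other KDCs are configured.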