MIT KDC & Windows Client - change password & cross realm referral

Lara Adianto m1r4cle_26 at yahoo.com
Fri May 28 08:55:45 EDT 2004


Hello,

I've been experimenting with Heimdal Kerberos on
cross-realm authentication, for Windows 2000 clients
to authenticate to a Heimdal KDC, and just found out
that there seems to be a problem with the change
password interoperability between the Win2k client and
Heimdal KDC.

Therefore, I intend to switch to MIT Kerberos but need
to confirm the interoperability features of MIT KDC
and Windows clients:

1. Is there any issue of change password incompatibility
between MIT KDC and Windows clients? Will a user from
a Win2k / WinXP machine be able to change his/her
password in MIT KDC using Ctrl-Alt-Del or when the
password has expired?

In the following link:
http://mailman.mit.edu/pipermail/kerberos/2004-April/005326.html,
Jeffrey Altman wrote:
"I have just tested MIT KDC 1.3.3 with two machines.
One which is part of a Windows domain which uses
cross-realm trust with a MIT KDC to perform login. In
this case the password change does not appear to work
on expiration."

Has anyone found a way to solve the above problem? Or
is this still a limitation of the interoperability
between MIT Kerberos KDC and Windows clients?

2. Quoting from the paper by Michael Swift, Irina
Kosinovsky and Jonathan Trostle titled "Implementation
of Crossrealm Referral Handling in the MIT Kerberos
Client":

"The Windows 2000 client does not canonicalize names
at all, so the short name is sent to the KDC."

Hence, if my understanding is correct, a request for
the service host/service-name.foo.org will be sent to
the MIT Kerberos KDC as host/service-name@KERBEROS.REALM
and not as host/service-name.foo.org@KERBEROS.REALM.

How does MIT Kerberos determine the 'right' realm
to be used in issuing a referral ticket for the
client's request? DNS? krb5.conf? Does this mean
that every service-name must have an entry in DNS
or krb5.conf? For example:
serviceA = realmA
serviceB = realmB

This will be tedious if we have to specify the mapping
for every possible service or host that we have in a
domain one by one, right?

Regards,
lara

=====
------------------------------------------------------------------------------------
"Life, you see, is never as good or as bad as one thinks."
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
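Added example, not part of Lara's post or of MIT Kerberos itself: a small Python model of how the [domain_realm] section of krb5.conf maps a service hostname to a realm with per-domain suffix entries (leading dot) rather than one line per host, and why a short, non-canonicalized name finds no mapping. The hostnames and realm names are constructed, and the exact-host-then-parent-domain lookup order is a simplified rendering of the documented krb5.conf rules, not the library's code.

```python
# Added example (not from the original post or from MIT krb5 itself): a
# simplified model of how MIT krb5 maps a service hostname to a realm via the
# [domain_realm] section of krb5.conf. Lookup order (exact host first, then
# each parent domain entry carrying a leading dot) follows the documented
# krb5.conf rules; all hostnames and realm names below are constructed.

# Constructed [domain_realm] fragment in krb5.conf's own key = value form.
DOMAIN_REALM_CONF = """
[domain_realm]
    .foo.org = REALMA.FOO.ORG
    .lab.foo.org = LAB.FOO.ORG
    legacy-box.foo.org = OLD.FOO.ORG
"""

def parse_domain_realm(conf: str) -> dict:
    """Parse the [domain_realm] stanza into {pattern: REALM}.
    Patterns are lower-cased because DNS names are case-insensitive."""
    mapping = {}
    in_section = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(hostname: str, mapping: dict):
    """Return the realm for hostname: an exact entry wins, otherwise the
    nearest parent domain with a leading dot. Returns None when nothing
    matches, which is the case for a short name that carries no domain."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None

if __name__ == "__main__":
    m = parse_domain_realm(DOMAIN_REALM_CONF)
    for h in ("serviceA.foo.org", "db1.lab.foo.org", "legacy-box.foo.org", "serviceA"):
        print(f"{h:22} -> {host_realm(h, m)}")
```

Three suffix entries cover every host under foo.org and lab.foo.org, with one exact-host override; the bare name serviceA maps to nothing, which is the situation a KDC faces when a client sends the short name.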