Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...

Lara Adianto m1r4cle_26 at yahoo.com
Sun May 30 09:11:59 EDT 2004


Hi Kevin,

Can the MIT KDC actually resolve cross-realm referrals (the
short-name form sent by a Windows client instead of the
FQDN) without using the patch? I added a host-to-realm
mapping in my krb5.conf:
[domain_realm]
service = realmA
where serviceA is a host located in a Windows realm
that has a cross-realm trust with the MIT KDC. But it
didn't work. From the log file, I found that it said:
May 30 18:07:15 kerberos.adianto.com krb5kdc[385](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.168.94: UNKNOWN_SERVER: authtime 1085911593,  lara at ADIANTO.COM for HOST/Testw2kserver at ADIANTO.COM, Server not found in Kerberos database
while it's supposed to resolve it using the mapping
given in domain_realm.

I've tried this mapping with heimdal and it works. I'm
not sure with MIT, I've just switched to MIT 2 days
ago.

I need to solve this problem urgently, so I would really
appreciate a quick reply. Anyone?

Thanks a lot,
lara
 
--- Kevin Coffman <kwc at citi.umich.edu> wrote:
> We needed this referral support in our environment
> (using an MIT KDC for initial authentication to
> Windows).  We started with a patch reported to have
> originated at Microsoft.  It simply sent all referrals
> off to a domain specified in krb5.conf.  We needed to
> support two Windows forests so we added code to use
> the service name to determine the correct destination
> for the referral.  Our patch uses a new
> 'domain_referral' stanza in the krb5.conf file.
> 
> This left the problem of short names, which give no
> clue as to which domain the referral should go.  We
> punted on this issue.  In the case of a short name, we
> send the referral to the "default" domain.  In our
> case, the default domain is our production forest,
> rather than our test forest.  I haven't heard of any
> complaints.  An alternative would be to have another
> mapping of short names to referral domain.
> 
> See http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html
> for more info.
> 
> K.C.
> 
> > Hello,
> > 
> > Quoting from the paper of Michael Swift, Irina
> > Kosinovsky and Jonathan Trostle titled Implementation
> > of Crossrealm Referral Handling in the MIT Kerberos
> > Client:
> > 
> > "The Windows 2000 client does not canonicalize names
> > at all, so the short name is sent to the KDC."
> > 
> > Hence, if my understanding is correct, a request for
> > service host/service-name.foo.org will be sent to the
> > MIT Kerberos KDC as host/service-name at KERBEROS.REALM
> > and not as host/service-name.foo.org at KERBEROS.REALM
> > 
> > How does MIT Kerberos determine the appropriate realm
> > to be used in issuing a referral ticket for the
> > client's request?  DNS?  krb5.conf?  Does this mean
> > that every service-name must have an entry in the DNS
> > or krb5.conf?  For example:
> > serviceA = realmA
> > serviceB = realmB
> > Coz I think the KDC doesn't have any clue of the
> > domain of the service, only the service-name...
> > 
> > Thanks in advance,
> > -lara-
> > 
> > =====
> 


=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
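Following up on the krb5kdc log line quoted in this message, here is an added example (not from the thread, and not MIT krb5 code) of a small log scanner that picks out TGS_REQ failures of exactly that shape: UNKNOWN_SERVER on a service principal whose instance has no domain part, which is what the un-canonicalized short names from a Windows 2000 client look like on the KDC side. The field layout is assumed from the single quoted line, and the sample log lines are constructed (the archive rewrote '@' as ' at '; real log lines carry the '@').

```python
import re
from collections import defaultdict

# Field layout assumed from the one krb5kdc line quoted in the thread:
#   TGS_REQ (<etypes>) <client ip>: <STATUS>: authtime <n>, [etypes {...},] <client> for <server>[, <message>]
TGS_RE = re.compile(
    r"TGS_REQ \((?P<etypes>[^)]*)\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+),\s+(?:etypes \{[^}]*\},\s+)?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<msg>.*))?$"
)

def parse_tgs_req(line):
    """Return the TGS_REQ fields of one krb5kdc log line, or None if it is not a TGS_REQ line."""
    m = TGS_RE.search(line)
    return m.groupdict() if m else None

def is_short_name(service_principal):
    """True when the service instance (the host part of service/host@REALM) has no domain component."""
    name = service_principal.split("@", 1)[0]          # drop the realm
    parts = name.split("/", 1)
    if len(parts) != 2:                                 # no instance at all (e.g. a plain user principal)
        return False
    return "." not in parts[1]

def short_name_failures(lines):
    """Map client IP -> [(client principal, service principal)] for UNKNOWN_SERVER failures on short-name services."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_tgs_req(line)
        if rec and rec["status"] == "UNKNOWN_SERVER" and is_short_name(rec["server"]):
            hits[rec["ip"]].append((rec["client"], rec["server"]))
    return dict(hits)

# Constructed sample lines; the first mirrors the line quoted in the message above.
SAMPLE_LOG = [
    "May 30 18:07:15 kerberos.adianto.com krb5kdc[385](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.168.94: UNKNOWN_SERVER: authtime 1085911593,  lara@ADIANTO.COM for HOST/Testw2kserver@ADIANTO.COM, Server not found in Kerberos database",
    "May 30 18:08:02 kerberos.adianto.com krb5kdc[385](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.168.94: ISSUE: authtime 1085911593, etypes {rep=23 tkt=23 ses=23}, lara@ADIANTO.COM for host/testw2kserver.adianto.com@ADIANTO.COM",
    "May 30 18:09:40 kerberos.adianto.com krb5kdc[385](info): TGS_REQ (1 etypes {23}) 192.168.168.20: UNKNOWN_SERVER: authtime 1085911700,  bob@ADIANTO.COM for host/nosuch.adianto.com@ADIANTO.COM, Server not found in Kerberos database",
    "May 30 18:10:00 kerberos.adianto.com krb5kdc[385](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.168.94: ISSUE: authtime 1085911800, etypes {rep=23 tkt=23 ses=23}, lara@ADIANTO.COM for krbtgt/ADIANTO.COM@ADIANTO.COM",
]

if __name__ == "__main__":
    # Only the first sample line is reported: an FQDN miss and an AS_REQ are not short-name referral problems.
    for ip, reqs in short_name_failures(SAMPLE_LOG).items():
        for client, server in reqs:
            print(f"{ip}: {client} asked for short-name service {server}")
```

Grouping by client IP shows which hosts are sending short names, so the admin knows where a domain_realm or referral mapping (or client-side canonicalization) is still missing.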