Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...
Lara Adianto
m1r4cle_26 at yahoo.com
Sun May 30 09:11:59 EDT 2004
Hi Kevin,
Can MIT KDC actually solve cross-realm referral (the
short name form sent by windows client instead of the
FQDN) without using the patch. I added host to realm
mapping in my krb5.conf:
[domain_realm]
service = realmA
where serviceA is a host located in a windows Realm
who has cross-realm trust with the MIT KDC. But it
didn't work. From the log file, I found that it said:
May 30 18:07:15 kerberos.adianto.com
krb5kdc[385](info): TGS_REQ (7 etypes {23 -133 -128 3
1 24 -135}) 192.168.168.94: UNKNOWN_SERVER: authtime
1085911593, lara at ADIANTO.COM for
HOST/Testw2kserver at ADIANTO.COM, Server not found in
Kerberos database
while it's supposed to resolve it using the mapping
given in the domain_realm.
I've tried this mapping with heimdal and it works. I'm
not sure with MIT, I've just switched to MIT 2 days
ago.
I Need to solve this problem urgently, so I really
appreciate a quick reply. Anyone ?
Thanks a lot,
lara
--- Kevin Coffman <kwc at citi.umich.edu> wrote:
> We needed this referral support in our environment
> (using an MIT KDC
> for initial authentication to Windows). We started
> with a patch
> reported to have originated at Microsoft. It simply
> sent all referrals
> off to a domain specified in krb5.conf. We needed
> to support two
> Windows forests so we added code to use the service
> name to determine
> the correct destination for the referral. Our patch
> uses a new
> 'domain_referral' stanza in the krb5.conf file.
>
> This left the problem of short names, which give no
> clue as to which
> domain the referral should go. We punted on this
> issue. In the case of
> a short name, we send the referral to the "default"
> domain. In our
> case, the default domain is our production forest,
> rather than our test
> forest. I haven't heard of any complaints. An
> alternative would be to
> have another mapping of short names to referral
> domain.
>
> See
>
http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html
> for more
> info.
>
> K.C.
>
> > Hello,
> >
> > Quoting from the paper of Michael Swift, Irina
> > Kosinovsky and Johathan Trostle titled
> Implementation
> > of Crossrealm Referral Handling in the MIT
> Kerberos
> > Client:
> >
> > "The Windows 2000 client does not canonicalize
> names
> > at all, so the short name is sent to the KDC."
> >
> > Hence, if my understanding is correct, a request
> for
> > service: host/service-name.foo.org will be sent to
> MIT
> > Kerberos KDC as host/service-name at KERBEROS.REALM
> and
> > not as host/service-name.foo.org at KERBEROS.REALM
> >
> > How does MIT Kerberos determine the appropriate
> realm
> > to be used in issuing a referral ticket for the
> > client's request ? DNS ? Krb5.conf ? Does this
> mean
> > that every service-name must have an entry in the
> DNS
> > or Krb5.conf. For example:
> > serviceA = realmA
> > serviceB = realmB
> > Coz I think the KDC doesn't have any clue of the
> > domain of the service, only the service-name...
> >
> > Thanks in advance,
> > -lara-
> >
> > =====
>
=====
------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------
__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
More information about the Kerberos
mailing list