Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...
Lara Adianto
m1r4cle_26 at yahoo.com
Mon May 31 09:41:06 EDT 2004
Hi Kevin,

I've managed to apply your patch (thank you so much), and by adding
referral_realm to the realms stanza, it works!!

But if I have many different hosts from different realms, I can't just
send them all to a default referral realm!! I need to resolve the correct
realm for each host. Is this possible using your patch? Can the
domain_referral stanza be used to solve the short names sent by the
Windows client? For example:

[domain_referral]
Test_w2kserver = LARASARI.COM
Testw2k8 = TEST.COM

I've tried, but it didn't work. Well, I just want to confirm with you...

Thank you once again,
lara
--- Kevin Coffman <kwc at citi.umich.edu> wrote:
> We needed this referral support in our environment (using an MIT KDC
> for initial authentication to Windows). We started with a patch
> reported to have originated at Microsoft. It simply sent all referrals
> off to a domain specified in krb5.conf. We needed to support two
> Windows forests so we added code to use the service name to determine
> the correct destination for the referral. Our patch uses a new
> 'domain_referral' stanza in the krb5.conf file.
>
> This left the problem of short names, which give no clue as to which
> domain the referral should go. We punted on this issue. In the case of
> a short name, we send the referral to the "default" domain. In our
> case, the default domain is our production forest, rather than our test
> forest. I haven't heard of any complaints. An alternative would be to
> have another mapping of short names to referral domain.
>
> See http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html for more
> info.
>
> K.C.
>
> > Hello,
> >
> > Quoting from the paper of Michael Swift, Irina Kosinovsky and Jonathan
> > Trostle titled Implementation of Crossrealm Referral Handling in the
> > MIT Kerberos Client:
> >
> > "The Windows 2000 client does not canonicalize names at all, so the
> > short name is sent to the KDC."
> >
> > Hence, if my understanding is correct, a request for service:
> > host/service-name.foo.org will be sent to MIT Kerberos KDC as
> > host/service-name@KERBEROS.REALM and not as
> > host/service-name.foo.org@KERBEROS.REALM
> >
> > How does MIT Kerberos determine the appropriate realm to be used in
> > issuing a referral ticket for the client's request? DNS? Krb5.conf?
> > Does this mean that every service-name must have an entry in the DNS
> > or Krb5.conf. For example:
> > serviceA = realmA
> > serviceB = realmB
> > Coz I think the KDC doesn't have any clue of the domain of the
> > service, only the service-name...
> >
> > Thanks in advance,
> > -lara-
> >
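The lookup Kevin describes (a domain_referral map for full names, the default referral realm for short names) and the extra short-name mapping he suggests as an alternative, written out as an added illustration. This is hypothetical example code, not Kevin's patch or MIT code; the [short_name_referral] stanza name, the assumption that [domain_referral] is keyed by DNS domain suffix, and the sample hosts are all constructed here, reusing the realm names from Lara's example.

```python
"""Referral-realm lookup as described in the thread (hypothetical illustration,
not Kevin Coffman's patch): a [domain_referral] map keyed by DNS domain suffix,
short names falling back to the referral_realm default, plus the extra
mapping of short names to referral domain that Kevin mentions as an alternative.
"""
import re

# Constructed krb5.conf fragment; [short_name_referral] is a hypothetical stanza.
KRB5_CONF = """
[domain_referral]
    larasari.com = LARASARI.COM
    test.com = TEST.COM

[short_name_referral]
    testw2k8 = TEST.COM
"""

def parse_stanzas(text):
    """Parse flat 'key = value' stanzas into {section: {key: value}}; keys lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current[key.strip().lower()] = value.strip()
    return sections

def referral_realm(principal, conf, default_realm):
    """Realm a referral for 'service/host@REALM' should point at.
    default_realm plays the role of referral_realm from the [realms] stanza."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError("expected a service principal like host/name@REALM")
    host = name.split("/", 1)[1].lower()
    if "." not in host:                        # short name: no domain to key on
        return conf.get("short_name_referral", {}).get(host, default_realm)
    labels = host.split(".")
    domains = conf.get("domain_referral", {})
    for i in range(1, len(labels)):            # longest matching domain suffix wins
        suffix = ".".join(labels[i:])
        if suffix in domains:
            return domains[suffix]
    return default_realm
```

Note that a short name such as Test_w2kserver with no entry in the short-name map still lands in the default realm, which is exactly the case Lara hit when she put host names into [domain_referral].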