domain realm mapping

Douglas E. Engert deengert at anl.gov
Mon Apr 4 10:17:47 EDT 2005



Preetam Ramakrishna wrote:

> Hi,
> 
>         Douglas, Thanks for  the information. I forgot to mention that
> I was using a windows client, i.e., I am trying to map to a w2k server (
> part of a win2k domain ). Is it possible to specify the w2k domain name
> in this case.
> 

The W2K domain controllers act as the KDCs. The Kerberos realm name is
the uppercase domain name. So if I understand your question, the answer is yes.
Windows refers to UPN and SPN which are principal names. Windows
will treat these as case insensitive, but other Kerberos implementations
treat these as case sensitive, so use uppercase for realm names,
and avoid uppercase user names.

You say you are using a windows client. If you have access to the source,
does it call the InitializeSecurityContext, and does it let you
pass in the server_principal_name?

> Thanks,
> Preetam
> 
> 
>>>>"Douglas E. Engert" <deengert at anl.gov> 4/1/2005 6:15 PM >>>
> 
> 
> 
> Preetam Ramakrishna wrote:
> 
>>Hi,
>>
>>         On unix machines, the kerberized client (eg: telnet) looks for
>>"domain realm mappings" in the /etc/krb5.conf file. So, when I run
>>"telnet server-1.acme.com", the client would appropriately request the
>>KDC a service ticket for host/server-1.acme.com at REALM1.COM
>>
>>        Is there anything equivalent to this on a win2k workstation
>>which is configured to be a part of the non-windows kerberos realm.
> 
> 
> The krb5.ini on Windows is the same as a unix krb5.conf, and the KfW
> Kerberos libs will use the domain realm mappings.
> 
> If you are using the windows kerberos libs, via SSPI, the
> server_principal_name parameter of the InitializeSecurityContext
> routine can take the form: <service>@<host>@<realm>
> so the application can provide all three.
> 
> Windows also implements referrals, where the client asks the KDC
> for a ticket. The KDC can then return a referral to the client to
> try a different realm.  But this requires (1) KDC has a database
> of host realm mappings, (2) KDC has referral code, and (3) client
> understands what to do with a referral. Windows code has all three.
> AD can find hosts in its forest. AFAIK, referrals are not yet
> implemented in non windows Kerberos. The IETF krb-wg and Kitten WG
> are addressing these issues.
> 
> SecureCRT, and PuTTY can use either MIT KfW or SSPI and can allow the
> user to provide the realm when using the SSPI.
> 
>>Thanks,
>>Preetam

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
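As an added example (not code from the thread or from MIT/Microsoft), here is a small Python model of the [domain_realm] lookup discussed above: it parses that section from a constructed krb5.conf/krb5.ini fragment, resolves a hostname to a realm in the order I read from the MIT krb5 documentation (exact host, then each parent domain with and without a leading dot), and builds both the unix-style host/server-1.acme.com@REALM1.COM principal and the <service>@<host>@<realm> target-name form the post mentions for InitializeSecurityContext. The function names and the sample mappings are my own.

```python
# Constructed sample of the [domain_realm] section that /etc/krb5.conf and
# the Windows krb5.ini share (both use the same syntax).
SAMPLE_KRB5_CONF = """
[domain_realm]
    .acme.com = REALM1.COM
    acme.com = REALM1.COM
    legacy.acme.com = OLDREALM.COM
"""

def parse_domain_realm(conf_text):
    """Return {host_or_domain: REALM} from the [domain_realm] section."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (s.strip() for s in line.split("=", 1))
            # Non-Windows Kerberos treats realm names as case sensitive,
            # so normalise to the uppercase form the post recommends.
            mappings[key.lower()] = realm.upper()
    return mappings

def host_realm(hostname, mappings, default_realm=None):
    """Resolve hostname -> realm: exact host first, then each parent domain
    with a leading dot, then without it (my reading of the MIT lookup order)."""
    host = hostname.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mappings:
                return mappings[key]
    return default_realm  # None means no mapping and no default_realm

def principal_names(service, hostname, mappings, default_realm=None):
    """Return (unix-style principal, SSPI-style target name), e.g.
    ('host/server-1.acme.com@REALM1.COM', 'host@server-1.acme.com@REALM1.COM')."""
    realm = host_realm(hostname, mappings, default_realm)
    if realm is None:
        raise ValueError(f"no [domain_realm] mapping or default realm for {hostname}")
    host = hostname.lower().rstrip(".")
    return f"{service}/{host}@{realm}", f"{service}@{host}@{realm}"
```

A hostname with no mapping and no default realm raises, which is the case where a real client would have to fall back on referrals or DNS-based realm lookup.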