Kerberos referrals

[Josh Howlett]

Douglas E. Engert wrote:
> First of all see:
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-06.txt 

I've already seen that. FWIW, see also 
http://www.cs.washington.edu/homes/mikesw/papers/xrealm.pdf, which I 
found a bit more digestable.

>> Of particular interest to me is that the MIT implementation permits 
>> referral of requests for unknown realms to a "default" KDC, with the 
>> assumption that this other KDC knows what to do with the request. I 
>> believe that the purpose of this is to enable the construction of a 
>> multiple-level hierarchy of KDCs, with a root KDC at the top from 
>> which all realms are reachable.
>>
>> This is well and good, but in a typical environment the clients (W2K 
>> clients) will only talk in the first instance to a W2K KDC, and these 
>> KDCs do not permit the configuration referral to a "default" KDC in 
>> the event that the realm of the server principal is unknown.
>>
> 
> I was under the impressions that the referral is to the KDC of the
> user principal. AD would then use its Global Catalog to look up
> the realm of the service.

That's correct. If the GC doesn't know the realm, I assume the Windows 
KDC returns an error.

> So the Umich mods, (that I have not seen and did not know existed
> but am interested in) may have intended the default realm to be an AD 
> forest.

Yes, this looks likely given the documentation available.

> So if the user principal realm does not support referrals, it would try
> try the default realm. For example user  realm is using an MIT KDC,
> but the service is in AD. These two have cross realm trust setup.
 >
>> Therefore, in order to permit referral of clients to a "default" KDC 
>> and the construction of an arbitrary multi-level hierarchy, it would 
>> appear necessary to intercept and service the application ticket 
>> request from the client *before* it reaches the Windows KDC (because 
>> it will simply return an error). This implies a "kerberos proxy" 
>> agent, which is transparent for local realm requests, but catches 
>> non-local realm requests and forwards them to the KDC which handles 
>> these remote realms.
> 
> No, client tries KDC of user's realm. If it gives a referral then its done.
> If not it tries the default realm,using  cross realm TGT andit works.

Yes, *if* the user's realm KDC is MIT because it can generate a 
"default" referral. If the user's KDC is Windows, it doesn't have the 
concept of a "default" referral. Hence, the idea of an "MIT referral 
KDC" shim between the user and the user's Windows KDC.

> Use cross realm  so you don't need a proxy agent.

I hope I've explained that I don't think this is possible in the 
scenario I've outlined above...

> Where are the UMich mods?

http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html

best regards, josh.