Kerberos referrals

Josh Howlett josh.howlett at bristol.ac.uk
Wed Nov 9 16:42:16 EST 2005


Kevin Coffman wrote:
> On 11/9/05, Josh Howlett <josh.howlett at bristol.ac.uk> wrote:
> 
>>Kevin Coffman wrote:
>>
>>>We started with a patch that assumed all referrals would go to one place.
>>>
>>>We had a need to send referrals to either a test Windows forest or a
>>>production forest.  That is where the [domain_referral] stuff came
>>>from.  Then we found that some requests were coming in without
>>>fully-qualified names, and therefore we could not determine the
>>>"right" place for the referral.  For those requests, we send the
>>>referral to the default place, which in our case is to the production
>>>forest.
>>
>>Kevin,
>>
>>Do you think it would be possible to introduce an MIT KDC into an
>>existing AD environment, such that W2K clients in the AD realm (if
>>making a request for an unknown principal) can get referred to the MIT
>>KDC's "default" place?
> 
> 
> I think you're asking if an AD KDC can send a client a referral to an
> MIT KDC.  If that is correct, then I don't know the answer.  If it
> isn't correct, could you restate the question?

We have an existing AD KDC which contains all of our user principals.

We would like to enable these users to access applications in other 
remote realms, but because these realms are very numerous we don't want 
to establish cross-realm relationship with each of them.

Instead, would it be possible to implement an MIT KDC that acted *purely* 
(i.e. no user principals) as a "referral realm"? The referral agent would 
know (and have a trust relationship with) each other remote realm.

           Referral realm
             /    |    \
            /     |     \
      Realm A   Realm B  Realm C   (actually many more of these)
        /                  \
      User                Application

Assuming Realm A is an AD, there is the additional problem that Windows 
doesn't provide referrals to realms it doesn't explicitly know about.

Hence, it seems necessary to have a "shim" between the User and the 
realm's AD KDC that can catch the requests for remote principals, and 
refer the User to the Referral realm. Would it be possible to implement 
this using the MIT referral system, without making significant changes 
to the existing AD?

   Referral realm
         |
     ------- Realm A ---
        |
  User--MIT--Windows KDC & AD

Does that help?

josh.
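The hub-and-spoke design sketched in the message above, as an added illustration that is not part of the original thread or of the MIT or Microsoft code: a small model of the referral walk a client would make. The realm names, the refer() policy and the "default referral" behaviour are assumptions; they mirror the thread's description (a plain AD KDC refuses requests for realms it does not know, a referral-capable KDC sends unknown or unqualified names to a default place) rather than any real KDC's logic.

```python
# Added example (not the thread's code): model of a "referral realm" acting as a
# hub between an AD realm that holds the users and many remote service realms.
# Realm names, trust sets and the default-referral rule are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def realm_of(principal: str) -> Optional[str]:
    """Return the realm of 'name@REALM', or None when the name is unqualified."""
    _, sep, realm = principal.rpartition("@")
    return realm if sep else None


@dataclass
class KDC:
    realm: str
    principals: Set[str] = field(default_factory=set)  # names this KDC issues service tickets for
    trusts: Set[str] = field(default_factory=set)      # realms it shares a cross-realm key with
    default_referral: Optional[str] = None             # where unresolvable requests go; None = refuse

    def refer(self, service: str) -> Tuple[str, Optional[str]]:
        """Answer a TGS-REQ for `service`.

        ("ticket", None)     this KDC owns the principal and issues the ticket
        ("referral", realm)  it issues a cross-realm TGT for `realm`
        ("refuse", None)     it can do neither (a plain AD KDC for an unknown realm)
        """
        if service in self.principals:
            return "ticket", None
        target = realm_of(service)
        if target in self.trusts:
            return "referral", target
        # Unknown realm or unqualified name: only a referral-capable KDC with a
        # key for the default realm can hand the client onward.
        if self.default_referral in self.trusts:
            return "referral", self.default_referral
        return "refuse", None


def resolve(client_realm: str, service: str, kdcs: dict, max_hops: int = 8):
    """Follow referrals from the client's own KDC until a ticket is issued or the chain dies.

    Returns (outcome, transited) where transited lists the realms visited in order.
    """
    path: List[str] = [client_realm]
    while len(path) <= max_hops:
        verdict, nxt = kdcs[path[-1]].refer(service)
        if verdict == "ticket":
            return "ticket", path
        if verdict == "refuse":
            return "refused", path
        if nxt in path:                      # referral back to a realm already in the chain
            return "loop", path
        if nxt not in kdcs:
            return "unreachable", path
        if path[-1] not in kdcs[nxt].trusts: # receiving realm cannot verify the cross-realm TGT
            return "untrusted", path
        path.append(nxt)
    return "too_many_hops", path


def build_realms(shim_enabled: bool):
    """Constructed topology: AD realm A holds the users, REFERRAL is the hub, B and C
    are remote service realms. With shim_enabled the AD realm forwards requests it
    cannot answer to the hub (the 'shim' of the second diagram)."""
    hub = "REFERRAL.EXAMPLE"
    a, b, c = "REALM-A.EXAMPLE", "REALM-B.EXAMPLE", "REALM-C.EXAMPLE"
    kdcs = {
        a: KDC(a, principals={f"user@{a}"}, trusts={hub},
               default_referral=hub if shim_enabled else None),
        hub: KDC(hub, trusts={a, b, c}, default_referral=b),  # no user principals at the hub
        b: KDC(b, principals={f"ldap/dc1@{b}"}, trusts={hub}),
        c: KDC(c, principals={f"http/app@{c}"}, trusts={hub}),
    }
    return kdcs, a, b, c


if __name__ == "__main__":
    for shim in (False, True):
        kdcs, a, b, c = build_realms(shim_enabled=shim)
        print(f"shim={shim}: fully qualified ->", resolve(a, f"http/app@{c}", kdcs))
        print(f"shim={shim}: unqualified     ->", resolve(a, "http/app", kdcs))
```

Running it shows the two situations the thread describes: without the shim the AD realm simply refuses a request for a realm it has no key for, with it the client is walked A -> hub -> C; an unqualified name, which carries no realm to route on, ends up wherever the hub's default points, so it only works if the service happens to live there.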

