krb5 vs Windows trust relationships in AD on FC4

Buck Huppmann buckh@pobox.com
Thu Nov 17 10:26:07 EST 2005


On Wed, Nov 16, 2005 at 05:12:12PM +1100, Garth T Kidd wrote:

> I have two AD domains in separate forests: let's call them lab.au and
> users.com. I'm in complete control of lab.au, but not users.com.
> lab.au trusts users.com so that our users can log into my lab
> infrastructure with their own credentials, and I'd like to extend that
> ease of use to my Apache based lab control system.

Then you should be able to use ktpass.exe to create an HTTP/F.Q.D.N@LAB.AU
principal for Apache, copy the keytab over to your server, and go from
there. Using mod_auth_kerb, you'll just need to make sure that the
entries in your AuthGroupFile are in the form of user@USERS.COM.

> In krb5.conf I've set entries in [realms] keyed by the lowercase
> version of the domain, each with kdc= and admin_server= the
> (resolvable) name of the primary KDC. I've also added [domain_realm]
> entries for both.

Even though it doesn't seem like it, the Windows AD's canonical realm
name is ALL.UPPERCASE, I think. This matters for, inter alia, salting
string-to-key mechanisms (e.g., kinit with password, when using
non-arcfour etype preauthentication), I think, so I'd make all realm names
uppercase.

> Without a machine account, kinit -V username@LAB.AU works on lab.au
> whether [libdefaults] default_realm = LAB.AU or USERS.COM. Watching
> the network, I see it resolve _kerberos._udp.LAB.AU and
> _kerberos._tcp.LAB.AU, then resolve the server nominated as the kdc in
> krb5.conf and, finally, talk to it.
> 
> kinit -V username@USERS.COM, however, fails with: "kinit(v5): Cannot
> resolve network address for KDC in requested realm while getting
> initial credentials". The server looks up the SRV records for
> _kerberos._udp.USERS.COM and _kerberos._tcp.USERS.COM, both of which
> return ~30 records in nslookup, but doesn't then look up the kdc let
> alone talk to it.

OK. Looks like you're using all-uppercase here even though your
krb5.conf is set up lowercase. Again, if you just promote everything
case-wise in krb5.conf, then your configured servers should
be used and your problem go away, no?

As for the DNS-SRV location stuff, what does the DNS server's reply
to kinit look like? Is nslookup perhaps getting a truncated reply
flag and then retrying with TCP? The kerberos library may not be
able to handle that circumstance as nimbly as nslookup, so if you
have a domain with tons of domain controllers, then you'd probably
better go with hardwired krb5.conf servers--unless one of the newer,
improved krb5 releases can handle huge SRV answers.

--buck


> I'd like to be able to authenticate username@USERS.COM either directly
> or via LAB.AU thanks to the trust relationship. Any ideas?
> 
> Regards,
> Garth.
> 
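Buck's advice to promote every realm name in krb5.conf to uppercase, as an added example that is not code from the thread: a constructed krb5.conf in the shape Garth describes (lowercase [realms] keys with kdc= and admin_server=, [domain_realm] entries for both domains), and a small checker that reports lowercase realm names in [libdefaults], [realms] and [domain_realm] and rewrites them to uppercase while leaving the DNS-domain keys and KDC host names untouched. The host names dc1.lab.au and dc1.users.com are assumed placeholders.

```python
import re

# Constructed krb5.conf matching the setup described in the thread:
# realm names keyed by the lowercase DNS domain (the problem case).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = lab.au

[realms]
    lab.au = {
        kdc = dc1.lab.au
        admin_server = dc1.lab.au
    }
    users.com = {
        kdc = dc1.users.com
        admin_server = dc1.users.com
    }

[domain_realm]
    .lab.au = lab.au
    lab.au = lab.au
    .users.com = users.com
    users.com = users.com
"""

# Per section, a pattern whose 'realm' group is the realm-name token.
# The DNS-domain keys in [domain_realm] and the kdc=/admin_server= host
# names in [realms] are deliberately not matched: those stay lowercase.
REALM_TOKEN = {
    "libdefaults": re.compile(r"^(\s*default_realm\s*=\s*)(?P<realm>\S+)"),
    "realms": re.compile(r"^(\s*)(?P<realm>[^\s=]+)(\s*=\s*\{)"),
    "domain_realm": re.compile(r"^(\s*\S+\s*=\s*)(?P<realm>\S+)"),
}

def normalize_realm_case(conf_text):
    """Uppercase every realm name (the form the AD KDCs use for salting).
    Returns (rewritten_text, findings); findings lists (section, realm)
    for each realm token that was not already all-uppercase."""
    section, out, findings = None, [], []
    for line in conf_text.splitlines():
        header = re.match(r"^\s*\[(\w+)\]\s*$", line)
        if header:
            section = header.group(1)
            out.append(line)
            continue
        pat = REALM_TOKEN.get(section)
        m = pat.match(line) if pat else None
        if m and m.group("realm") != m.group("realm").upper():
            findings.append((section, m.group("realm")))
            s, e = m.span("realm")
            line = line[:s] + m.group("realm").upper() + line[e:]
        out.append(line)
    return "\n".join(out) + "\n", findings
```

Running it once reports seven lowercase realm tokens; running it again on its own output reports none.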

