inter-Windows 2003/non-Windows Kerberos realm referrals [Re: Single DNS domain for Multiple Kerberos V5 Realms ?]
Buck Huppmann
buckh at pobox.com
Tue Sep 20 11:12:51 EDT 2005
On Fri, Sep 16, 2005 at 09:58:13AM -0500, Douglas E. Engert wrote:
> But there is:
>
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-06.txt
>
> which allows a client to ask the user's KDC for a service ticket. If the KDC
> can't do it, the KDC will refer the client to the realm the KDC thinks the
> server
> is in. The client will then try that realm.
>
> Windows clients and the Windows AD can do this, where all the realms in
> question
> are in the forest. The KDC uses the Global catalog to look up the realm of
> host.
> (SSPI on windows knows how to use this.)
just thought i would document some recent experience with this, since
i haven't seen it explicitly noted anywhere else when i went searching
for it and since a heavyweight Kerberos guru evidently does not know
about it either (or maybe was just being mercifully succinct)[0]. if you
don't care about Active Directory interoperability etc., please ignore
this
if you aren't using MIT Kerberos for Windows and just have Microsoft
stuff on your clients and other Windows boxen, you can cook up something
like the following, so long as your Active Directory forest is running at
the ``Windows 2003 functional'' level, to get AD-forest-to-UNIX-Kerberos-
realm referrals:
we wanted to be able to refer members of our Windows 2003 Active Dir-
ectory, single-domain forest to our UNIX-hosted, Heimdal 0.6.x realm.
e.g.,
1. Win XP client: IE wants to get https://www.unix.example.com/ and
IE's policies are set up to allow integrated authentication (or
whatever it's called) to any service in *.example.com
2. IE asks adc1.win2003.example.com for ticket for
HTTP/www.unix.example.com at WIN2003.EXAMPLE.COM
3. adc1.win2003.example.com returns a referral response with a cross-
realm TGT for krbtgt/UNIX.EXAMPLE.COM at WIN2003.EXAMPLE.COM
4. XP client uses cross-realm TGT to ask kdc1.unix.example.com for
ticket for HTTPS/www.unix.example.com at UNIX.EXAMPLE.COM
5. XP client does authentication with these credentials with the web
server on www.unix.example.com, which is running mod_auth_kerb
(http://modauthkerb.sourceforge.net/)
to do this,
- on the XP client
1. ksetup.exe /addkdc UNIX.EXAMPLE.COM
where not specifying the KDC's explicitly means that XP will use
DNS SRV lookups to find a KDC. you can explicitly configure, of
course, if you prefer
2. optionally, add realm flags:
ksetup.exe /addrealmflags UNIX.EXAMPLE.COM tcpsupported delegate
- on UNIX
1. heimdal/kadmin> ank krbtgt/UNIX.EXAMPLE.COM at WIN2003.EXAMPLE.COM
and give it a suitable password and other properties
2. optionally,
heimdal/kadmin> ank krbtgt/WIN2003.EXAMPLE.COM
if you are going to make the trust two-way and have WIN2003
trust UNIX. give it the same password, if you are going to do
as below and use the /twoway option. (i'm not sure you can do
otherwise)
- on Windows 2003, assuming you are doing the two-way, single-pass-
word trust set-up, and that you have the relevant privileges via
your current Windows logon token to do the following:
1. netdom.exe trust WINDOWS.EXAMPLE.COM /add /domain:UNIX.EXAMPLE.COM ^
/realm /twoway /passwordt:the_suitable_password
2. optionally,
netdom.exe trust WINDOWS.EXAMPLE.COM /domain:UNIX.EXAMPLE.COM ^
/transitive:yes
3. netdom.exe trust WINDOWS.EXAMPLE.COM /domain:UNIX.EXAMPLE.COM ^
/foresttransitive:yes
if this gives you an enigmatic error, maybe your forest isn't
at the Windows 2003 functional level, or maybe you are trying
to configure this on a non-forest-root domain
4. netdom.exe trust WINDOWS.EXAMPLE.COM /domain:UNIX.EXAMPLE.COM ^
/addtln:unix.example.com
this is where you're adding the [domain_realm]-ish stuff to the
Active Directory, so continue to add as required.
netdom.exe help trust | more
will give you more info on how to enable and disable and exclude
domains
5. netdom.exe trust WINDOWS.EXAMPLE.COM /namesuffixex UNIX.EXAMPLE.COM
should list something like
Name, Type, Status, Notes
1. *.unix.example.com, Name Suffix, Enabled
the carets/circumflexi at the ends of the above lines indicate line-
continuation
- if you want the integrated web authentication stuff to work, you have
to configure your IE security policy or whatever browser you're using.
(for IE, search for the section beginning ``Client Side'' in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
)
- if you want to try to SSH to a server in UNIX.EXAMPLE.COM that supports
GSSAPI-Kerberos V5-mechanism user authentication, one that works with
just the above set-up is http://rc.vintela.com/topics/putty/
if you check out that netdom.exe help info, you'll see there's lots of
special-casing for non-Windows stuff, so many thanks to the Microsoft-
niks who added all these hooks
apologies in advance for any of the foregoing that i messed up or any
missing ingredients or provisos[1]
---------------
[0] although this belongs on some sort of howto page out there on the
net, i figure google should be able to pull it out of the mailing-
list archive web sites, until somebody dresses up something pret-
tier and more correct and gives it a home of its own. likewise, if
Stuff Changes and it ends up becoming obsolete, well, the fact
that it's from an archive should be a warning to that effect
[1] in that sense, it'd be better if somebody took it upon him-/herself
to maintain a howto. please feel free to incorporate any of this you
find worthwhile, if that would be you, although that's not induce-
ment to abuse anybody's trademarks or anything i shouldn't have done
More information about the Kerberos
mailing list