inter-Windows 2003/non-Windows Kerberos realm referrals [Re: Single DNS domain for Multiple Kerberos V5 Realms ?]

Douglas E. Engert deengert at anl.gov
Tue Sep 20 14:37:25 EDT 2005


Great, it looks like the netdom trust command is the missing piece.


Buck Huppmann wrote:

> On Fri, Sep 16, 2005 at 09:58:13AM -0500, Douglas E. Engert wrote:
> 
> 
>>But there is:
>>
>>http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-06.txt
>>
>>which allows a client to ask the user's KDC for a service ticket. If the KDC
>>can't do it, the KDC will refer the client to the realm the KDC thinks the 
>>server
>>is in. The client will then try that realm.
>>
>>Windows clients and the Windows AD can do this, where all the realms in 
>>question
>>are in the forest. The KDC uses the Global catalog to look up the realm of 
>>host.
>>(SSPI on windows knows how to use this.)
> 
> 
> just thought i would document some recent experience with this, since
> i haven't seen it explicitly noted anywhere else when i went searching
> for it and since a heavyweight Kerberos guru evidently does not know
> about it either (or maybe was just being mercifully succinct)[0]. if you
> don't care about Active Directory interoperability etc., please ignore
> this
> 
> if you aren't using MIT Kerberos for Windows and just have Microsoft
> stuff on your clients and other Windows boxen, you can cook up something
> like the following, so long as your Active Directory forest is running at
> the ``Windows 2003 functional'' level, to get AD-forest-to-UNIX-Kerberos-
> realm referrals:
> 
> we wanted to be able to refer members of our Windows 2003 Active Dir-
> ectory, single-domain forest to our UNIX-hosted, Heimdal 0.6.x realm.
> e.g.,
> 
> 1. Win XP client: IE wants to get https://www.unix.example.com/ and
>    IE's policies are set up to allow integrated authentication (or
>    whatever it's called) to any service in *.example.com
> 
> 2. IE asks adc1.win2003.example.com for ticket for
>    HTTP/www.unix.example.com at WIN2003.EXAMPLE.COM
> 
> 3. adc1.win2003.example.com returns a referral response with a cross-
>    realm TGT for krbtgt/UNIX.EXAMPLE.COM at WIN2003.EXAMPLE.COM
> 
> 4. XP client uses cross-realm TGT to ask kdc1.unix.example.com for
>    ticket for HTTPS/www.unix.example.com at UNIX.EXAMPLE.COM
> 
> 5. XP client does authentication with these credentials with the web
>    server on www.unix.example.com, which is running mod_auth_kerb
>    (http://modauthkerb.sourceforge.net/)
> 
> to do this,
> 
> - on the XP client
> 
>   1. ksetup.exe /addkdc UNIX.EXAMPLE.COM
> 
>      where not specifying the KDC's explicitly means that XP will use
>      DNS SRV lookups to find a KDC. you can explicitly configure, of
>      course, if you prefer
> 
>   2. optionally, add realm flags:
> 
>      ksetup.exe /addrealmflags UNIX.EXAMPLE.COM tcpsupported delegate
> 
> - on UNIX
> 
>   1. heimdal/kadmin> ank krbtgt/UNIX.EXAMPLE.COM at WIN2003.EXAMPLE.COM
> 
>      and give it a suitable password and other properties
> 
>   2. optionally,
> 
>      heimdal/kadmin> ank krbtgt/WIN2003.EXAMPLE.COM
> 
>      if you are going to make the trust two-way and have WIN2003
>      trust UNIX. give it the same password, if you are going to do
>      as below and use the /twoway option. (i'm not sure you can do
>      otherwise)
> 
> - on Windows 2003, assuming you are doing the two-way, single-pass-
>   word trust set-up, and that you have the relevant privileges via
>   your current Windows logon token to do the following:
> 
>   1. netdom.exe trust WINDOWS.EXAMPLE.COM /add /domain:UNIX.EXAMPLE.COM ^
>   	/realm /twoway /passwordt:the_suitable_password
> 
>   2. optionally,
>   
>      netdom.exe trust WINDOWS.EXAMPLE.COM /domain:UNIX.EXAMPLE.COM ^
>   	/transitive:yes
> 
>   3. netdom.exe trust WINDOWS.EXAMPLE.COM /domain:UNIX.EXAMPLE.COM ^
>   	/foresttransitive:yes
> 
>      if this gives you an enigmatic error, maybe your forest isn't
>      at the Windows 2003 functional level, or maybe you are trying
>      to configure this on a non-forest-root domain
> 
>   4. netdom.exe trust WINDOWS.EXAMPLE.COM /domain:UNIX.EXAMPLE.COM ^
> 	/addtln:unix.example.com
> 
>      this is where you're adding the [domain_realm]-ish stuff to the
>      Active Directory, so continue to add as required.
> 	     netdom.exe help trust | more
>      will give you more info on how to enable and disable and exclude
>      domains
> 
>   5. netdom.exe trust WINDOWS.EXAMPLE.COM /namesuffixex UNIX.EXAMPLE.COM
> 
>      should list something like
>         Name, Type, Status, Notes
>      1. *.unix.example.com, Name Suffix, Enabled
> 
>   the carets/circumflexi at the ends of the above lines indicate line-
>   continuation
> 
> - if you want the integrated web authentication stuff to work, you have
>   to configure your IE security policy or whatever browser you're using.
>   (for IE, search for the section beginning ``Client Side'' in
>   http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
>   )
> 
> - if you want to try to SSH to a server in UNIX.EXAMPLE.COM that supports
>   GSSAPI-Kerberos V5-mechanism user authentication, one that works with
>   just the above set-up is http://rc.vintela.com/topics/putty/
> 
> if you check out that netdom.exe help info, you'll see there's lots of
> special-casing for non-Windows stuff, so many thanks to the Microsoft-
> niks who added all these hooks
> 
> apologies in advance for any of the foregoing that i messed up or any
> missing ingredients or provisos[1]
> 
> ---------------
> [0] although this belongs on some sort of howto page out there on the
>     net, i figure google should be able to pull it out of the mailing-
>     list archive web sites, until somebody dresses up something pret-
>     tier and more correct and gives it a home of its own. likewise, if
>     Stuff Changes and it ends up becoming obsolete, well, the fact
>     that it's from an archive should be a warning to that effect
> 
> [1] in that sense, it'd be better if somebody took it upon him-/herself
>     to maintain a howto. please feel free to incorporate any of this you
>     find worthwhile, if that would be you, although that's not induce-
>     ment to abuse anybody's trademarks or anything i shouldn't have done
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


More information about the Kerberos mailing list