Cross Realm AD<->MIT Trust, with realm name clash?

Douglas E. Engert deengert at anl.gov
Mon Feb 6 12:22:11 EST 2006


As Ken points out it is the salt that will cause the problem.
The default salt for DES is to use the realm and principal
components concatenated with the password to generate a key.
So if you change the realm, you either have to change the key,
or store the salt that was used when the password was changed.

We had a situation similar to this when we wanted to convert
from DCE to using an MIT KDC with a different realm. We wanted
to copy the user keys so the users would not need to change the
passwords. We got this working, but never really used it.

You are welcome to the code as an example.

You could run through the data base, adding the current salt as
KRB5_KDB_SALTTYPE_SPECIAL with the current realm name. Then when
you change the realm name, all the existing entries would continue
to use the old realm name for the salt.

Note you must be using +requires_preauth.


Colin Simpson wrote:

> On Fri, 2006-02-03 at 08:17, Enrico.M.V.Fasanelliatl wrote:
> 
>>>If it is necessary for these realms to have cross realm relationships
>>>with any other realms in common or with each other, then one of the
>>>realms must change its name.   There is no procedure for changing the
>>>name of a realm hosted by a MIT KDC.  However, there is such a procedure
>>>for Windows 2003 Active Directory.  It is extremely painful but it is
>>>possible.
>>
>>Hi Jeff,
>>
>>any pointer to the documentation on how to do this?
>>
>>Ciao,
>>	Enrico
>>
> 
> I presume he's referring to the domain renaming tool in W2003 server
> which presumably will also rename the Kerberos Realm as it goes.
> 
> http://support.microsoft.com/kb/819145/en-us
> 
> Unfortunately in my case it won't help as the AD domain concerned is
> part of a larger forest that I can't change.
> 
> I must say it's quite a surprise that Windows can allow you this
> flexibility but MIT Kerberos doesn't. Is it really impossible with MIT
> Kerberos?
> 
> Thanks
> 
> Colin
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


