Kerberos proxy for implementing referrals

Richard Silverman res at qoxp.net
Wed May 24 14:17:35 EDT 2006


Thanks.  I should have mentioned that I have also asked Microsoft about
the various bits of netdom that seem as if they might work, e.g. netdom
/addtln.  But I will do some more research of my own.

Another complication is that we have hosts in both Windows and MIT realms
scattered throughout the same DNS domains, so a simple domain-realm mapping
will not work.  We use DNS realm RRs (_kerberos.hostname) to effect this,
and Windows has to somehow get the same info.

- Richard

> Before you do this, you may want to look at "Trusted Domain Objects"
> and "Global Catalog". There may be a way to use the "netdom" command to:
>
> "Establish one-way or two-way trust relationships between domains,
>   including the following kinds of trust relationships:
>    ...
> 	 The Windows Server 2003 or Windows 2000 Server half of an
>     interoperable Kerberos realm."
>
> Google for netdom, trusted domain object or TDO, referral and cross realm
> or Google for "Domain and Forest Trust Tools and Settings"
>
> ( I have not tried this. But it looks like the netdom command could
> setup the TDO that is missing.)
>
>
> Richard E. Silverman wrote:
>
>> I'm considering the use of a Kerberos proxy, to solve the problem of being
>> unable to do cross realm authentication through a Windows realm to an MIT
>> one, due to Windows not issuing referrals for external realms.  The proxy
>> would issue referrals where needed instead of having the Windows KDC say
>> "no such principal," and send/return all other requests to Windows for the
>> client.  Obviously, the proxy will need the TGS keys for the Windows
>> realm.  This is a last resort; I'm going mad badgering Microsoft for some
>> sort of solution to this.  My outstanding request to them is whether they
>> can issue default referrals.  I'm not expecting a positive answer.
>> 
>> I'm wondering whether anyone else has considered this, or (hoping against
>> hope), already implemented it?
>> 
>> I've considered using the KfW GSSAPI library with clients that support it
>> (Firefox, SecureCRT, etc.), but this is probably not a workable option for
>> us.
>> 
>> All comments welcome and appreciated,
>> 
>
>

-- 
   Richard Silverman
   res at qoxp.net
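The host-to-realm mapping Richard describes (a `_kerberos.<hostname>` TXT record per host, because hosts of both realms share one DNS domain) is easy to model. The following is an added example, not code from this thread: it walks from the host name up through its parent domains the way MIT krb5's `dns_lookup_realm` does, with the DNS query injected as a callable so it runs offline against a constructed zone table (the host names and realm names below are made up). The `allowed_realms` parameter is this example's own addition: an unsigned TXT record is the only thing deciding which KDC a client will trust for that host, so restricting answers to realms you actually operate limits what a spoofed or stale record can redirect.

```python
# Added example: map a host to its Kerberos realm via _kerberos.<name> TXT
# records, walking up the DNS tree like MIT krb5's dns_lookup_realm.
# The lookup is injected so the example runs offline; in real use, replace
# constructed_lookup with a TXT query (dnspython, for instance).
from typing import Callable, Dict, Optional, Set

# Constructed zone table: two realms interleaved in one DNS domain, plus a
# domain-level default for hosts that carry no record of their own.
CONSTRUCTED_TXT: Dict[str, str] = {
    "_kerberos.db1.corp.example.com": "EXAMPLE.COM",      # MIT realm host
    "_kerberos.fs1.corp.example.com": "AD.EXAMPLE.COM",   # Windows realm host
    "_kerberos.corp.example.com": "AD.EXAMPLE.COM",       # domain default
}


def constructed_lookup(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query against the constructed zone."""
    return CONSTRUCTED_TXT.get(name.lower().rstrip("."))


def realm_for_host(
    hostname: str,
    lookup_txt: Callable[[str], Optional[str]] = constructed_lookup,
    allowed_realms: Optional[Set[str]] = None,
) -> Optional[str]:
    """Return the realm for hostname, or None if no usable record exists.

    Queries _kerberos.<fqdn>, then _kerberos.<parent> for each parent domain.
    Stopping before the bare TLD is this example's choice.  If allowed_realms
    is given, an answer naming any other realm is rejected rather than used.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = "_kerberos." + ".".join(labels[i:])
        answer = lookup_txt(candidate)
        if not answer:
            continue
        realm = answer.strip().upper()
        if allowed_realms is not None and realm not in allowed_realms:
            # A record pointing at a realm we do not run: treat as unmapped
            # so the caller fails closed instead of talking to a foreign KDC.
            return None
        return realm
    return None


def map_hosts(
    hosts: Set[str], allowed_realms: Optional[Set[str]] = None
) -> Dict[str, Optional[str]]:
    """Resolve a batch of hosts; None marks hosts with no accepted mapping."""
    return {h: realm_for_host(h, allowed_realms=allowed_realms) for h in hosts}


if __name__ == "__main__":
    for host, realm in sorted(
        map_hosts({"db1.corp.example.com", "fs1.corp.example.com",
                   "web9.corp.example.com", "other.example.net"}).items()
    ):
        print(f"{host:28} -> {realm}")
```

Windows clients never consult these TXT records, which is the gap Richard points at; the static equivalent on that side is a per-host entry added with `ksetup /addhosttorealmmap`, so the same table has to be maintained twice.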