Kerberos proxy for implementing referrals
Richard Silverman
res at qoxp.net
Wed May 24 14:17:35 EDT 2006
Thanks. I should have mentioned that I have also asked Microsoft about
the various bits of netdom that seem as if they might work, e.g. netdom
/addtln. But I will do some more research of my own.
Another complication is that we have hosts in both Windows and MIT realms
scattered throughout the same DNS domains, so a simple domain-realm mapping
will not work. We use DNS realm RRs (_kerberos.hostname) to effect this,
and Windows has to somehow get the same info.
- Richard
> Before you do this, you may want to look at "Trusted Domain Objects"
> and "Global Catalog". There may be a way to use the "netdom" command to:
>
> "Establish one-way or two-way trust relationships between domains,
> including the following kinds of trust relationships:
> ...
> The Windows Server 2003 or Windows 2000 Server half of an
> interoperable Kerberos realm."
>
> Google for netdom, trusted domain object or TDO, referral and cross realm
> or Google for "Domain and Forest Trust Tools and Settings"
>
> ( I have not tried this. But it looks like the netdom command could
> setup the TDO that is missing.)
>
>
> Richard E. Silverman wrote:
>
>> I'm considering the use of a Kerberos proxy, to solve the problem of being
>> unable to do cross realm authentication through a Windows realm to an MIT
>> one, due to Windows not issuing referrals for external realms. The proxy
>> would issue referrals where needed instead of having the Windows KDC say
>> "no such principal," and send/return all other requests to Windows for the
>> client. Obviously, the proxy will need the TGS keys for the Windows
>> realm. This is a last resort; I'm going mad badgering Microsoft for some
>> sort of solution to this. My outstanding request to them is whether they
>> can issue default referrals. I'm not expecting a positive answer.
>>
>> I'm wondering whether anyone else has considered this, or (hoping against
>> hope), already implemented it?
>>
>> I've considered using the KfW GSSAPI library with clients that support it
>> (Firefox, SecureCRT, etc.), but this is probably not a workable option for
>> us.
>>
>> All comments welcome and appreciated,
>>
>
>
--
Richard Silverman
res at qoxp.net
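The per-host realm mapping Richard describes above (a TXT record at _kerberos.<hostname>, so that hosts in the Windows realm and the MIT realm can share one DNS domain) is easy to reproduce in code. The following is an added example, not code from the thread or from MIT Kerberos; it mirrors the walk-up-the-labels lookup that MIT krb5 performs when dns_lookup_realm is enabled, but uses a constructed in-memory TXT table (the example.com names and realms are made up) so it runs offline. A real deployment would replace sample_resolver with an actual DNS TXT query.

```python
# Added example: host-to-realm discovery via _kerberos.<hostname> TXT records.
# The zone data below is constructed for illustration; none of these hosts exist.

from typing import Callable, Dict, List, Optional

# Constructed sample zone: TXT answers keyed by owner name.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_kerberos.fileserver.example.com": ["EXAMPLE.COM"],    # host in the Windows realm
    "_kerberos.mitbox.example.com": ["MIT.EXAMPLE.COM"],    # host in the MIT realm, same DNS domain
    "_kerberos.example.com": ["EXAMPLE.COM"],               # domain-wide default
}


def sample_resolver(name: str) -> List[str]:
    """Stand-in for a DNS TXT lookup (hypothetical; swap in a real resolver)."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


def realm_for_host(hostname: str,
                   resolve_txt: Callable[[str], List[str]] = sample_resolver) -> Optional[str]:
    """Return the Kerberos realm for hostname, or None if no TXT record is found.

    Lookup order matches the _kerberos.<name> convention: the full host name
    is tried first so a per-host record overrides the domain default, then each
    parent domain is tried in turn until the top label is reached.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = "_kerberos." + ".".join(labels[i:])
        answers = resolve_txt(candidate)
        if answers:
            # Realm names are case-sensitive in Kerberos; conventionally upper case.
            return answers[0].strip().upper()
    return None


if __name__ == "__main__":
    for host in ("mitbox.example.com", "fileserver.example.com",
                 "other.example.com", "nothing.invalid"):
        print(f"{host:25s} -> {realm_for_host(host)}")
```

The per-host record is what lets mitbox.example.com map to MIT.EXAMPLE.COM while its neighbour fileserver.example.com (and any host without its own record) falls back to EXAMPLE.COM, which is exactly why a flat domain_realm mapping cannot express this layout. One caveat a practitioner should keep in mind: an unsigned TXT answer is attacker-controllable on the path to the resolver, which is why MIT krb5 documents DNS realm lookup as less trustworthy than a static mapping; DNSSEC-validated answers or a static domain_realm section on hosts that can tolerate it are the safer options.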