cross realm and capaths question
Markus Moeller
huaraz at moeller.plus.com
Sun Sep 30 15:06:35 EDT 2007
"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
news:fdoqar$890$1 at sea.gmane.org...
>
> "Douglas E. Engert" <deengert at anl.gov> wrote in message
> news:46FEDD2E.9090109 at anl.gov...
>> You say the KDCs are Windows DCs, and TEST.HOME is not in the forest?
>> I assume the client LDAP is using the MIT or Heimdal Kerberos, as
>> capaths is only supported there. Windows uses referrals, where the
>> client can ask its DC for a tgt, and the DC can return an error with a
>> referral (or was it a tgt for the next hop? I forgot all the details.)
>>
>
> Yes my DCs are Windows 2k3 and my clients run SLES 10 with krb5-1.4.3.
>
> BTW I don't think Windows can use referrals in this case, or does DOM1
> forward all it knows about TEST.HOME to TOP.COM? If so, how?
>
>>
>> Markus Moeller wrote:
>>> I have a setup with 4 DCs. 3 DCs build a forest and the fourth hangs off
>>> one of the sub domains.
>>>
>>>             TOP.COM
>>>            /       \
>>>   DOM1.TOP.COM   DOM2.TOP.COM
>>>        /
>>>   TEST.HOME
>>>
>>
>> So in the krb5.conf man page example your realms equate to these:
>>
>> TEST.ANL.GOV == TEST.HOME
>> ANL.GOV == DOM1.TOP.COM
>> ES.NET == TOP.COM
>> NERSC.GOV == DOM2.TOP.COM
>>
>>> There is full trust between TOP.COM and DOM1.TOP.COM and DOM2.TOP.COM.
>>> TEST.HOME has only full trust to DOM1.TOP.COM.
>>>
>>> I try to connect from a user in DOM2.TOP.COM to a system in TEST.HOME
>>> with
>>> the following krb5.conf on DOM2.TOP.COM systems.
>>>
>>> [domain_realm]
>>> top.com = TOP.COM
>>> .top.com = TOP.COM
>>> dom1.top.com = DOM1.TOP.COM
>>> .dom1.top.com = DOM1.TOP.COM
>>> dom2.top.com = DOM2.TOP.COM
>>> .dom2.top.com = DOM2.TOP.COM
>>> test.home = TEST.HOME
>>> .test.home = TEST.HOME
>>>
>>> [capaths]
>>> DOM2.TOP.COM = {
>>> TEST.HOME = DOM1.TOP.COM
>>
>> The above line may be the problem. It is telling the client that
>> it can go to DOM1.TOP.COM, but DOM1.TOP.COM and DOM2.TOP.COM don't
>> share trust, so it may have fallen back and tried the direct approach,
>> or it skipped the capaths altogether.
>>
>> TEST.HOME = TOP.COM
>> TEST.HOME = DOM1.TOP.COM
>>
>> Try these instead, at least it is an easy test.
>
> I did change and test it, and now get error 28
> (KRB5KDC_ERR_PATH_NOT_ACCEPTED)
>
> I see
>
> TGS-REQ for krbtgt/TEST.HOME to DOM2.TOP.COM
> TGS-REP unknown Principal
> TGS-REQ for krbtgt/DOM1.TOP.COM to DOM2.TOP.COM
> TGS-REP krbtgt/TOP.COM
> TGS-REQ for krbtgt/TOP.COM to DOM2.TOP.COM
> TGS-REP krbtgt/TOP.COM
> TGS-REQ for krbtgt/TEST.HOME to TOP.COM
> TGS-REP unknown Principal
> TGS-REQ for krbtgt/DOM1.TOP.COM to TOP.COM
> TGS-REP krbtgt/DOM1.TOP.COM
> TGS-REQ for krbtgt/TEST.HOME to DOM1.TOP.COM
Does it help to know that the AP request part contains realm TOP.COM and
krbtgt/DOM1.TOP.COM ?
> TGS-REP error_code: KRB5KDC_ERR_PATH_NOT_ACCEPTED (28)
>
>
>>
>>> DOM1.TOP.COM = TOP.COM
>>> TOP.COM = .
>>> }
>>> DOM1.TOP.COM = {
>>> DOM2.TOP.COM = TOP.COM
>>> TOP.COM = .
>>> }
>>> TEST.HOME = {
>>> DOM2.TOP.COM = TOP.COM
>>> TOP.COM = DOM1.TOP.COM
>>> DOM1.TOP.COM = .
>>> }
>>>
>>> A walk tree test gives me:
>>>
>>> #t_walk_rtree DOM1.TOP.COM TEST.HOME
>>> krbtgt/DOM1.TOP.COM@DOM1.TOP.COM
>>> krbtgt/TEST.HOME@DOM1.TOP.COM
>>>
>>> #t_walk_rtree DOM2.TOP.COM TEST.HOME
>>> krbtgt/DOM2.TOP.COM@DOM2.TOP.COM
>>> krbtgt/DOM1.TOP.COM@DOM2.TOP.COM
>>> krbtgt/DOM1.TOP.COM@DOM1.TOP.COM
>>> krbtgt/TEST.HOME@DOM1.TOP.COM
>>>
>>>
>>>
>>> But when I do a ldapsearch -H ldap://dc.test.home .... I get
>>>
>>> additional info: SASL(-1): generic failure: GSSAPI Error:
>>> Miscellaneous failure (KDC reply did not match expectations)
>>>
>>> An Ethereal trace shows a TGS-REQ for krbtgt/TEST.HOME going to
>>> DOM2.TOP.COM instead of to DOM1.TOP.COM.
>>>
>>
>> Was there any other krb5 packets?
>>
>
> Yes there were. Mostly to DOM2.TOP.COM
>
>>> What is wrong in my configuration ?
>>>
>>> Thank you
>>> Markus
>>>
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>> --
>>
>> Douglas E. Engert <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>
> Thank you
> Markus
>
>
>
Is there somewhere a better description of what should be in the capaths
section ?
Markus
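The following is an added example, not code from the thread or from the MIT krb5 tree: a small resolver for a krb5.conf `[capaths]` section that does what the client does when it walks from its own realm to the server's realm (values of `C = { S = ... }` are the intermediate realms in order, `.` means no intermediate, and a repeated key accumulates, as the krb5.conf man page describes), and then checks each hop against the direct trusts described in the message. The two `[capaths]` texts, the trust set and the helper names `parse_capaths`, `realm_path`, `tgt_sequence`, `untrusted_hops` and `report` are constructed here for illustration.

```python
"""Client-side walk of a krb5.conf [capaths] section (added example)."""
import re

# Constructed from the thread: the [capaths] as originally posted, where the
# first hop towards TEST.HOME goes straight to DOM1.TOP.COM ...
ORIGINAL_CAPATHS = """
[capaths]
DOM2.TOP.COM = {
    TEST.HOME = DOM1.TOP.COM
    DOM1.TOP.COM = TOP.COM
    TOP.COM = .
}
"""

# ... and the variant suggested in the reply: the server realm listed twice,
# which MIT reads as an ordered list of intermediates (TOP.COM, then DOM1).
CORRECTED_CAPATHS = """
[capaths]
DOM2.TOP.COM = {
    TEST.HOME = TOP.COM
    TEST.HOME = DOM1.TOP.COM
    DOM1.TOP.COM = TOP.COM
    TOP.COM = .
}
"""

# Direct two-way trusts as described in the thread (constructed, not read
# from any DC): TOP<->DOM1, TOP<->DOM2, DOM1<->TEST.
TRUSTS = {
    frozenset(("TOP.COM", "DOM1.TOP.COM")),
    frozenset(("TOP.COM", "DOM2.TOP.COM")),
    frozenset(("DOM1.TOP.COM", "TEST.HOME")),
}

_BLOCK = re.compile(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$")          # CLIENT = {
_ENTRY = re.compile(r"^([A-Za-z0-9.\-]+)\s*=\s*([A-Za-z0-9.\-]+)$")  # SERVER = HOP


def parse_capaths(text):
    """Parse a [capaths] section into {client: {server: [hop, ...]}}.
    Repeated 'server = hop' lines are kept in order; '.' adds no hop."""
    caps, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "[capaths]":
            continue
        m = _BLOCK.match(line)
        if m:
            current = caps.setdefault(m.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        m = _ENTRY.match(line)
        if m and current is not None:
            server, hop = m.group(1), m.group(2)
            current.setdefault(server, [])
            if hop != ".":
                current[server].append(hop)
    return caps


def realm_path(caps, client, server):
    """Ordered realms from client to server, both included.  Raises KeyError
    when no capaths entry exists (MIT then falls back to the hierarchical
    walk on the realm names, which this example does not model)."""
    if client == server:
        return [client]
    return [client] + caps[client][server] + [server]


def tgt_sequence(path):
    """Cross-realm TGTs the client requests along the path, one per hop,
    in the krbtgt/NEXT@CURRENT form that t_walk_rtree prints."""
    return [f"krbtgt/{path[i + 1]}@{path[i]}" for i in range(len(path) - 1)]


def untrusted_hops(path, trusts):
    """Hops for which no direct trust exists; the client can still name
    such a path, but the KDC asked will not have a key for it."""
    return [(path[i], path[i + 1]) for i in range(len(path) - 1)
            if frozenset((path[i], path[i + 1])) not in trusts]


def report(capaths_text, client, server, trusts=TRUSTS):
    """Resolve one client/server pair and flag hops lacking a direct trust."""
    path = realm_path(parse_capaths(capaths_text), client, server)
    return {"path": path, "tgts": tgt_sequence(path),
            "untrusted": untrusted_hops(path, trusts)}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CAPATHS),
                       ("corrected", CORRECTED_CAPATHS)):
        r = report(text, "DOM2.TOP.COM", "TEST.HOME")
        print(name + ":", " -> ".join(r["path"]))
        for tgt in r["tgts"]:
            print("   ", tgt)
        if r["untrusted"]:
            print("    hops without a direct trust:", r["untrusted"])
```

With the original entry the walk is DOM2.TOP.COM -> DOM1.TOP.COM -> TEST.HOME, and the first hop has no direct trust behind it, which is the point made in the reply; with the two-line entry the walk is DOM2.TOP.COM -> TOP.COM -> DOM1.TOP.COM -> TEST.HOME and every hop is backed by a trust. Note that `[capaths]` only decides which route the client asks for: each KDC on the route decides for itself whether the realms already in the ticket's transited field are acceptable, and KRB5KDC_ERR_PATH_NOT_ACCEPTED (28) is that KDC's refusal, which no client-side capaths entry can override. On an MIT KDC that decision is driven by the KDC's own `[capaths]`; on a Windows DC it comes from the DC's trust configuration.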