Logging on with cached ticket

Nikolay Shopik shopik at inblock.ru
Fri Jun 5 01:03:50 EDT 2009


On 04.06.2009 11:15, Nikolay Shopik wrote:
> On 04.06.2009 11:10, Ravi Channavajhala wrote:
>> Wouldn't it be nice if you can really make another server (Linux or
>> Unix) as a backup KDC?  But in reality, this may or may not work (I
>> haven't tried this personally) but Microsoft Kerberos implementation
>> is different from stock MIT.  Kerberos in Windows 2000 inserts the
>> SIDs in the TGT necessarily, although an optional field, and the
>> encrypted TGT is stored in a user credential cache.  There are
>> certainly interoperability issues you may run into.  The point to
>> remember is Windows Kerberos implementation varies from MIT, for that
>> matter even on Solaris.
>
> Now I understand that; probably I should go with cross-realm trust, by
> making another KDC and configuring trust with the current W2003 KDC. This is
> a much easier way than figuring out how to make different Kerberos
> implementations work altogether.
>
> Any thoughts on how offline clients should be handled? What are the best
> practices about that?

The only thing I found is pam_krb5, which has an existing_ticket option (it tells
pam_krb5.so to accept the presence of pre-existing Kerberos credentials
provided by the calling application in the default credential cache as
sufficient to authenticate the user, and to skip any account management
checks). This is available only in Red Hat from what I see, but not in
Debian/Ubuntu.

I wonder how the Windows implementation is done, when it allows login even
when the KDC is not available. I doubt it uses the existing ticket, because it
expires in just 24 hours and you can still log in.
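A PAM stack showing the existing_ticket option mentioned above next to a stricter variant, added here as an illustration and not taken from the thread or from the pam_krb5 project; the file path, the pam_unix fallback and the comments are assumptions, and the second stack keeps an account phase that does not depend on pam_krb5 precisely because existing_ticket skips pam_krb5's own account management checks.

```conf
# /etc/pam.d/login  (constructed example, not from the mailing-list thread)

# Variant 1: cached ticket alone is enough.
# "sufficient" returns success as soon as pam_krb5 sees credentials in the
# default ccache; no KDC round-trip and, per the man page text quoted above,
# no account management checks, so a locked or expired account that still
# has a leftover ticket is let in.
auth     sufficient  pam_krb5.so existing_ticket
auth     required    pam_unix.so
account  required    pam_permit.so

# Variant 2: same offline convenience, but account status is still enforced.
# - existing_ticket satisfies the auth phase when a ticket is cached;
# - otherwise pam_krb5 tries the KDC with the password already collected;
# - pam_unix is the local fallback when the KDC is unreachable;
# - the account phase runs pam_unix regardless, so local expiry/lock
#   state is checked even though pam_krb5's own checks were skipped.
auth     sufficient  pam_krb5.so existing_ticket
auth     sufficient  pam_krb5.so use_first_pass
auth     required    pam_unix.so
account  required    pam_unix.so
```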
