Logging on with cached ticket

Simo Sorce ssorce at redhat.com
Fri Jun 5 09:15:33 EDT 2009 

On Fri, 2009-06-05 at 09:03 +0400, Nikolay Shopik wrote:
> On 04.06.2009 11:15, Nikolay Shopik wrote:
> > On 04.06.2009 11:10, Ravi Channavajhala wrote:
> >> Wouldn't it be nice if you can really make another server (Linux or
> >> Unix) as a backup KDC?  But in reality, this may or may not work (I
> >> haven't tried this personally) but Microsoft Kerberos implementation
> >> is different from stock MIT.  Kerberos in Windows 2000 inserts the
> >> SIDS in the TGT necessairly,  although an optional field and the
> >> encrypted TGT is stored in a user credential cache.  There are
> >> certainly interoperability issues you may run into.  The point to
> >> remember is Windows Kerberos implementation varies from MIT, for that
> >> matter even on Solaris.
> >
> > Now I understand that, probably I should go with cross-realm trust, by
> > making another KDC and configure trust with current W2003 KDC. This is
> > much easier way than figure out how to make different kerberos
> > implementation works altogether.
> >
> > Any toughs how should offline clients handled? What best practices about
> > that?
> 
> Only thing I found is pam_krb5 which have existing_ticket option. (tells 
> pam_krb5.so to accept the presence of pre-existing Kerberos credentials 
> provided by the calling application in the default credential cache as 
> sufficient to authenticate the user, and to skip any account management 
> checks). While this available only in Red Hat from what I see but not in 
> Debian/Ubuntu.
> 
> Me wonder how Windows implementation is done, when it allowed login even 
> when KDC is not available. I doubt if it use existing ticked, because it 
> expired just in 24 hours and you can still login.

Windows caches the NT hash of your password.
That's how you get access w/o the KDC. Nothing to do with kerberos
credentials at all.

Also IIRC: in most cases you will not notice because, if krb credentials
are not available, but NTLM auth is not forbidden, your client will
connect to servers using NTLM auth. Then, the first time you have to
unlock your screen or enter a password for other legitimate purposes and
the KDC is available, a new TGT is requested.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Kerberos mailing list