Problems with TGS referral ...

[michael-kerberos@waldvogel.name]

Hi,

I've been trying to setup two different KDCs with realms A.COM and B.COM
and I'm now stuck with a TGS referral problem. I've setup a Windows XP
installation to use a KDC for realm A.COM. That works like a charm. I can
do a logon and the KDC also issues also all kinds of service tickets within
realm A.COM (I tried with Squid and SSH). I have configured the MIT KDC
(1.7) for cross realm authentication with realm B.COM. If I use ssh on the
same host that the KDC for A.COM is running I can do cross realm
authentication to services in realm B.COM. But if I try to do this from
Windows XP this doesn't work.

The problem is that Windows doesn't know anything about domain realm
mappings. So tried to inform XP about it, but without any success (DNS SRV
records for KDCs and TXT records for the realm mapping are set). So Windows
keeps asking for tickets of the form host/host-in-realm-b at A.COM instead of
host/host-in-realm-b at B.COM. I've been reading about this new feature of TGS
referrals, where the KDC responds with a cross realm ticket for the KDC in
B.COM when asked (TGS) for a service ticket for a host known to be in realm
B.COM but the KDC of realm A.COM only keeps complaining that the principal
cannot be found ...

I'm aware that in the TGS request bit 15 for canonicalize must be set, so
I configured the realm settings with ksetup /setrealmflags A.COM 0x8. Then
I checked with Wireshark that this bit is actually set. But the KDC keeps
refusing to send me a TGS referral for realm B.COM ...

I'm using an MIT KRB5 build from Gentoo Linux (32bit) (1.7-r2).

Has somebody successfully configured any MIT KRB5 version (most likely >=
1.7) with TGS referral?

Best regards,
Michael Waldvogel