Problems with TGS referral ...
Richard E. Silverman
res at qoxp.net
Tue May 4 01:00:14 EDT 2010
>>>>> <michael-kerberos at waldvogel.name> writes:
> Hi,
> I've been trying to setup two different KDCs with realms A.COM and
> B.COM and I'm now stuck with a TGS referral problem. I've setup a
> Windows XP installation to use a KDC for realm A.COM. That works
> like a charm. I can do a logon and the KDC also issues all
> kinds of service tickets within realm A.COM (I tried with Squid and
> SSH). I have configured the MIT KDC (1.7) for cross realm
> authentication with realm B.COM. If I use ssh on the same host that
> the KDC for A.COM is running I can do cross realm authentication to
> services in realm B.COM. But if I try to do this from Windows XP
> this doesn't work.
> The problem is that Windows doesn't know anything about domain realm
> mappings. So I tried to inform XP about it, but without any success
> (DNS SRV records for KDCs and TXT records for the realm mapping are
> set). So Windows keeps asking for tickets of the form
> host/host-in-realm-b at A.COM instead of
> host/host-in-realm-b at B.COM. I've been reading about this new feature
> of TGS referrals, where the KDC responds with a cross realm ticket
> for the KDC in B.COM when asked (TGS) for a service ticket for a
> host known to be in realm B.COM but the KDC of realm A.COM only
> keeps complaining that the principal cannot be found ...
> I'm aware that in the TGS request bit 15 for canonicalize must be
> set, so I configured the realm settings with ksetup /setrealmflags
> A.COM 0x8. Then I checked with Wireshark that this bit is actually
> set. But the KDC keeps refusing to send me a TGS referral for realm
> B.COM ...
The MIT code also requires that the principal type in the request be
NT-HST-SRV in order for it to automatically issue referrals; Windows,
however, sets the type to NT-HST-SRV. The logic is this (comments taken
from the MIT code, v1.8):
/* By now we know that server principal name is unknown.
 * If CANONICALIZE flag is set in the request
 *   If req is not U2U authn. req
 *     the requested server princ. has exactly two components
 *     either
 *       the name type is NT-SRV-HST
 *     or name type is NT-UNKNOWN and
 *       the 1st component is listed in conf file under host_based_services
 *     the 1st component is not in a list in conf under "no_host_referral"
 *     the 2d component looks like fully-qualified domain name (FQDN)
 * If all of these conditions are satisfied - try mapping the FQDN and
 * re-process the request as if client had asked for cross-realm TGT.
 */
Given this, I had to patch the code to get it working, but it does work.
Also, you have to code the host->realm mappings for hosts you want
referrals on into krb5.conf; it doesn't seem to use the DNS for this
(_kerberos TXT RR's). You'd have to be careful with that anyway; it would
be very easy to get referral loops, given that the Windows and Unix views
of realm membership don't match up.
> I'm using an MIT KRB5 build from Gentoo Linux (32bit) (1.7-r2).
> Has somebody successfully configured any MIT KRB5 version (most
> likely >= 1.7) with TGS referral?
> Best regards, Michael Waldvogel
--
Richard Silverman
res at qoxp.net
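An added example, not code from the thread or from MIT krb5: a small Python model of the referral decision described in the quoted comment, combined with a krb5.conf [domain_realm]-style host-to-realm lookup and a referral-chaser that detects the loops the reply warns about. The TgsReq class, the KDCS table, the hostnames and the two sample realms are constructed for illustration; the name-type values and the position of the canonicalize bit are the ones from RFC 4120 and RFC 6806, everything else is an assumption of the model.

```python
from dataclasses import dataclass

# Principal name types from RFC 4120 section 6.2.
NT_UNKNOWN = 0
NT_PRINCIPAL = 1
NT_SRV_HST = 3

# KDCOptions is a KerberosFlags BIT STRING in which bit 0 is the most
# significant bit of the 32-bit value, so bit 15 (canonicalize) is 0x00010000.
KDC_OPT_CANONICALIZE = 0x00010000


@dataclass
class TgsReq:
    """The parts of a TGS-REQ the referral decision looks at (model only)."""
    sname: tuple                 # principal components, e.g. ("host", "fs1.b.com")
    name_type: int               # one of the NT_* constants above
    kdc_options: int = 0
    user_to_user: bool = False   # True when the request carries ENC-TKT-IN-SKEY


def looks_like_fqdn(component):
    """At least two non-empty dot-separated labels."""
    labels = component.split(".")
    return len(labels) >= 2 and all(labels)


def map_host_to_realm(hostname, domain_realm):
    """[domain_realm]-style lookup: exact hostname first, then the longest
    parent domain written with a leading dot (krb5.conf convention)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = domain_realm.get("." + ".".join(labels[i:]))
        if realm is not None:
            return realm
    return None


def referral_realm(req, local_realm, domain_realm,
                   host_based_services=(), no_host_referral=()):
    """Apply the conditions from the quoted MIT comment to a request whose
    server principal is already known to be absent from the local database.
    Returns the realm to refer the client to, or None when the KDC should keep
    answering "principal unknown"."""
    if not req.kdc_options & KDC_OPT_CANONICALIZE:
        return None
    if req.user_to_user:
        return None
    if len(req.sname) != 2:
        return None
    service, host = req.sname
    if req.name_type == NT_SRV_HST:
        pass
    elif req.name_type == NT_UNKNOWN and service in host_based_services:
        pass
    else:
        return None          # e.g. NT_PRINCIPAL is never referred by this logic
    if service in no_host_referral:
        return None
    if not looks_like_fqdn(host):
        return None
    realm = map_host_to_realm(host, domain_realm)
    if realm is None or realm == local_realm:
        return None
    return realm


def follow_referrals(client_realm, req, kdcs, max_hops=8):
    """Chase referrals across the modelled KDCs in `kdcs`. Returns ("issued", path)
    when some realm holds the principal, ("unknown", path) when the chain stops
    without it, and raises RuntimeError on a referral loop or too many hops."""
    path = [client_realm]
    realm = client_realm
    while len(path) <= max_hops:
        cfg = kdcs[realm]
        if "/".join(req.sname) in cfg["principals"]:
            return "issued", path
        nxt = referral_realm(req, realm, cfg["domain_realm"],
                             cfg.get("host_based_services", ()),
                             cfg.get("no_host_referral", ()))
        # A referral only helps if this realm holds a cross-realm TGT for it.
        if nxt is None or "krbtgt/" + nxt not in cfg["principals"]:
            return "unknown", path
        if nxt in path:
            raise RuntimeError("referral loop: " + " -> ".join(path + [nxt]))
        path.append(nxt)
        realm = nxt
    raise RuntimeError("too many referral hops: " + " -> ".join(path))


# Constructed sample: two realms whose [domain_realm] views disagree about
# bad.b.com, which is exactly how a referral loop arises.
KDCS = {
    "A.COM": {
        "principals": {"host/ws1.a.com", "krbtgt/B.COM"},
        "domain_realm": {".a.com": "A.COM", ".b.com": "B.COM"},
        "host_based_services": ("host",),
    },
    "B.COM": {
        "principals": {"host/fs1.b.com", "krbtgt/A.COM"},
        "domain_realm": {".b.com": "B.COM", "bad.b.com": "A.COM"},
    },
}
```

With this table, a request for host/fs1.b.com from A.COM with canonicalize set and name type NT-SRV-HST is referred to B.COM and served there; the same request with NT-PRINCIPAL, or without the canonicalize bit, is never referred, which is the behaviour the thread is stuck on. A request for host/bad.b.com bounces A.COM to B.COM and back, and the chaser reports the loop instead of following it forever.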