Problems with TGS referral ...
michael-kerberos@waldvogel.name
Sat May 8 13:58:26 EDT 2010
Upgrading to v1.8.1 did the trick. In my test scenario XP now successfully
gets a TGS referral ticket issued.
Many thanks to Richard E. Silverman and Tom Yu!!
Best regards,
Michael Waldvogel
On Tue, 04 May 2010 01:00:14 -0400, "Richard E. Silverman" <res at qoxp.net>
wrote:
>>>>>> <michael-kerberos at waldvogel.name> writes:
>
> > Hi,
>
> > I've been trying to set up two different KDCs with realms A.COM and
> > B.COM and I'm now stuck with a TGS referral problem. I've set up a
> > Windows XP installation to use a KDC for realm A.COM. That works
> > like a charm. I can do a logon and the KDC also issues all
> > kinds of service tickets within realm A.COM (I tried with Squid and
> > SSH). I have configured the MIT KDC (1.7) for cross realm
> > authentication with realm B.COM. If I use ssh on the same host that
> > the KDC for A.COM is running I can do cross realm authentication to
> > services in realm B.COM. But if I try to do this from Windows XP
> > this doesn't work.
>
> > The problem is that Windows doesn't know anything about domain realm
> > mappings. So I tried to inform XP about it, but without any success
> > (DNS SRV records for KDCs and TXT records for the realm mapping are
> > set). So Windows keeps asking for tickets of the form
> > host/host-in-realm-b at A.COM instead of
> > host/host-in-realm-b at B.COM. I've been reading about this new feature
> > of TGS referrals, where the KDC responds with a cross realm ticket
> > for the KDC in B.COM when asked (TGS) for a service ticket for a
> > host known to be in realm B.COM but the KDC of realm A.COM only
> > keeps complaining that the principal cannot be found ...
>
> > I'm aware that in the TGS request bit 15 for canonicalize must be
> > set, so I configured the realm settings with ksetup /setrealmflags
> > A.COM 0x8. Then I checked with Wireshark that this bit is actually
> > set. But the KDC keeps refusing to send me a TGS referral for realm
> > B.COM ...
>
> The MIT code also requires that the principal type in the request be
> NT-HST-SRV in order for it to automatically issue referrals; Windows,
> however, sets the type to NT-HST-SRV. The logic is this (comments taken
> from the MIT code, v1.8):
>
> /* By now we know that server principal name is unknown.
> * If CANONICALIZE flag is set in the request
> * If req is not U2U authn. req
> * the requested server princ. has exactly two components
> * either
> * the name type is NT-SRV-HST
> * or name type is NT-UNKNOWN and
> * the 1st component is listed in conf file under host_based_services
> * the 1st component is not in a list in conf under "no_host_referral"
> * the 2d component looks like fully-qualified domain name (FQDN)
> * If all of these conditions are satisfied - try mapping the FQDN and
> * re-process the request as if client had asked for cross-realm TGT.
> */
>
> Given this, I had to patch the code to get it working, but it does work.
> Also, you have to code the host->realm mappings for hosts you want
> referrals on into krb5.conf; it doesn't seem to use the DNS for this
> (_kerberos TXT RR's). You'd have to be careful with that anyway; it would
> be very easy to get referral loops, given that the Windows and Unix views
> of realm membership don't match up.
>
> > I'm using an MIT KRB5 build from Gentoo Linux (32bit) (1.7-r2).
>
> > Has somebody successfully configured any MIT KRB5 version (most
> > likely >= 1.7) with TGS referral?
>
> > Best regards, Michael Waldvogel
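As an added example (not MIT's code and not part of this thread), here is a Python model of the referral decision the quoted MIT comment describes: canonicalize set, not user-to-user, two-component name, NT-SRV-HST (or NT-UNKNOWN plus host_based_services), not in no_host_referral, FQDN second component, then a krb5.conf [domain_realm] lookup. The realm names, hostnames and config values are constructed, and the [domain_realm] matching and FQDN test are my own simplified interpretation.

```python
from dataclasses import dataclass

NT_UNKNOWN, NT_SRV_HST = 0, 3            # Kerberos principal name types
KDC_OPT_CANONICALIZE = 0x00010000        # KDCOptions bit 15
KDC_OPT_ENC_TKT_IN_SKEY = 0x00000008     # KDCOptions bit 28: user-to-user request

@dataclass
class TgsReq:
    server: tuple        # principal components, e.g. ("host", "web.b.com")
    name_type: int
    kdc_options: int

# Constructed krb5.conf-style settings for the A.COM KDC (hypothetical values).
CONF = {
    "domain_realm": {".b.com": "B.COM", "a.com": "A.COM", ".a.com": "A.COM"},
    "host_based_services": {"A.COM": ["host", "HTTP"]},
    "no_host_referral": {"A.COM": ["HTTP"]},
}

def looks_like_fqdn(name):
    labels = name.split(".")
    return len(labels) >= 2 and all(l and not l.startswith("-") for l in labels)

def host_to_realm(host, domain_realm):
    """[domain_realm] lookup: exact host first, then the longest '.suffix' entry."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = domain_realm.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return None

def referral_realm(req, local_realm, conf):
    """Realm the KDC would refer the client to, or None (plain 'principal unknown')."""
    if not req.kdc_options & KDC_OPT_CANONICALIZE:
        return None
    if req.kdc_options & KDC_OPT_ENC_TKT_IN_SKEY:     # U2U requests get no referral
        return None
    if len(req.server) != 2:
        return None
    service, host = req.server
    hbs = conf["host_based_services"].get(local_realm, [])
    if req.name_type != NT_SRV_HST and not (req.name_type == NT_UNKNOWN and service in hbs):
        return None
    if service in conf["no_host_referral"].get(local_realm, []):
        return None
    if not looks_like_fqdn(host):
        return None
    realm = host_to_realm(host, conf["domain_realm"])
    # Mapping back to our own realm would just loop; treat it as unknown principal.
    return realm if realm and realm != local_realm else None
```

Each `None` corresponds to the "principal cannot be found" error the original poster saw; only the full path through every check produces a cross-realm referral.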