Problems with TGS referral ...

michael-kerberos at waldvogel.name
Sat May 8 13:58:26 EDT 2010


Upgrading to v1.8.1 did the trick. In my test scenario XP now successfully
gets a TGS referral ticket issued.
Many thanks to Richard E. Silverman and Tom Yu!!

Best regards,
Michael Waldvogel

On Tue, 04 May 2010 01:00:14 -0400, "Richard E. Silverman" <res at qoxp.net>
wrote:
>>>>>>   <michael-kerberos at waldvogel.name> writes:
> 
>     > Hi,
> 
>     > I've been trying to set up two different KDCs with realms A.COM and
>     > B.COM and I'm now stuck with a TGS referral problem. I've set up a
>     > Windows XP installation to use a KDC for realm A.COM. That works
>     > like a charm. I can do a logon and the KDC also issues all kinds
>     > of service tickets within realm A.COM (I tried with Squid and
>     > SSH). I have configured the MIT KDC (1.7) for cross realm
>     > authentication with realm B.COM. If I use ssh on the same host that
>     > the KDC for A.COM is running on I can do cross realm authentication
>     > to services in realm B.COM. But if I try to do this from Windows XP
>     > this doesn't work.
> 
>     > The problem is that Windows doesn't know anything about domain realm
>     > mappings. So I tried to inform XP about it, but without any success
>     > (DNS SRV records for KDCs and TXT records for the realm mapping are
>     > set). So Windows keeps asking for tickets of the form
>     > host/host-in-realm-b at A.COM instead of
>     > host/host-in-realm-b at B.COM. I've been reading about this new
>     > feature of TGS referrals, where the KDC responds with a cross realm
>     > ticket for the KDC in B.COM when asked (TGS) for a service ticket
>     > for a host known to be in realm B.COM, but the KDC of realm A.COM
>     > only keeps complaining that the principal cannot be found ...
> 
>     > I'm aware that in the TGS request bit 15 for canonicalize must be
>     > set, so I configured the realm settings with ksetup /setrealmflags
>     > A.COM 0x8. Then I checked with Wireshark that this bit is actually
>     > set. But the KDC keeps refusing to send me a TGS referral for realm
>     > B.COM ...
> 
> The MIT code also requires that the principal type in the request be
> NT-SRV-HST in order for it to automatically issue referrals; Windows,
> however, sets the type to NT-HST-SRV.  The logic is this (comments taken
> from the MIT code, v1.8):
> 
>     /* By now we know that server principal name is unknown.
>      * If CANONICALIZE flag is set in the request
>      * If req is not U2U authn. req
>      * the requested server princ. has exactly two components
>      * either
>      *      the name type is NT-SRV-HST
>      *      or name type is NT-UNKNOWN and
>      *         the 1st component is listed in conf file under host_based_services
>      * the 1st component is not in a list in conf under "no_host_referral"
>      * the 2d component looks like fully-qualified domain name (FQDN)
>      * If all of these conditions are satisfied - try mapping the FQDN and
>      * re-process the request as if client had asked for cross-realm TGT.
>      */
>  
> Given this, I had to patch the code to get it working, but it does work.
> Also, you have to code the host->realm mappings for hosts you want
> referrals on into krb5.conf; it doesn't seem to use the DNS for this
> (_kerberos TXT RR's).  You'd have to be careful with that anyway; it would
> be very easy to get referral loops, given that the Windows and Unix views
> of realm membership don't match up.
> 
>     > I'm using an MIT KRB5 build from Gentoo Linux (32bit) (1.7-r2).
> 
>     > Has somebody successfully configured any MIT KRB5 version (most
>     > likely >= 1.7) with TGS referral?
> 
>     > Best regards, Michael Waldvogel
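Added example, not code from this thread or from MIT krb5: a runnable model of the referral conditions in the quoted MIT 1.8 comment, so the individual checks (canonicalize bit, not user-to-user, two components, name type or host_based_services, no_host_referral, FQDN, [domain_realm] mapping, cross-realm TGT present) can be exercised one at a time. The principal database, the host_based_services / no_host_referral values and the [domain_realm] table are constructed for this example; the name-type constants and KDCOptions bit positions are the RFC 4120 / RFC 6806 values. It also refuses a referral when the mapping points back at the local realm, which is the loop case raised in the reply.

```python
# Added example (not from the mailing-list thread or from MIT krb5): a model
# of the KDC's referral decision for an unknown server principal.

# Principal name types, RFC 4120 section 6.2.
NT_UNKNOWN = 0
NT_PRINCIPAL = 1
NT_SRV_HST = 3

# KDCOptions is a 32-bit ASN.1 bit string with bit 0 as the MSB.
KDC_OPT_CANONICALIZE = 1 << (31 - 15)     # bit 15, RFC 6806
KDC_OPT_ENC_TKT_IN_SKEY = 1 << (31 - 28)  # bit 28: user-to-user request

KDC_REALM = "A.COM"

# Constructed stand-ins for the A.COM KDC's configuration.
HOST_BASED_SERVICES = {"HTTP", "nfs"}   # referred even when type is NT-UNKNOWN
NO_HOST_REFERRAL = {"krbtgt", "kadmin"}  # never referred
DOMAIN_REALM = {                          # krb5.conf [domain_realm] equivalent
    ".b.com": "B.COM",
    "gateway.b.com": "A.COM",  # an explicit host entry wins over its domain
}
# Constructed A.COM principal database; the cross-realm TGT must be present.
KDB = {
    "host/kdc.a.com@A.COM",
    "host/squid.a.com@A.COM",
    "krbtgt/A.COM@A.COM",
    "krbtgt/B.COM@A.COM",
}


def map_fqdn_to_realm(fqdn, domain_realm=DOMAIN_REALM):
    """Longest-suffix [domain_realm] lookup: exact host first, then each
    parent domain (leading dot) from most to least specific."""
    host = fqdn.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None


def tgs_referral_decision(kdc_options, sname, name_type, srealm=KDC_REALM,
                          kdb=KDB, host_based=HOST_BASED_SERVICES,
                          no_referral=NO_HOST_REFERRAL,
                          domain_realm=DOMAIN_REALM):
    """Return ("issue", principal) when the server is local, ("referral",
    cross-realm TGT principal) when every quoted condition holds, and
    ("error", reason) otherwise (standing in for S_PRINCIPAL_UNKNOWN)."""
    requested = "/".join(sname) + "@" + srealm
    if requested in kdb:
        return ("issue", requested)
    # By now we know that the server principal name is unknown.
    if not kdc_options & KDC_OPT_CANONICALIZE:
        return ("error", "canonicalize not set")
    if kdc_options & KDC_OPT_ENC_TKT_IN_SKEY:
        return ("error", "user-to-user request")
    if len(sname) != 2:
        return ("error", "not a two-component name")
    service, host = sname
    if not (name_type == NT_SRV_HST
            or (name_type == NT_UNKNOWN and service in host_based)):
        return ("error", "name type %d not eligible" % name_type)
    if service in no_referral:
        return ("error", "service listed in no_host_referral")
    if "." not in host.strip("."):
        return ("error", "second component is not an FQDN")
    target = map_fqdn_to_realm(host, domain_realm)
    if target is None:
        return ("error", "no [domain_realm] mapping for " + host)
    if target == srealm:
        # The mapping points back at this KDC: a referral would loop.
        return ("error", "host maps to the local realm")
    cross_tgt = "krbtgt/%s@%s" % (target, srealm)
    if cross_tgt not in kdb:
        return ("error", "no cross-realm TGT for " + target)
    return ("referral", cross_tgt)


if __name__ == "__main__":
    canon = KDC_OPT_CANONICALIZE
    for opts, sname, ntype in [
        (canon, ["host", "ssh.b.com"], NT_SRV_HST),      # referred
        (canon, ["host", "ssh.b.com"], NT_PRINCIPAL),    # wrong name type
        (0,     ["host", "ssh.b.com"], NT_SRV_HST),      # canonicalize unset
        (canon, ["HTTP", "www.b.com"], NT_UNKNOWN),      # host_based_services
        (canon, ["host", "gateway.b.com"], NT_SRV_HST),  # maps back to A.COM
    ]:
        print(sname, ntype, "->", tgs_referral_decision(opts, sname, ntype))
```

The `__main__` block walks the cases from the thread: the same `host/ssh.b.com` request is referred with NT-SRV-HST, rejected with another name type, and rejected when bit 15 is clear, which is the pair of conditions a Wireshark capture of the TGS-REQ lets you verify directly.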
