Microsoft ReadOnlyDomainController (RODC) question
Markus Moeller
huaraz at moeller.plus.com
Thu Aug 25 16:54:20 EDT 2011
Does anybody know if an MIT client can work with a RODC?
Looking at page 142 of
http://download.microsoft.com/download/e/e/0/ee04289a-02a7-45e9-86ce-e0ec41211c08/LHBOG_Plan.doc
I wonder how a TGS could be received, for example for SASL/GSSAPI
authentication to the RODC LDAP port.
Suppose BKCOMPUTER is a Unix host with an OpenLDAP client with SASL/GSSAPI
support. The user BobKelly would do a kinit against the RODC and then start,
for example, an ldapsearch, and I would assume that at step 4 it would fail as
the MIT library receives an unknown error. Unfortunately I don't have a RODC
at hand to test.
Service ticket acquisition
1. BKCOMPUTER transmits a Kerberos ticket-granting service (TGS) request
(KRB_TGS_REQ) for BobKelly to RODC1 along with the TGT that was issued by
WDC1.
2. RODC1 cannot decrypt the TGT because it does not know the password of the
krbtgt account that writeable domain controllers use to encrypt the TGT.
RODC1 therefore forwards the KRB_TGS_REQ to WDC1.
3. WDC1 receives and deciphers the KRB_TGS_REQ and replies with a Kerberos
TGS response (KRB_TGS_REP) to RODC1.
4. Because RODC1 has cached BobKelly's credentials, it is able to satisfy
requests for service tickets. Therefore, after receiving a KRB_TGS_REP from
WDC1, RODC1 returns an error message to BKCOMPUTER, instead of a Service
Ticket.
5. BKCOMPUTER discards the TGT that was previously issued by WDC1 after
receiving the error message from RODC1. Then, BKCOMPUTER sends another
KRB_AS_REQ to RODC1.
6. RODC1 receives the KRB_AS_REQ. Because BobKelly's credentials are cached,
RODC1 uses its own krbtgt account to encrypt the TGT.
7. RODC1 then sends a KRB_AS_REP with the new TGT to BKCOMPUTER.
8. BKCOMPUTER sends another KRB_TGS_REQ (including the new TGT issued by
RODC1) to RODC1.
9. RODC1 receives the KRB_TGS_REQ and is able to decrypt the TGT this time.
Because BKCOMPUTER credentials are cached locally, RODC1 generates and sends
a KRB_TGS_REP with the service ticket to BKCOMPUTER for BobKelly.
Thank you
Markus
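Added example, not part of Markus's post or of the Microsoft document he quotes: a small Python model of the nine quoted steps, showing why the RODC's separate krbtgt key forces the client to repeat the AS exchange before a service ticket can be issued. The KDC names, key bytes, cached-user sets and error strings are constructed for the model, and ticket encryption is stood in for by a keyed MAC.

```python
import base64, hashlib, hmac, json

# Model of the nine quoted steps: ticket "encryption" is a keyed MAC, so a KDC
# without the issuing krbtgt key cannot verify ("decrypt") the TGT. All key
# bytes, names and error strings here are constructed, not real AD values.

def seal(key, body):
    raw = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(raw + hmac.new(key, raw, hashlib.sha256).digest()).decode()

def unseal(key, blob):
    data = base64.b64decode(blob)
    raw, tag = data[:-32], data[-32:]
    if not hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).digest(), tag):
        return None  # wrong krbtgt key: this KDC cannot read the TGT
    return json.loads(raw)

class KDC:
    def __init__(self, name, krbtgt_key, cached_users, forward_to=None):
        self.name, self.key, self.cached = name, krbtgt_key, set(cached_users)
        self.forward_to, self.log = forward_to, []

    def as_req(self, user):  # steps 6-7: TGT sealed with this KDC's own krbtgt key
        self.log.append(("AS_REQ", user))
        return seal(self.key, {"cname": user, "issuer": self.name})

    def tgs_req(self, tgt, service):
        self.log.append(("TGS_REQ", service))
        body = unseal(self.key, tgt)
        if body is None and self.forward_to is not None:
            # steps 2-4: forward to the writable DC, then still answer with an
            # error because the client's secrets are cached on this RODC
            self.forward_to.tgs_req(tgt, service)
            return {"error": "MODEL_REAUTHENTICATE_TO_RODC"}
        if body is None or body["cname"] not in self.cached:
            return {"error": "MODEL_CANNOT_ISSUE_TICKET"}
        return {"ticket": seal(self.key, {"cname": body["cname"], "sname": service})}

def get_service_ticket(kdc, tgt, user, service):
    """Client side of steps 1, 5 and 8: on error, redo the AS exchange, retry once."""
    rep = kdc.tgs_req(tgt, service)
    if "error" in rep:
        rep = kdc.tgs_req(kdc.as_req(user), service)
    return rep

def run_flow():
    wdc = KDC("WDC1", b"model-wdc-krbtgt-key", {"BobKelly"})
    rodc = KDC("RODC1", b"model-rodc-krbtgt-key", {"BobKelly"}, forward_to=wdc)
    rep = get_service_ticket(rodc, wdc.as_req("BobKelly"), "BobKelly", "ldap/rodc1")
    return rep, rodc.log, wdc.log
```

The RODC log shows the error-then-AS_REQ-then-retry pattern a client must tolerate, and a ticket sealed under the RODC key does not verify under the writable DC's key, which is the separation the quoted steps rely on.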