Microsoft Read-Only Domain Controller (RODC) question

Markus Moeller huaraz at moeller.plus.com
Thu Aug 25 16:54:20 EDT 2011


Does anybody know if a MIT client can work with a RODC ?

Looking at page 142 of 
http://download.microsoft.com/download/e/e/0/ee04289a-02a7-45e9-86ce-e0ec41211c08/LHBOG_Plan.doc I 
wonder how a TGS could be received for example for SASL/GSSAPI 
authentication to the RODC ldap port.

If BKCOMPUTER is a Unix host with an OpenLDAP client with SASL/GSSAPI 
support, the user BobKelly would do a kinit against the RODC and then start, 
for example, an ldapsearch, and I would assume that at point 4 it would fail, as 
the MIT library receives an unknown error. Unfortunately I don't have a RODC 
at hand to test.

Service ticket acquisition

1. BKCOMPUTER transmits a Kerberos ticket-granting service (TGS) request 
(KRB_TGS_REQ) for BobKelly to RODC1 along with the TGT that was issued by 
WDC1.
2. RODC1 cannot decrypt the TGT because it does not know the password of the 
krbtgt account that writeable domain controllers use to encrypt the TGT. 
RODC1 therefore forwards the KRB_TGS_REQ to WDC1.
3. WDC1 receives and deciphers the KRB_TGS_REQ and replies with a Kerberos 
TGS response (KRB_TGS_REP) to RODC1.
4. Because RODC1 has cached BobKelly's credentials, it is able to satisfy 
requests for service tickets. Therefore, after receiving a KRB_TGS_REP from 
WDC1, RODC1 returns an error message to BKCOMPUTER, instead of a Service 
Ticket.
5. BKCOMPUTER discards the TGT that was previously issued by WDC1 after 
receiving the error message from RODC1. Then, BKCOMPUTER sends another 
KRB_AS_REQ to RODC1.
6. RODC1 receives the KRB_AS_REQ. Because BobKelly's credentials are cached, 
RODC1 uses its own krbtgt account to encrypt the TGT.
7. RODC1 then sends a KRB_AS_REP with the new TGT to BKCOMPUTER.
8. BKCOMPUTER sends another KRB_TGS_REQ (including the new TGT issued by 
RODC1) to RODC1.
9. RODC1 receives the KRB_TGS_REQ and is able to decrypt the TGT this time. 
Because BKCOMPUTER credentials are cached locally, RODC1 generates and sends 
a KRB_TGS_REP with the service ticket to BKCOMPUTER for BobKelly.


Thank you
Markus 
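The exchange in steps 1-9 above, modelled end to end as an added example (this is not code from the original post, from Microsoft's planning document or from MIT Kerberos). Ticket encryption is simulated with an HMAC tag under the issuing KDC's krbtgt key, so a KDC can "decrypt" a TGT only if it holds the key the TGT was sealed with, which is exactly the property steps 2 and 9 turn on. Everything not stated on the page is an assumption: the host names WDC1/RODC1 and the SPN ldap/rodc1.example.com are illustrative, the step-4 error is taken to be KDC_ERR_TGT_REVOKED (20 in RFC 4120; the quoted text only says "an error message"), and an RODC is assumed to relay an AS-REQ for a user it has not cached to the writable DC, by analogy with steps 2-3. Two client behaviours are run: one that treats the step-4 error as steps 5-8 require, and one that gives up on any KRB_ERROR, which is the failure mode the question is about.

```python
"""Toy model of the RODC service-ticket exchange (steps 1-9 of the quoted text).

Added illustration, not code from the original post, Microsoft or MIT.
Ticket 'encryption' is simulated with an HMAC tag under the issuer's krbtgt
key, so a KDC can 'decrypt' a ticket only if it holds the key the tag was
made with.  Assumptions not stated on the page: the step-4 error code is
KDC_ERR_TGT_REVOKED (20, RFC 4120), and an RODC relays an AS-REQ for a user
it has not cached to the writable DC (by analogy with steps 2-3).
"""
import hashlib
import hmac
from dataclasses import dataclass

KDC_ERR_TGT_REVOKED = 20   # assumed step-4 error code


@dataclass(frozen=True)
class Ticket:
    client: str
    server: str    # "krbtgt" for a TGT, otherwise the service principal
    issuer: str    # KDC that minted the ticket
    tag: bytes     # stands in for encryption under the issuer's krbtgt key


def _body(client, server, issuer):
    return f"{client}|{server}|{issuer}".encode()


def seal(key, client, server, issuer):
    """'Encrypt' a ticket: tag it under the issuing KDC's krbtgt key."""
    return Ticket(client, server, issuer,
                  hmac.new(key, _body(client, server, issuer), hashlib.sha256).digest())


def opens(key, t):
    """True only if `key` is the krbtgt key the ticket was sealed with."""
    expect = hmac.new(key, _body(t.client, t.server, t.issuer), hashlib.sha256).digest()
    return hmac.compare_digest(expect, t.tag)


class KDC:
    def __init__(self, name, krbtgt_key, log, cached=(), upstream=None):
        self.name, self.krbtgt_key, self.log = name, krbtgt_key, log
        self.cached = set(cached)     # users whose secrets this RODC holds locally
        self.upstream = upstream      # writable DC an RODC forwards to (None for a WDC)

    def as_req(self, client):
        self.log.append(f"{client} -> {self.name}: KRB_AS_REQ")
        if self.upstream is not None and client not in self.cached:
            return self.upstream.as_req(client)      # assumption: relay, as in steps 2-3
        # steps 6-7 (or a WDC's normal path): TGT sealed with *this* KDC's krbtgt key
        self.log.append(f"{self.name} -> {client}: KRB_AS_REP (TGT from {self.name})")
        return "KRB_AS_REP", seal(self.krbtgt_key, client, "krbtgt", self.name)

    def tgs_req(self, tgt, spn):
        self.log.append(f"{tgt.client} -> {self.name}: KRB_TGS_REQ {spn} (TGT from {tgt.issuer})")
        if opens(self.krbtgt_key, tgt):
            # step 9, or a WDC's normal path: the TGT decrypts, issue the service ticket
            self.log.append(f"{self.name} -> {tgt.client}: KRB_TGS_REP {spn}")
            return "KRB_TGS_REP", seal(self.krbtgt_key, tgt.client, spn, self.name)
        if self.upstream is None:
            return "KRB_ERROR", "TGT not decryptable"
        # steps 2-3: the RODC cannot open a WDC-issued TGT and forwards to the writable DC
        self.log.append(f"{self.name} -> {self.upstream.name}: forward KRB_TGS_REQ")
        kind, body = self.upstream.tgs_req(tgt, spn)
        if tgt.client in self.cached:
            # step 4: credentials are cached, so the RODC answers with an error instead
            self.log.append(f"{self.name} -> {tgt.client}: KRB_ERROR {KDC_ERR_TGT_REVOKED}")
            return "KRB_ERROR", KDC_ERR_TGT_REVOKED
        return kind, body     # not cached: relay the WDC reply (outside the quoted steps)


def build_domain(cached=("BobKelly",)):
    """Constructed sample domain: one writable DC and one RODC with its own krbtgt key."""
    log = []
    wdc1 = KDC("WDC1", b"domain-krbtgt-secret", log)
    rodc1 = KDC("RODC1", b"rodc1-krbtgt-secret", log, cached, upstream=wdc1)
    return wdc1, rodc1, log


def get_service_ticket(wdc, rodc, user, spn, retry_on_error):
    """Client side of steps 1-9 from BKCOMPUTER's point of view.

    retry_on_error=True models a client that handles the step-4 error as steps
    5-8 require; False models a client that gives up on any KRB_ERROR.
    Returns the service ticket, or None when the client failed to obtain one.
    """
    _, tgt = wdc.as_req(user)               # step 1 precondition: a TGT issued by WDC1
    kind, body = rodc.tgs_req(tgt, spn)     # step 1
    if kind == "KRB_ERROR" and body == KDC_ERR_TGT_REVOKED and retry_on_error:
        kind, tgt = rodc.as_req(user)       # steps 5-7: discard old TGT, re-AS at RODC1
        if kind != "KRB_AS_REP":
            return None
        kind, body = rodc.tgs_req(tgt, spn) # steps 8-9: retry with the RODC1-issued TGT
    return body if kind == "KRB_TGS_REP" else None


if __name__ == "__main__":
    for retry in (True, False):
        wdc1, rodc1, log = build_domain()
        st = get_service_ticket(wdc1, rodc1, "BobKelly", "ldap/rodc1.example.com", retry)
        print(f"retry_on_error={retry}: service ticket issuer = {st.issuer if st else None}")
        print("\n".join("  " + line for line in log))
```

Running the script prints the message trace for both clients; the retrying client ends with a service ticket sealed under RODC1's own krbtgt key, while the non-retrying client stops at the KRB_ERROR from step 4 with no service ticket at all. The third case the test exercises, a user the RODC has not cached, is outside the quoted steps and simply relays the writable DC's reply.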




