Kerberos fails with Windows Server 2008 R2 RODC - assistance appreciated in backporting patch
Jonathan Thorpe
jthorpe at conexim.com.au
Fri Mar 4 02:58:36 EST 2011
Hi All,
Our Active Directory environment is running Windows Server 2008 R2 and we've recently started deploying Kerberos across many of our Linux machines for Apache web authentication/single sign on. We have hopes to extend this to SSH authentication as well.
In testing, we have had persistent issues with Kerberos sending a name-type of "unknown" where the Windows 2008 R2 RODC is expecting NT-SRV-INST on TGS principal names. This issue appears to affect both MIT and Heimdal implementations of Kerberos and is discussed at length at:
http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/9166
It would appear this bug has been addressed in 1.9 (see http://src.mit.edu/fisheye/changelog/krb5/?cs=24438); however, running Debian Lenny, we're still using the 1.6 branch. I have attempted to upgrade to 1.9 from the "experimental" repository; however, this breaks too many dependencies to implement in production.
Looking at how dramatically different the 1.6 and 1.9 branches are, I'm not confident enough to backport this patch myself; however, I was hoping someone might be able to help with a patch for the 1.6 releases that Debian is currently shipping?
Kind Regards,
Jonathan
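The name-type mismatch described in the post, as an added illustration that is not code from the thread or from the MIT/Heimdal sources: a minimal DER encoder/decoder for the Kerberos PrincipalName structure (RFC 4120), plus a check that flags a krbtgt service name carried with name-type NT-UNKNOWN instead of NT-SRV-INST, which is the condition the strict RODC rejects. The sample principal krbtgt/EXAMPLE.COM is constructed for the example.

```python
# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
# name-type values from RFC 4120 section 6.2
NT_UNKNOWN = 0
NT_PRINCIPAL = 1
NT_SRV_INST = 2

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    # minimal two's-complement encoding of a small Int32
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_principal_name(name_type, components):
    """Build the DER PrincipalName; each component is a GeneralString (tag 0x1b)."""
    names = b"".join(_tlv(0x1B, c.encode("ascii")) for c in components)
    return _tlv(0x30, _tlv(0xA0, _der_int(name_type)) + _tlv(0xA1, _tlv(0x30, names)))

def _read_tlv(buf, off):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def decode_principal_name(data):
    """Return (name_type, [components]) from a DER PrincipalName."""
    tag, seq, _ = _read_tlv(data, 0)
    assert tag == 0x30
    t0, nt_body, off = _read_tlv(seq, 0)
    assert t0 == 0xA0
    _, nt_int, _ = _read_tlv(nt_body, 0)
    name_type = int.from_bytes(nt_int, "big", signed=True)
    t1, ns_body, _ = _read_tlv(seq, off)
    assert t1 == 0xA1
    _, inner, _ = _read_tlv(ns_body, 0)
    comps, o = [], 0
    while o < len(inner):
        _, s, o = _read_tlv(inner, o)
        comps.append(s.decode("ascii"))
    return name_type, comps

def tgs_sname_acceptable(data):
    """Model of the strict KDC rule from the post: a krbtgt sname must be NT-SRV-INST."""
    name_type, comps = decode_principal_name(data)
    return not (comps and comps[0] == "krbtgt" and name_type != NT_SRV_INST)
```

Running the check over a TGS-REQ sname taken from a client capture tells you whether a 1.6-era client is still emitting the "unknown" name-type that the RODC refuses.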