Kerberos fails with Windows Server 2008 R2 RODC - assistance appreciated in backporting patch

Jonathan Thorpe jthorpe at conexim.com.au
Fri Mar 4 02:58:36 EST 2011


Hi All,

Our Active Directory environment is running Windows Server 2008 R2 and we've recently started deploying Kerberos across many of our Linux machines for Apache web authentication/single sign-on. We have hopes to extend this to SSH authentication as well.

In testing, we have had persistent issues with Kerberos sending a name-type of "unknown" where the Windows 2008 R2 RODC is expecting NT-SRV-INST on TGS principal names. This issue appears to affect both MIT and Heimdal implementations of Kerberos and is discussed at length at:
http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/9166

It would appear this bug has been addressed in 1.9 (see http://src.mit.edu/fisheye/changelog/krb5/?cs=24438); however, running Debian Lenny, we're still using the 1.6 branch. I have attempted to upgrade to 1.9 from the "experimental" repository; however, this breaks too many dependencies to implement in production.

Looking at how dramatically different the 1.6 and 1.9 branches are, I'm not confident enough to backport this patch myself; however, I was hoping someone might be able to help with a patch for the 1.6 releases that Debian is currently shipping?

Kind Regards,
Jonathan
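A small diagnostic, added here and not part of the original post or of MIT krb5, that decodes the name-type field of a DER-encoded Kerberos PrincipalName (RFC 4120 section 5.2.2) so an sname copied out of a captured TGS-REQ can be checked against the NT-SRV-INST type the RODC expects. The sample bytes are constructed; the encoder exists only to build them, and only short-form DER lengths are handled.

```python
# Added example: decode the name-type of a DER-encoded Kerberos PrincipalName
# (RFC 4120 5.2.2) so a captured TGS-REQ sname can be checked for NT-SRV-INST.
# Sample bytes are constructed here, not taken from a real capture. Only
# short-form DER lengths (values shorter than 128 bytes) are handled.

NT_UNKNOWN, NT_PRINCIPAL, NT_SRV_INST = 0, 1, 2   # RFC 4120 section 6.2
NAME_TYPES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST", 3: "NT-SRV-HST"}

def _tlv(buf, pos):
    """Read one DER tag-length-value triple; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form DER length not supported in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def encode_principal_name(name_type, components):
    """Build PrincipalName ::= SEQUENCE { name-type [0] Int32,
    name-string [1] SEQUENCE OF KerberosString } as constructed test input."""
    strings = b"".join(b"\x1b" + bytes([len(c)]) + c.encode() for c in components)
    name_string = b"\x30" + bytes([len(strings)]) + strings
    body = (b"\xa0\x03\x02\x01" + bytes([name_type])
            + b"\xa1" + bytes([len(name_string)]) + name_string)
    return b"\x30" + bytes([len(body)]) + body

def decode_principal_name(der):
    """Return (name_type, [components]) from a DER-encoded PrincipalName."""
    tag, body, _ = _tlv(der, 0)
    tag0, nt_tlv, pos = _tlv(body, 0)
    tag1, ns_tlv, _ = _tlv(body, pos)
    if (tag, tag0, tag1) != (0x30, 0xA0, 0xA1):
        raise ValueError("not a PrincipalName SEQUENCE with [0]/[1] fields")
    _, nt_bytes, _ = _tlv(nt_tlv, 0)            # INTEGER inside [0]
    _, seq, _ = _tlv(ns_tlv, 0)                 # SEQUENCE OF inside [1]
    comps, pos = [], 0
    while pos < len(seq):
        _, s, pos = _tlv(seq, pos)              # each GeneralString (tag 0x1b)
        comps.append(s.decode())
    return int.from_bytes(nt_bytes, "big", signed=True), comps

def check_tgs_sname(der):
    """True when the sname carries NT-SRV-INST, the type the RODC expects."""
    name_type, comps = decode_principal_name(der)
    label = NAME_TYPES.get(name_type, str(name_type))
    return name_type == NT_SRV_INST, "/".join(comps) + " name-type=" + label

# Constructed samples modelling the mismatch described in the post.
BROKEN_SNAME = encode_principal_name(NT_UNKNOWN, ["HTTP", "web.example.com"])
FIXED_SNAME = encode_principal_name(NT_SRV_INST, ["HTTP", "web.example.com"])
```

To use it on real traffic, export the sname field of a TGS-REQ from a packet capture as raw bytes and pass them to check_tgs_sname.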



