Kerberos, Windows2008 RODC and ticket forwarding Problem

Sebastian Galiano Sebastian.Galiano at spilgames.com
Thu Apr 12 05:12:34 EDT 2012


Hello

I'm having some problems getting Kerberos to work. I have two realms: one realm running on Windows 2008 (WINDOWS), with one KDC and an RODC (the RODC is in a separate network). I am testing cross-realm ticket forwarding. The second realm is a Linux realm (LINUX) running on Scientific Linux 6.1. All the Linux machines are using the same Kerberos libraries:

krb5-libs-1.9.2-6.fc16.x86_64
krb5-libs-1.9.2-6.fc16.i686
krb5-workstation-1.9.2-6.fc16.x86_64

So from my Fedora desktop computer I kinit with a WINDOWS realm user, and from there I ssh to my server. The SSH server principal is created in the LINUX realm. This works smoothly.

I also have a kerberized NFS 4 server, declared in the LINUX realm. So from the SSH server (NFS client), I mount the folder and try to access it, getting a permission denied message. I've captured the traffic from my SSH server (NFS client) at the moment of accessing the NFS folder. I've noticed the following error:

KRB_AP_ERR_BAD_INTEGRITY

Also I noticed that the Name-Type inside the request packet is Unknown.

After some browsing on the internet, it seems that the W2008 RODC needs the Name-Type to be set, and in fact this has been patched in Kerberos. What is more, if I don't do ticket forwarding, that is, I kinit the user from the SSH server (NFS client) and access the folder, it works!

Could it be that the current implementation of Kerberos is not setting the Name-Type for forwarded tickets?

Regards

Sebastián Galiano
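An added illustration, not part of the message above: a small Python decoder for the name-type of a DER-encoded Kerberos PrincipalName (RFC 4120), the field the capture showed as Unknown. The encoder and the principal names (nfs/nfs.example.com, user1) are constructed inputs so the check runs offline against sample bytes rather than a real capture.

```python
# Added example: parse the name-type of a DER-encoded Kerberos PrincipalName
# (RFC 4120), the field a capture shows as "Unknown" when it is NT-UNKNOWN (0).
# PrincipalName ::= SEQUENCE { name-type [0] Int32,
#                              name-string [1] SEQUENCE OF KerberosString }
NT_NAMES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST", 3: "NT-SRV-HST"}


def _der_len(n):
    # Short form, or one-byte long form; enough for principal names.
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_principal(name_type, parts):
    """Build sample PrincipalName bytes (constructed input, not a real capture)."""
    nt = _tlv(0xA0, _tlv(0x02, bytes([name_type & 0x7F])))             # [0] EXPLICIT INTEGER
    strings = b"".join(_tlv(0x1B, p.encode("ascii")) for p in parts)   # GeneralString items
    ns = _tlv(0xA1, _tlv(0x30, strings))                                 # [1] SEQUENCE OF
    return _tlv(0x30, nt + ns)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_principal(der):
    """Return (name_type, [name-string parts]) from PrincipalName DER."""
    _, body, _ = _read_tlv(der, 0)
    fields, pos = {}, 0
    while pos < len(body):                          # collect the [0] and [1] fields
        ctag, cbody, pos = _read_tlv(body, pos)
        fields[ctag] = cbody
    _, nt_bytes, _ = _read_tlv(fields[0xA0], 0)
    name_type = int.from_bytes(nt_bytes, "big", signed=True)
    _, seq, _ = _read_tlv(fields[0xA1], 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, s, pos = _read_tlv(seq, pos)
        parts.append(s.decode("ascii"))
    return name_type, parts


def check_sname(der):
    """Label the name-type; ok is False when it is NT-UNKNOWN, the symptom described."""
    nt, parts = decode_principal(der)
    return NT_NAMES.get(nt, f"NT-{nt}"), "/".join(parts), nt != 0
```

Running check_sname over the sname of each captured AP-REQ ticket separates tickets that carry a proper service name-type from the NT-UNKNOWN ones the RODC rejects.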

