Kerberos, Windows2008 RODC and ticket forwarding Problem

Sebastian Galiano Sebastian.Galiano at spilgames.com
Fri Apr 13 03:18:00 EDT 2012 

Looking into the captures, I noticed that in the  TGS-REQ packets , the NAME-TYPE is Unknown in both cases (Forwareded and not Forwarded Ticket). But in the forwarded ticket capture I don't see any AS-REQ.

Could it be that what is causing the: KRB5KRB_AP_ERR_BAD_INTEGRITY ?
________________________________________
From: Sebastian Galiano
Sent: 13 April 2012 08:58
To: kerberos at mit.edu
Subject: RE: Kerberos, Windows2008 RODC and ticket forwarding Problem

I found more information regarding my problem :
http://lists.samba.org/archive/samba-technical/2010-September/073566.html

The thing is that this problem has been patched and It works. In fact I found the code in krb5lib's  current version source code that makes the trick,  in the file get_in_tkt.c:
    /*
     * Windows Server 2008 R2 RODC insists on TGS principal names having the
     * right name type.
     */
    if (krb5_princ_size(context, *server) == 2 &&
        data_eq_string(*krb5_princ_component(context, *server, 0),
                       KRB5_TGS_NAME)) {
        krb5_princ_type(context, *server) = KRB5_NT_SRV_INST;
    }
    return 0;
}
This sets the right type for NAME-TYPE, unfortunately it doesn't seem to work when I'm using a forwarded ticket. The name type in the request when the ticket is forwarded keeps being unknown, unlike when the ticket is granted from the machine then is : Service and Instance.





________________________________________
From: kerberos-bounces at mit.edu [kerberos-bounces at mit.edu] on behalf of Sebastian Galiano [Sebastian.Galiano at spilgames.com]
Sent: 12 April 2012 11:12
To: kerberos at mit.edu
Subject: Kerberos, Windows2008 RODC and ticket forwarding Problem

Hello

I'm having some problems to get kerberos to work. I got two realms, one realm working in Windows 2008 (WINDOWS), with one KDC and RODC (the RODC  is in a separate network). I am testing the ticketing forwarding cross realm. The second realm is a linux realm (LINUX) running on scientific linux 6.1. All the Linux machines are using the same kerberos libraries :

krb5-libs-1.9.2-6.fc16.x86_64
krb5-libs-1.9.2-6.fc16.i686
krb5-workstation-1.9.2-6.fc16.x86_64

So in from my fedora desktop computer I kinit with a WINDOWS realm user, and from there I ssh to my server. The SSH server principal is created in LINUX realm. This works smoothly.

I also have a NFS 4 server kerberized, and declared in the LINUX realm. So from the SSH server (NFS client), I mount the folder and try to access, getting a permission denied message. I've captured the traffic from my SSH server (NFS Client), in the moment of accessing the NFS folder. I've  noticed  the following error:

KRB_AP_ERR_BAD_INTEGRITY

Also I noticed that the Name-Type inside the request packet is Unknown.

After some browsing in the internet, it seems that W2008 RODC needs the Name-Type to be set, and in fact this has been patched in kerberos. What is more if I dont do ticket forwarding , so I kinit the user from the SSH server (NFS Client), and access the folder it works!

Could it be that the current implementation of Kerberos is not setting the Name-Type for forwarded tickets?

Regards

Sebastián Galiano
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list