Kerberos, Windows2008 RODC and ticket forwarding Problem
Sebastian Galiano
Sebastian.Galiano at spilgames.com
Fri Apr 13 03:23:42 EDT 2012
Ok, the AS-REQ is only to initiate the authentication, that is why the not forwarded one has that packet. Then
I really dont know why is giving the KRB5KRB_AP_ERR_BAD_INTEGRITY
________________________________________
From: Sebastian Galiano
Sent: 13 April 2012 09:18
To: kerberos at mit.edu
Subject: RE: RE: Kerberos, Windows2008 RODC and ticket forwarding Problem
Looking into the captures, I noticed that in the TGS-REQ packets , the NAME-TYPE is Unknown in both cases (Forwareded and not Forwarded Ticket). But in the forwarded ticket capture I don't see any AS-REQ.
Could it be that what is causing the: KRB5KRB_AP_ERR_BAD_INTEGRITY ?
________________________________________
From: Sebastian Galiano
Sent: 13 April 2012 08:58
To: kerberos at mit.edu
Subject: RE: Kerberos, Windows2008 RODC and ticket forwarding Problem
I found more information regarding my problem :
http://lists.samba.org/archive/samba-technical/2010-September/073566.html
The thing is that this problem has been patched and It works. In fact I found the code in krb5lib's current version source code that makes the trick, in the file get_in_tkt.c:
/*
* Windows Server 2008 R2 RODC insists on TGS principal names having the
* right name type.
*/
if (krb5_princ_size(context, *server) == 2 &&
data_eq_string(*krb5_princ_component(context, *server, 0),
KRB5_TGS_NAME)) {
krb5_princ_type(context, *server) = KRB5_NT_SRV_INST;
}
return 0;
}
This sets the right type for NAME-TYPE, unfortunately it doesn't seem to work when I'm using a forwarded ticket. The name type in the request when the ticket is forwarded keeps being unknown, unlike when the ticket is granted from the machine then is : Service and Instance.
________________________________________
From: kerberos-bounces at mit.edu [kerberos-bounces at mit.edu] on behalf of Sebastian Galiano [Sebastian.Galiano at spilgames.com]
Sent: 12 April 2012 11:12
To: kerberos at mit.edu
Subject: Kerberos, Windows2008 RODC and ticket forwarding Problem
Hello
I'm having some problems to get kerberos to work. I got two realms, one realm working in Windows 2008 (WINDOWS), with one KDC and RODC (the RODC is in a separate network). I am testing the ticketing forwarding cross realm. The second realm is a linux realm (LINUX) running on scientific linux 6.1. All the Linux machines are using the same kerberos libraries :
krb5-libs-1.9.2-6.fc16.x86_64
krb5-libs-1.9.2-6.fc16.i686
krb5-workstation-1.9.2-6.fc16.x86_64
So in from my fedora desktop computer I kinit with a WINDOWS realm user, and from there I ssh to my server. The SSH server principal is created in LINUX realm. This works smoothly.
I also have a NFS 4 server kerberized, and declared in the LINUX realm. So from the SSH server (NFS client), I mount the folder and try to access, getting a permission denied message. I've captured the traffic from my SSH server (NFS Client), in the moment of accessing the NFS folder. I've noticed the following error:
KRB_AP_ERR_BAD_INTEGRITY
Also I noticed that the Name-Type inside the request packet is Unknown.
After some browsing in the internet, it seems that W2008 RODC needs the Name-Type to be set, and in fact this has been patched in kerberos. What is more if I dont do ticket forwarding , so I kinit the user from the SSH server (NFS Client), and access the folder it works!
Could it be that the current implementation of Kerberos is not setting the Name-Type for forwarded tickets?
Regards
Sebastián Galiano
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list