Kerberos, Windows2008 RODC and ticket forwarding Problem

Tom Yu tlyu at MIT.EDU
Thu Apr 19 17:01:28 EDT 2012


Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> Ok. I followed your indications. I have the 02 LL, being LL 01. So only one byte is highlighted: 05.
> So, it is not a long value... It doesn't correspond with your problem description, but I've been comparing the captures of my two tests:
>
> 1. Not forwarding: cross-realm authentication directly from the ssh server to access the NFS server (using RODC W2008). Result: it works.
> 2. Ticket forwarding: cross-realm authentication from my desktop computer, using a regular W2008 DC, to the ssh server, and then from there trying to access the NFS server, but this time requesting the service ticket from a RODC using the forwarded ticket from my W2008 server. Result: it doesn't work.
>
> For me the main difference is that the field Name-Type is not being set. In the first case the Name-Type is set to Service and Instance in the TGS Request. In the second case it is set to unknown, and Windows Server 2008 R2 RODC insists on TGS principal names having the name type.
>
> Could it be that the Name-Type must be set somewhere else?

It looks like krb5_fwd_tgt_creds doesn't currently set the name-type
to KRB5_NT_SRV_INST, so that is one possible problem.  I will need to
check the other places that we format principal names for TGS-REQs,
though it seems that patching the fwd_tgt_creds location might solve
your specific problem:

diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index d602952..3ce8cfb 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -103,6 +103,12 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
                                            0)))
         goto errout;
 
+    /*
+     * Windows Server 2008 R2 RODC insists on TGS principal names having the
+     * right name type.
+     */
+    krb5_princ_type(context, creds.server) = KRB5_NT_SRV_INST;
+
     /* fetch tgt directly from cache */
     context->use_conf_ktypes = 1;
     retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES,
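Review bot: the comment above the new krb5_princ_type assignment justifies it only by the Windows Server 2008 R2 RODC behaviour, but RFC 4120 (section 7.3) defines the ticket-granting service name krbtgt/REALM as a two-part name of type NT-SRV-INST, so the comment should say that the code was leaving the type at its default (unknown) and that the RODC is simply the peer that rejects that, e.g. "RFC 4120 7.3 requires NT-SRV-INST for the TGS name; a 2008 R2 RODC rejects the default." Since the accompanying message says other places that format principal names for TGS-REQs still have to be checked, setting the type in one shared spot where the krbtgt principal is built would avoid patching each call site separately.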
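As an added illustration (not code from this thread or from MIT krb5), here is the PrincipalName encoding that the two captures differ in: a self-contained DER encoder and decoder for the TGS-REQ server name following the ASN.1 in RFC 4120, with krbtgt/EXAMPLE.COM as a constructed sample. Name-type 0 (unknown) versus 2 (NT-SRV-INST) is the single byte inside the [0] field that the RODC checks.

```c
#include <stdint.h>
#include <string.h>
/* Name types from RFC 4120 sec. 6.2 (same values as KRB5_NT_* in krb5.h). */
#define KRB5_NT_UNKNOWN  0
#define KRB5_NT_SRV_INST 2
/* PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString } */
enum { TAG_SEQ = 0x30, TAG_INT = 0x02, TAG_GENSTR = 0x1b };
#define TAG_CTX(n) (0xa0 | (n))          /* context-specific, constructed */

/* DER-encode a two-component name such as krbtgt/REALM (short-form lengths only). 0 on failure. */
static size_t encode_principal_name(uint8_t *out, size_t cap, int name_type,
                                    const char *svc, const char *inst)
{
    size_t a = strlen(svc), b = strlen(inst), sl = 4 + a + b, body = 9 + sl;
    if (a >= 128 || b >= 128 || body >= 128 || name_type < 0 || name_type > 127 ||
        cap < 2 + body) return 0;
    uint8_t *p = out;
    *p++ = TAG_SEQ; *p++ = (uint8_t)body;                                   /* PrincipalName */
    *p++ = TAG_CTX(0); *p++ = 3; *p++ = TAG_INT; *p++ = 1; *p++ = (uint8_t)name_type; /* [0] */
    *p++ = TAG_CTX(1); *p++ = (uint8_t)(2 + sl); *p++ = TAG_SEQ; *p++ = (uint8_t)sl; /* [1] */
    *p++ = TAG_GENSTR; *p++ = (uint8_t)a; memcpy(p, svc, a); p += a;
    *p++ = TAG_GENSTR; *p++ = (uint8_t)b; memcpy(p, inst, b); p += b;
    return (size_t)(p - out);
}

/* Read the name-type back, as a capture dissector or a KDC would; -1 if malformed. */
static int decode_name_type(const uint8_t *buf, size_t len)
{
    if (len < 7 || buf[0] != TAG_SEQ || buf[2] != TAG_CTX(0) || buf[3] != 3 ||
        buf[4] != TAG_INT || buf[5] != 1) return -1;
    return buf[6];
}

/* Encode the constructed sample krbtgt/EXAMPLE.COM with the given type; return what a receiver reads. */
int tgs_name_type_on_wire(int name_type)
{
    uint8_t buf[64];
    size_t n = encode_principal_name(buf, sizeof buf, name_type, "krbtgt", "EXAMPLE.COM");
    return n ? decode_name_type(buf, n) : -1;
}

/* 1 if the NT-SRV-INST encoding of the sample equals its hand-computed DER. */
int srv_inst_wire_ok(void)
{
    static const uint8_t want[] = { 0x30,0x1e, 0xa0,0x03,0x02,0x01,0x02, 0xa1,0x17, 0x30,0x15,
        0x1b,0x06,'k','r','b','t','g','t', 0x1b,0x0b,'E','X','A','M','P','L','E','.','C','O','M' };
    uint8_t buf[64];
    size_t n = encode_principal_name(buf, sizeof buf, KRB5_NT_SRV_INST, "krbtgt", "EXAMPLE.COM");
    return n == sizeof want && memcmp(buf, want, n) == 0;
}
```

The 32-byte expected encoding in srv_inst_wire_ok is what a dissector shows for the name in the working capture; the failing case differs only in the byte after `02 01`, which is 00 instead of 02.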


