Kerberos, Windows2008 RODC and ticket forwarding Problem

Sebastian Galiano Sebastian.Galiano at spilgames.com
Mon Apr 23 02:07:53 EDT 2012


I will test it as soon as possible. But I believed that non-forwarding TGS-REQs already have the Name-Type set. In fact, in the case where I didn't forward the ticket (when I created it directly from the ssh server), it worked perfectly against a W2008RODC, so what exactly should I check?


________________________________________
From: Tom Yu [tlyu at MIT.EDU]
Sent: 20 April 2012 19:14
To: Sebastian Galiano
Cc: kerberos at mit.edu
Subject: Re: Kerberos, Windows2008 RODC and ticket forwarding Problem

Sebastian Galiano <Sebastian.Galiano at spilgames.com> writes:

> It worked great!!
>
> Thanks!

Thanks for helping with the testing.  I have an updated patch that
should also address the issue with non-forwarding TGS-REQs.  Please
test this, if you have time.

diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index d602952..8387cea 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -28,6 +28,7 @@
 #ifdef HAVE_MEMORY_H
 #include <memory.h>
 #endif
+#include "int-proto.h"

 /* helper function: convert flags to necessary KDC options */
 #define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
@@ -93,14 +94,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
     if ((retval = krb5_copy_principal(context, client, &creds.client)))
         goto errout;

-    if ((retval = krb5_build_principal_ext(context, &creds.server,
-                                           client->realm.length,
-                                           client->realm.data,
-                                           KRB5_TGS_NAME_SIZE,
-                                           KRB5_TGS_NAME,
-                                           client->realm.length,
-                                           client->realm.data,
-                                           0)))
+    retval = krb5int_tgtname(context, &client->realm, &client->realm,
+                             &creds.server);
+    if (retval)
         goto errout;

     /* fetch tgt directly from cache */
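Review bot: The replacement call passes client->realm as both the TGT realm and the service realm, which is equivalent to the removed krb5_build_principal_ext arguments, so this is a safe consolidation; but the behaviour this hunk now relies on (the server principal getting name type KRB5_NT_SRV_INST) lives in krb5int_tgtname, not here. Add a one-line comment above the call, for example "/* krb5int_tgtname also sets the name type required by Windows RODCs */", so a later reader does not simplify it back to a bare krb5_build_principal_ext and silently reintroduce the RODC failure.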
diff --git a/src/lib/krb5/krb/tgtname.c b/src/lib/krb5/krb/tgtname.c
index 1a02880..6285b47 100644
--- a/src/lib/krb5/krb/tgtname.c
+++ b/src/lib/krb5/krb/tgtname.c
@@ -30,8 +30,16 @@
 krb5_error_code
 krb5int_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc)
 {
-    return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
-                                    KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
-                                    server->length, server->data,
-                                    0);
+    krb5_error_code ret;
+    ret = krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
+                                   KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+                                   server->length, server->data,
+                                   0);
+    /*
+     * Windows Server 2008 R2 RODC insists on TGS principal names having the
+     * right name type.
+     */
+    krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;
+
+    return ret;
 }
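Review bot: `krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;` is executed even when krb5_build_principal_ext returned an error, and on that path *tgtprinc is not a valid principal, so the assignment dereferences an invalid pointer. Return early on error and only then set the type:
    if (ret)
        return ret;
    krb5_princ_type(context, *tgtprinc) = KRB5_NT_SRV_INST;
    return 0;
The comment is good; it may also help to say that this applies to every TGT principal built through this helper (including the forwarding path in fwd_tgt.c), since that is why the two call sites were consolidated.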
