Kerberos "overlay" in mixed OS environment

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Wed Dec 7 12:17:55 EST 2016


> Use a sub-domain for at least one of the two realms and avoid yourself a lot of trouble.

Ah. I don't control the network. And it sounds to me like what you're saying is that there's more than "trouble". Windows is completely unsupportable in this environment because it can't adapt, and I can't give it the one environment it can live with. Even Linux will require a herculean effort of manual management. For the moment, I'm just going to solve my problem by throwing Windows under the bus. All Windows will be unmanaged.

Musings:

Even if I did control the network, the notion of subnets comprised of homogeneous OSes seems dumb. My purpose for wanting an IPA or AD solution is management of the machine, not management of the network. Ideally, I'd want that management (or some subset, like authentication) to work over the Internet, even when my machine is at home or moves to a co-operator's network (e.g., has a dynamic IP from my ISP and no DNS entry). What we have now seems to be an artifact of 1990s thinking: computers running services never leave their One True Home; there is only one OS; a single KDC will be tasked with managing all computers regardless of OS; all keytabs on the same computer will be issued from the same KDC (e.g., trust of the website I put up/machine I stood up is equivalent to trust in the IT department of the host university).

So the core problem statement (realizing this doesn't exist but might be something to work towards) is "How do we associate a machine/server/service to a particular KDC without using DNS?" (And then securely communicate that pairing to third parties... WITHOUT requiring a rat's nest of two-way trusts (cough) forest (cough).) If we can do that, we accommodate mobility, align "trust" more correctly at the service-not-host level, control authentication to services via the trusts of the service's KDC (instead of applying identical trusts to all services running in the same subdomain), encourage across-the-internet operation, and remove a barrier to heterogeneous deployment.

Something to chew on for Kerberos 6 and a next generation of AD/IPAs. Kerberos 5 is pretty much married to DNS and can't go much farther than it's already gone.

Bryce






