Kerberos "overlay" in mixed OS environment

Simo Sorce simo at redhat.com
Wed Dec 7 15:34:54 EST 2016


On Wed, 2016-12-07 at 17:17 +0000, Nordgren, Bryce L -FS wrote:
> > Use a sub-domain for at least one of the two realms and avoid yourself
> > a lot of trouble.
> 
> 
> Ah. I don't control the network. And it sounds to me like what you're
> saying is that there's more than "trouble". Windows is completely
> unsupportable in this environment because it can't adapt, and I can't
> give it the one environment it can live with. Even linux will require
> a herculean effort of manual management. For the moment, I'm just
> going to solve my problem by throwing Windows under the bus. All
> Windows will be unmanaged.
> 
> Musings:
> 
> Even if I did control the network, the notion of subnets comprised of
> homogeneous OSes seems dumb. My purpose for wanting an IPA or AD
> solution is management of the machine, not management of the network.

DNS != Network ?

> Ideally, I'd want that management (or some subset, like
> authentication) to work over the Internet, even when my machine is at
> home or moves to a co-operator's network (e.g., has a dynamic IP from
> my ISP and no DNS entry).

A machine can have a name that has nothing to do with the IP address it
uses; in fact, that's what my laptop does, and in both IPA and AD clients
can use secure DNS updates to adjust their A record as they move (and
they do).

>  What we have now seems to be an artifact of 1990s thinking: computers
> running services never leave their One True Home; there is only one
> OS; a single KDC will be tasked with managing all computers regardless
> of OS; all keytabs on the same computer will be issued from the same
> KDC (e.g., trust of the website I put up/machine I stood up is
> equivalent to trust in the IT department of the host university).

The "one KDC for all machines" is not such a bad idea within an
organization, the fact we do not have it is because we have conflated
concepts for the sake of easy deployment of integrated services and in
the process each vendor decided to care for its own clients very well,
making it hard to cater for the others.

> So the core problem statement (realizing this doesn't exist but might
> be something to work towards) is "How do we associate a
> machine/server/service to a particular KDC without using DNS?" (And
> then securely communicate that pairing to third parties... WITHOUT
> requiring a rat's nest of two-way trusts (cough) forest (cough)) If we
> can do that, we accommodate mobility, align "trust" more correctly at
> the service-not-host level, control authentication to services via the
> trusts of the service's KDC (instead of applying identical trusts to
> all services running in the same subdomain), encourage
> across-the-internet operation, and remove a barrier to heterogeneous
> deployment.

I'm not sure what you are asking here, honestly :-)

> Something to chew on for Kerberos 6 and a next generation of AD/IPAs.
> Kerberos 5 is pretty much married to DNS and can't go much farther
> than it's already gone.

We could relatively easily add DNS records that each machine can set to
indicate what realm it belongs to, but it doesn't help if the AD
side does not adopt the same method to convey and use such information.
The DNS situation is a bit hostage to what Active Directory does,
honestly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
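As an added illustration (not code from this thread or from MIT krb5), the host-to-realm walk below is modelled on the one MIT Kerberos performs over `_kerberos.<name>` TXT records when `dns_lookup_realm` is enabled: it starts at the full host name and strips leading labels until a record answers, so a per-host record of the kind Simo describes overrides the domain-wide one. The zone contents, host names and realm names are constructed; `stub_txt_lookup` stands in for a real resolver so the code runs offline.

```python
from typing import Callable, Dict, List, Optional

# Constructed zone data (not real names): owner name -> TXT strings.
# The university domain advertises UNIV.EXAMPLE as its realm, but one
# lab host publishes its own record pointing at a different KDC.
ZONE: Dict[str, List[str]] = {
    "_kerberos.university.example.": ["UNIV.EXAMPLE"],
    "_kerberos.lab01.cs.university.example.": ["LAB.EXAMPLE"],
}

TxtLookup = Callable[[str], Optional[List[str]]]


def stub_txt_lookup(name: str) -> Optional[List[str]]:
    """Offline stand-in for a TXT query; None plays the role of NXDOMAIN."""
    return ZONE.get(name.lower())


def realm_for_host(fqdn: str, txt_lookup: TxtLookup = stub_txt_lookup) -> Optional[str]:
    """Return the realm advertised for fqdn via _kerberos TXT records.

    Candidates are tried from most to least specific:
        _kerberos.<host>.<domain>.  then  _kerberos.<domain>.  ...
    The first answer wins, so a host-level record takes precedence over
    the record for its parent domain. Returns None when nothing answers,
    which a caller should treat as "fall back to local configuration".
    """
    labels = [l for l in fqdn.rstrip(".").lower().split(".") if l]
    for i in range(len(labels)):
        candidate = "_kerberos." + ".".join(labels[i:]) + "."
        answer = txt_lookup(candidate)
        if answer:
            realm = answer[0].strip()
            # Realm names are case-sensitive in Kerberos; normalise only the
            # surrounding whitespace, then upper-case as krb5 does for TXT data.
            if realm:
                return realm.upper()
    return None


if __name__ == "__main__":
    for host in ("lab01.cs.university.example", "ws7.cs.university.example",
                 "laptop.isp.example"):
        print(host, "->", realm_for_host(host))
```

Because the mapping comes from DNS, an unsigned answer is only as trustworthy as the resolver path; that is why MIT krb5 ships with `dns_lookup_realm` disabled by default and why an AD-side equivalent would need the same DNSSEC (or secure-update) footing to be worth relying on.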