Mimicking AD's Kerberos Forest Search Order (KFSO) with MIT Kerberos

Osipov, Michael michael.osipov at siemens.com
Thu Mar 16 06:33:01 EDT 2017


> On 03/15/2017 11:39 AM, Osipov, Michael wrote:
> > So there is basically no way to tell MIT Kerberos if your home realm is
> > unable to route the request, it should try other realms, correct?
> 
> No; we have a fallback realm mechanism in the TGS client code, but it
> only tries one realm (determined by TXT records or DNS heuristics) and
> you can't configure a list.
> 
> We haven't implemented a TGS realm search path because:
> 
> 1. It's not completely secure, in that an attacker can forge error
> messages to make the client walk the list past the ideal destination for
> a given service.  FAST TGS was supposed to fix this, but for various
> reasons it doesn't.

At which point would an attacker be able to forge a message?
DNS updates here are via GSS-TSIG only. krb5.conf can be changed by root
only. I would expect this search list to reside in krb5.conf.

> 2. The TGS client code is already really complicated, and we're
> reluctant to add more complexity to code that is hard to understand as
> it is.
> 
> 3. There are some caching concerns, which if left unaddressed would lead
> to a lot of repeated TGS requests to the earlier realms.

Acknowledged.

> That said, I'm told Heimdal recently added support for a feature like
> this, so if Microsoft does as well, that makes us the odd one out, and
> we should perhaps reconsider.

I checked Heimdal's git log from today back to 2015 and haven't found anything.
Can you name the change in particular?

If you are up to reconsidering, I asked about a related topic almost a year ago [1]
without any answer. The search order issue only applies to SPNs with two
components, namely those without a realm indication.

Can you create a ticket for this feature in your bug tracker?

If you reach some code state, I can test anytime from master. I have several
huge forests at hand. Just ping me privately.

Best regards,

Michael

[1] https://www.mail-archive.com/kerberos@mit.edu/msg21765.html
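For readers wondering what can be done today: the only realm-selection knobs MIT Kerberos offers for a two-component SPN are the static [domain_realm] mapping in krb5.conf and the single DNS/heuristic fallback the reply above mentions. The fragment below is an added illustration, not configuration from the thread or from the MIT project; the realm and domain names (EXAMPLE.NET, CORP.EXAMPLE.NET, EU.EXAMPLE.ORG, legacy-app01.example.com) are invented placeholders.

```ini
# Added example krb5.conf fragment: approximating a forest search order
# with static mappings. Realm and host names are hypothetical.
# The profile parser only accepts comments on their own line, so none
# are placed after values.

[libdefaults]
    default_realm = EXAMPLE.NET
    # When no [domain_realm] entry matches, look up a _kerberos.<host>
    # TXT record. This is the one fallback realm the TGS client code
    # will try; there is no ordered list to walk past it.
    dns_lookup_realm = true
    # Number of trailing hostname components to try as a realm name
    # before giving up (the "DNS heuristics" fallback). -1 disables.
    realm_try_domains = 1

[domain_realm]
    # Suffix rules: a leading dot matches every host under the domain.
    # Order of precedence is longest matching suffix, not file order,
    # so the same host should not appear in two overlapping rules.
    .corp.example.net = CORP.EXAMPLE.NET
    .eu.example.org = EU.EXAMPLE.ORG
    # Exact-host rule for a service that lives in a realm its DNS name
    # does not suggest, which is exactly the case KFSO resolves in AD.
    legacy-app01.example.com = CORP.EXAMPLE.NET
```

With this in place a request for HTTP/legacy-app01.example.com is sent to CORP.EXAMPLE.NET directly and never consults DNS, and only hosts matching no rule fall through to the single TXT/heuristic lookup. The security relevance is the point raised in the reply above: the mapping is read from a root-owned file, so a forged KRB-ERROR from the wire cannot steer the client to a different realm, whereas an ordered search list driven by unauthenticated error responses could. The cost is that every cross-forest host or suffix has to be enumerated by hand, which is what the thread is asking to avoid.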
