Cross-realm trusts w/ MS Windows 2003

Joseph Galbraith galb at vandyke.com
Mon Aug 18 11:47:19 EDT 2003


We develop the SecureCRT and VShell SSH client and
server packages.  We've now added support for GSSAPI
key exchange and authentication using kerberos to these
packages.

However, when I tried to test our support
using a cross realm trust relationship between a
MIT kerberos REALM & a Microsoft Kerberos domain,
I started running into trouble.

One of the problems is that I'm getting an "Insufficient
memory error" from the MS API (I've got an incident open
with them about this, since the error is bogus.)  However,
I'm trying to track down the underlying cause of the problem.

I think the KDC for the MIT kerberos realm is using the MIT
kerberos build that shipped w/ redhat 7.  RPM says it is
1.2.4-1.  (How best to tell what version is in use?)  It
contains libkrb5.so.3.1.

I'm using Windows Server 2003 on the MS side.

I'm getting the following in my log file:

Aug 18 08:50:58 redhat.vandyke.com krb5kdc[863](info): TGS_REQ
   (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.77(88):
   PROCESS_TGS: authtime 0,  <unknown client> for
   host/redhat.vandyke.com@vandyke.com, Key table entry not found

In the log file, the SPN realm name, VANDYKE.COM, has been converted
to lower case.  It seems to me this might be the problem, but I'm
not sure.  What do you think?

Is there any chance that the data coming into the MIT
kdc is correct, but the case is being changed as it
is written to the log file?

My current suspicion is that MS is somehow changing it between
my calling InitializeSecurityContext() and it getting on the
wire.

Microsoft developer support is analyzing a tcp capture and
log files, so hopefully they will tell me more soon.

If I were going to attach a debugger to the kerberos kdc daemon
and watch the data come through, where would be the best place
to set a break point?

Thanks,

Joseph
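As an added example (not part of Joseph's message and not krb5 project code), here is a small checker for the kind of krb5kdc log entry quoted above. It folds the wrapped syslog lines back into one entry, pulls out the offered etypes, client address, client principal, requested service principal and any trailing error text, and flags a service realm that is not upper-case, which is the mismatch the message suspects. The first sample entry is the one from the message (with the archive's " at " munging read as "@"); the second entry, including the principal jdoe@VANDYKE.COM and the ISSUE line, is constructed to show a request the checker passes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log. Entry 1 is the excerpt from the message above;
# entry 2 is a constructed successful TGS_REQ in the same 1.2-era format.
SAMPLE_LOG = """\
Aug 18 08:50:58 redhat.vandyke.com krb5kdc[863](info): TGS_REQ
   (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.77(88):
   PROCESS_TGS: authtime 0,  <unknown client> for
   host/redhat.vandyke.com@vandyke.com, Key table entry not found
Aug 18 08:51:10 redhat.vandyke.com krb5kdc[863](info): TGS_REQ
   (1 etypes {23}) 192.168.0.50(88): ISSUE: authtime 1061210000,
   etypes {rep=23 tkt=23 ses=23}, jdoe@VANDYKE.COM for
   host/redhat.vandyke.com@VANDYKE.COM
"""

# One-line form of a TGS_REQ entry, after continuation lines are joined.
TGS_REQ_RE = re.compile(
    r"TGS_REQ \((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>[\d.]+)(?:\((?P<port>\d+)\))?: "
    r"(?P<body>.*) for (?P<service>[^,\s]+)(?:, (?P<error>.*))?$"
)


@dataclass
class TgsReq:
    client_addr: str
    etypes: List[int]
    service: str            # requested service principal, e.g. host/fqdn@REALM
    client: Optional[str]   # client principal, if the KDC identified it
    error: Optional[str]    # trailing error text when the request failed
    findings: List[str] = field(default_factory=list)

    @property
    def realm(self) -> str:
        return self.service.rsplit("@", 1)[1] if "@" in self.service else ""


def join_continuations(text: str) -> List[str]:
    """Fold syslog-style wrapped lines (indented continuations) into one entry each."""
    entries: List[str] = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries


def parse_tgs_req(entry: str) -> Optional[TgsReq]:
    """Extract the fields of a TGS_REQ entry; return None for other log lines."""
    m = TGS_REQ_RE.search(entry)
    if not m:
        return None
    # The client principal is the last name@REALM token in the body; the KDC
    # prints "<unknown client>" when it has not identified the requester.
    client = None
    for token in m.group("body").replace(",", " ").split():
        if "@" in token and not token.startswith("<"):
            client = token
    return TgsReq(
        client_addr=m.group("addr"),
        etypes=[int(e) for e in m.group("etypes").split()],
        service=m.group("service"),
        client=client,
        error=m.group("error"),
    )


def diagnose(req: TgsReq) -> List[str]:
    """Flag conditions that explain a key lookup failure on a cross-realm TGS_REQ."""
    findings: List[str] = []
    realm = req.realm
    if realm and realm != realm.upper():
        # Kerberos realm names are case-sensitive; a lower-cased realm in the
        # request will not match the KDC's upper-case realm entries.
        findings.append(f"service realm {realm!r} is not upper-case "
                        f"(expected {realm.upper()!r})")
    if req.client is None:
        findings.append("client principal not identified by the KDC (<unknown client>)")
    if req.error:
        findings.append(f"KDC error: {req.error}")
    negatives = [e for e in req.etypes if e < 0]
    if negatives:
        # Negative enctype numbers are reserved for private/local use, not IANA-assigned.
        findings.append(f"private-use (negative) etypes offered: {negatives}")
    return findings


def analyze_kdc_log(text: str) -> List[TgsReq]:
    """Parse every TGS_REQ in a krb5kdc log excerpt and attach findings to each."""
    reqs: List[TgsReq] = []
    for entry in join_continuations(text):
        req = parse_tgs_req(entry)
        if req is not None:
            req.findings = diagnose(req)
            reqs.append(req)
    return reqs


if __name__ == "__main__":
    for r in analyze_kdc_log(SAMPLE_LOG):
        status = "FAIL" if r.error else "ok"
        print(f"{status:4} {r.client_addr:15} {r.client or '?':>20} -> {r.service}")
        for f in r.findings:
            print("     -", f)
```

Running it prints one line per request plus its findings, so the entry from the message shows the lower-case realm, the unidentified client and the "Key table entry not found" error together, while the constructed second entry produces no findings.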
