Cross-realm trusts w/ MS Windows 2003
Douglas E. Engert
deengert at anl.gov
Mon Aug 18 12:03:06 EDT 2003
You might also want to try the http://www.ethereal.com trace program
for Windows on the client as it can also parse the KRB5 messages.
This might show the traffic.
Joseph Galbraith wrote:
>
> We develop the SecureCRT and VShell SSH client and
> server packages. We've now added support for GSSAPI
> key exchange and authentication using kerberos to these
> packages.
>
> However, when I tried to test our support
> using a cross realm trust relationship between a
> MIT kerberos REALM & a Microsoft Kerberos domain,
> I started running into trouble.
Which realm is the user in, and which realm is the server in?
>
> One of the problems is that I'm getting an "Insufficient
> memory error" from the MS api (I've got an incident open
> with them about this, since the error is bogus.) However,
> I'm trying to track down the underlying cause of the problem.
>
> I think the KDC for the MIT kerberos realm is using the MIT
> kerberos build that shipped w/ redhat 7. RPM says it is
> 1.2.4-1. (How best to tell what version is in use?) It
> contains libkrb5.so.3.1.
>
> I'm using Windows Server 2003 on the MS side.
There might be a problem with the size of the tickets, as
the PAC can add an extra 1000 bytes. I understand that 2003 tries to
switch from UDP to TCP with a smaller ticket size than W2K did.
There might also be a problem determining the realm of the server,
as the MS code might be doing referrals, which the MIT code may
not support.
>
> I'm getting the following in my log file:
>
> Aug 18 08:50:58 redhat.vandyke.com krb5kdc[863](info): TGS_REQ
> (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.77(88):
> PROCESS_TGS: authtime 0, <unknown client> for
> host/redhat.vandyke.com at vandyke.com, Key table entry not found
>
> In the log file, the SPN realm name, VANDYKE.COM, has been converted
> to lower case. It seems to me this might be the problem, but I'm
> not sure. What do you think?
>
> Is there any chance that the data coming into the MIT
> kdc is correct, but the case is being changed as it
> is written to the log file?
>
> My current suspicion is that MS is somehow changing it between
> my calling InitializeSecurityContext() and it getting on the
> wire.
>
> Microsoft developer support is analyzing a tcp capture and
> log files, so hopefully they will tell me more soon.
>
> If I were going to attach a debugger to the kerberos kdc daemon
> and watch the data come through, where would be the best place
> to set a break point?
>
> Thanks,
>
> Joseph
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
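As an added example that is not part of this thread: a small Python checker over krb5kdc log lines in the shape quoted above. It flags a service principal whose realm is not in upper case (the lower-cased VANDYKE.COM that Joseph noticed), a request the KDC rejected, and negative (private-range) enctype numbers in the offered list. The sample lines are constructed; the first reproduces the quoted line with "@" restored where the archive printed "at".

```python
import re

# MIT krb5kdc AS_REQ/TGS_REQ line shape quoted in the thread (assumed layout; other lines are skipped).
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+)\((?P<port>\d+)\): (?P<stage>\w+): authtime (?P<authtime>\d+), +"
    r"(?P<client>.+?) for (?P<server>[^,\s]+)(?:, (?P<error>.+))?$"
)

SAMPLE_LOG = [
    # Constructed from the line quoted above; the archive rendered "@" as "at".
    "Aug 18 08:50:58 redhat.vandyke.com krb5kdc[863](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "192.168.0.77(88): PROCESS_TGS: authtime 0, <unknown client> for host/redhat.vandyke.com@vandyke.com, Key table entry not found",
    # Constructed healthy request for contrast (realm in canonical upper case).
    "Aug 18 08:51:10 redhat.vandyke.com krb5kdc[863](info): TGS_REQ (1 etypes {23}) "
    "192.168.0.77(88): ISSUE: authtime 1061210000, joseph@VANDYKE.COM for host/redhat.vandyke.com@VANDYKE.COM",
]

def parse_kdc_line(line):
    """Parse one krb5kdc line into a dict; None when it is not an AS/TGS request line."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]  # enctypes the client offered
    rec["port"], rec["authtime"] = int(rec["port"]), int(rec["authtime"])
    return rec

def check_record(rec):
    """Findings for one parsed request; an empty list means nothing looked odd."""
    findings = []
    _, sep, realm = rec["server"].rpartition("@")  # sep is "" when no realm is given
    if sep and realm != realm.upper():
        findings.append(f"server realm not upper-case: {realm!r}")
    if rec["error"]:
        findings.append(f"kdc error: {rec['error']}")
    if any(e < 0 for e in rec["etypes"]):  # negative numbers are private-range etypes
        findings.append("private-range (negative) etypes offered")
    return findings

def scan(lines):
    """Return (client_ip, server_principal, findings) for every flagged line."""
    out = []
    for rec in filter(None, map(parse_kdc_line, lines)):
        findings = check_record(rec)
        if findings:
            out.append((rec["ip"], rec["server"], findings))
    return out
```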