Cross-realm trusts w/ MS Windows 2003

Joseph Galbraith galb at
Mon Aug 18 12:24:18 EDT 2003

> You might also want to try the trace program
> for Windows on the client as it can also parse the KRB5 messages.
> This might show the traffic. 

Thanks.  I'm downloading it now.

>>We develop the SecureCRT and VShell SSH client and
>>server packages.  We've now added support for GSSAPI
>>key exchange and authentication using kerberos to these
>>However, when I tried to test our support
>>using a cross realm trust relationship between a
>>MIT kerberos REALM & a Microsoft Kerberos domain,
>>I started running into trouble.
> Which realm is the user in and which realm is the server it?

Ahh... I guess a little bit more detail might be useful.

VANDYKE.COM is the mit realm.  GALB.VANDYKE.COM is the
MS realm.  The upn is galb at GALB.VANDYKE.COM, the spn
is host/ at VANDYKE.COM.  The server
is our vshelld for unix, running on the same machine
as the MIT kdc.

The failure occurs during the first call to

>>One of the problems is that I'm getting a "Insufficient
>>memory error" from the MS api (I've got an incident open
>>with them about this, since the error is bogus.)  However,
>>I'm trying to track down the underlying cause of the problem.
>>I think the KDC for the MIT kerberos reals is using the MIT
>>kerberos build that shipped w/ redhat 7.  RPM says it is
>>1.2.4-1.  (How best to tell what version is in use?)  It
>>I'm using Windows Server 2003 on the MS side.
> There might a problem with the size of the tickets, as
> the PAC can add an extra 1000 bytes. I understand that 2003 tries to 
> switch from UDP to TCP with a smaller ticket size then W2K did.

How big is the packet w/o the PAC?  The buffer I'm
using was originally 32K; I tried 128K and I also
tried specifying the flag to tell the MS api to
allocate the buffer for me.

> There might also be a problem determining the realm of the server,
> as the MS code might be doing referrals, wihch the MIT code may
> not suport.    

How would I tell if this is what is happening?

I am seeing traffic to the MIT KDC, so I think
MS is finding it?  I had to configure the workstation
with the KDC for the mit realm.



More information about the krbdev mailing list