Cross-realm trusts w/ MS Windows 2003
Joseph Galbraith
galb at vandyke.com
Mon Aug 18 12:24:18 EDT 2003
> You might also want to try the http://www.ethereal.com trace program
> for Windows on the client as it can also parse the KRB5 messages.
> This might show the traffic.
Thanks. I'm downloading it now.
>>We develop the SecureCRT and VShell SSH client and
>>server packages. We've now added support for GSSAPI
>>key exchange and authentication using kerberos to these
>>packages.
>>
>>However, when I tried to test our support
>>using a cross realm trust relationship between a
>>MIT kerberos REALM & a Microsoft Kerberos domain,
>>I started running into trouble.
>
>
> Which realm is the user in and which realm is the server in?
Ahh... I guess a little bit more detail might be useful.
VANDYKE.COM is the mit realm. GALB.VANDYKE.COM is the
MS realm. The upn is galb at GALB.VANDYKE.COM, the spn
is host/redhat.vandyke.com at VANDYKE.COM. The server
is our vshelld for unix, running on the same machine
as the MIT kdc.
The failure occurs during the first call to
InitializeSecurityContext().
>>One of the problems is that I'm getting an "Insufficient
>>memory error" from the MS api (I've got an incident open
>>with them about this, since the error is bogus.) However,
>>I'm trying to track down the underlying cause of the problem.
>>
>>I think the KDC for the MIT kerberos realm is using the MIT
>>kerberos build that shipped w/ redhat 7. RPM says it is
>>1.2.4-1. (How best to tell what version is in use?) It
>>contains libkrb5.so.3.1.
>>
>>I'm using Windows Server 2003 on the MS side.
>
>
> There might be a problem with the size of the tickets, as
> the PAC can add an extra 1000 bytes. I understand that 2003 tries to
> switch from UDP to TCP with a smaller ticket size than W2K did.
How big is the packet w/o the PAC? The buffer I'm
using was originally 32K; I tried 128K and I also
tried specifying the flag to tell the MS api to
allocate the buffer for me.
> There might also be a problem determining the realm of the server,
> as the MS code might be doing referrals, which the MIT code may
> not support.
How would I tell if this is what is happening?
I am seeing traffic to the MIT KDC, so I think
MS is finding it? I had to configure the workstation
with the KDC for the mit realm.
Thanks,
Joseph
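A minimal MIT-side krb5.conf for the two-realm layout described in this message (VANDYKE.COM as the MIT realm, GALB.VANDYKE.COM as the Windows 2003 realm), added here as an illustrative configuration and not something posted in the thread. The Windows DC host name dc.galb.vandyke.com is assumed, as is a client library new enough to honour udp_preference_limit; forcing TCP is one way to rule out the PAC-inflated ticket size mentioned above.

```ini
# Constructed example: krb5.conf on redhat.vandyke.com, the host running
# both the MIT KDC and vshelld (service principal host/redhat.vandyke.com@VANDYKE.COM).
[libdefaults]
    default_realm = VANDYKE.COM
    # Tickets that carry a Windows PAC can exceed a single UDP datagram.
    # Requests larger than this limit go over TCP; 1 forces TCP for everything,
    # which is useful while diagnosing a suspected ticket-size problem.
    udp_preference_limit = 1

[realms]
    VANDYKE.COM = {
        kdc = redhat.vandyke.com
        admin_server = redhat.vandyke.com
    }
    # Assumed host name for the Windows 2003 domain controller.
    GALB.VANDYKE.COM = {
        kdc = dc.galb.vandyke.com
    }

[domain_realm]
    # Hosts in the Windows domain map to the MS realm, everything else under
    # vandyke.com maps to the MIT realm, so the client does not need a referral
    # to work out which KDC owns host/redhat.vandyke.com.
    .galb.vandyke.com = GALB.VANDYKE.COM
    galb.vandyke.com = GALB.VANDYKE.COM
    .vandyke.com = VANDYKE.COM
    vandyke.com = VANDYKE.COM

[capaths]
    # Direct trust in both directions ("." means no intermediate realm):
    # galb@GALB.VANDYKE.COM gets krbtgt/VANDYKE.COM@GALB.VANDYKE.COM from the
    # Windows KDC and presents it to the MIT KDC for the vshelld service ticket.
    GALB.VANDYKE.COM = {
        VANDYKE.COM = .
    }
    VANDYKE.COM = {
        GALB.VANDYKE.COM = .
    }
```

The cross-realm principal krbtgt/VANDYKE.COM@GALB.VANDYKE.COM must exist with the same key and encryption type in both KDCs, and the Windows client still needs the MIT KDC registered locally (for example with ksetup /addkdc) because the MS realm will not find it through DNS on its own.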