MS-KDC / MIT Interoperability
Anthony Liguori
aliguor at us.ibm.com
Tue Jun 10 19:21:22 EDT 2003
Greetings All,

I'm part of a team that's been doing a lot of work with Active Directory
Kerberos interoperability and thought I'd share some of our findings with
the list. Namely, there are two issues involving realm names and service
principal names where Active Directory will accept short forms of the
realm or service principal names and return the full names.

The first occurs when a user joins a domain in an Active Directory realm.
If we're joining the domain ibm.foo.bar, with user Administrator, then a
client will make a request with the realm being whatever the client types
as the domain name. If a client enters ibm.foo.bar, IBM.FOO.BAR, or
IBM.foo.BAR, the requests will go out as Administrator@ibm.foo.bar,
Administrator@IBM.FOO.BAR, or Administrator@IBM.foo.BAR respectively.
Regardless of the request, Active Directory will always return a ticket
for Administrator@IBM.FOO.BAR.

Additionally, it also appears that tickets can be requested via the
netbios-equivalent of the domain name (netbios naming is a flat naming
convention being slowly phased out of CIFS). So the above example would
also work if the client requested Administrator@IBM if IBM is the netbios
name of the domain.

Another interesting problem is with service principal names. Typically,
an AD client will request a ticket with a service principal in the form
HOST/dc.domain@REALM. If our domain controller (or KDC) resides on
dc.ibm.foo.bar, then this would be a request for
HOST/dc.ibm.foo.bar@IBM.FOO.BAR. Of course, in certain circumstances, a
client can request HOST/netbios_name@REALM or, if our netbios DC name was
NBDC, HOST/NBDC$@IBM.FOO.BAR. In this circumstance, the DNS form will be
returned.

Our solution has been a simple patch that accepts the different forms for
ticket names, but we've been a little uncertain what the best long-term
solution to this problem would be. Any input would be greatly
appreciated.

I can provide network traces if desired (I wasn't sure if this list
accepts binary attachments).
Regards,
Anthony Liguori
Linux/Active Directory Interoperability
Linux Technology Center (LTC) - IBM Austin
E-mail: aliguor at us.ibm.com
Phone: (512) 838-1208
Tie Line: 678-1208
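The name forms described in the post (mixed-case or NetBIOS realm names, HOST/netbios$ service names) all come back from the KDC as one canonical principal. The Python below is an added example, not code from the post, from IBM's patch or from MIT Kerberos: it models a client-side check that decides whether the principal in a KDC reply is an acceptable canonical form of the principal the client asked for, and rejects anything else. The alias tables (IBM for IBM.FOO.BAR, NBDC for dc.ibm.foo.bar) are constructed from the post's own example and are assumptions; a real client would obtain them from DNS, LDAP or configuration.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the post's example: the AD realm
# IBM.FOO.BAR has the NetBIOS name IBM, and its domain controller
# dc.ibm.foo.bar has the NetBIOS name NBDC. Both tables are assumptions
# made for this example.
REALM_NETBIOS_ALIASES = {"IBM": "IBM.FOO.BAR"}
HOST_NETBIOS_ALIASES = {"NBDC": "dc.ibm.foo.bar"}


@dataclass(frozen=True)
class Principal:
    components: tuple  # ("HOST", "dc.ibm.foo.bar") or ("Administrator",)
    realm: str


def parse_principal(text):
    """Parse 'comp1/comp2@REALM' into a Principal (no escape handling)."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal name: {text!r}")
    return Principal(tuple(name.split("/")), realm)


def canonical_realm(realm):
    """Map what the client typed (any case, or the NetBIOS short name) to
    the canonical upper-case AD realm name."""
    upper = realm.upper()
    return REALM_NETBIOS_ALIASES.get(upper, upper)


def canonical_host(component):
    """Map a NetBIOS host name such as NBDC or NBDC$ to its DNS form;
    anything else is treated as an already-DNS name, lower-cased."""
    short = component.rstrip("$").upper()
    return HOST_NETBIOS_ALIASES.get(short, component.lower())


def canonicalize(principal):
    """Return the form the post says AD hands back for a given request.
    Only HOST/<name> service principals get their host component mapped;
    other name components are left untouched."""
    comps = list(principal.components)
    if len(comps) == 2 and comps[0].upper() == "HOST":
        comps = ["HOST", canonical_host(comps[1])]
    return Principal(tuple(comps), canonical_realm(principal.realm))


def reply_matches_request(requested, returned):
    """True if the principal in the KDC reply is the canonical form of the
    principal the client requested; False for any other name, so a reply
    for an unexpected realm or host is not silently accepted."""
    return canonicalize(parse_principal(requested)) == parse_principal(returned)


if __name__ == "__main__":
    # Constructed request/reply pairs taken from the forms listed in the post.
    pairs = [
        ("Administrator@ibm.foo.bar", "Administrator@IBM.FOO.BAR"),
        ("Administrator@IBM", "Administrator@IBM.FOO.BAR"),
        ("HOST/NBDC$@IBM.FOO.BAR", "HOST/dc.ibm.foo.bar@IBM.FOO.BAR"),
        ("Administrator@ibm.foo.bar", "Administrator@OTHER.EXAMPLE"),
    ]
    for req, rep in pairs:
        print(f"{req:32} -> {rep:36} {reply_matches_request(req, rep)}")
```

The check is deliberately one-directional: it expands the short forms the client may have typed and then demands an exact match against the reply, so a reply naming a different realm or a different host than the one the alias tables account for is rejected rather than accepted as "close enough".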