MS-KDC / MIT Interoperability
aliguor at us.ibm.com
Tue Jun 10 19:21:22 EDT 2003
I'm part of a team that's been doing a lot of work with Active Directory
Kerberos interoperability and thought I'd share some of our findings with
the list. Namely, there are two issues involving realm names and service
principal names whereas Active Directory will accept short forms of the
realm or service principal names and return the full names.
The first occurs when a user joins a domain in an Active Directory realm.
If we're joining the domain ibm.foo.bar, with user Administrator, then a
client will make a request with the realm being whatever the client types
as the domain name. If a client enters ibm.foo.bar, IBM.FOO.BAR, or
IBM.foo.BAR, the requests will go out as Administrator at ibm.foo.bar,
Administrator at IBM.FOO.BAR, or Administrator at IBM.foo.BAR respectively.
Regardless of the request, Active Directory will always return a ticket
for Administrator at IBM.FOO.BAR.
Additionally, it also appears that tickets can be requested via the
netbios-equivalent of the domain name (netbios naming is a flat naming
convention being slowly phased out of CIFS). So the above example would
also work if the client requested Administrator at IBM if IBM is the netbios
name of the domain.
Another interesting problem is with service principal names. Typically,
an AD client will request a ticket with a service principal in the form
HOST/dc.domain at REALM. If our domain controller (or kdc) resides on
dc.ibm.foo.bar, then this would be a request for
HOST/dc.ibm.foo.bar at IBM.FOO.BAR. Of course, in certain circumstances, a
client can request HOST/netbios_name at REALM or if our netbios dc name was
NBDC, HOST/NBDC$@IBM.FOO.BAR. In this circumstance, the dns form will be
Our solution has been a simple patch that accepts the different forms for
ticket names but we've been a little uncertain what the best long term
solution to this problem would be. Any input would be greatly
I can provide network traces if desired (I wasn't sure if this list
accepts binary attachments).
Linux/Active Directory Interoperability
Linux Technology Center (LTC) - IBM Austin
E-mail: aliguor at us.ibm.com
Phone: (512) 838-1208
Tie Line: 678-1208
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the krbdev