KfW-2.6 beta2 in a mixed realm environment, wrong client principal

Douglas E. Engert deengert at anl.gov
Tue Jan 20 17:57:04 EST 2004

There may be a bug/misunderstanding in W2K which is carried forward 
into KfW. It looks like the MS code may be reporting the wrong realm
of the client when returning a ticket with KERB_RETRIEVE_TKT_RESPONSE. 

The KERB_EXTERNAL_TICKET structure says: 
  KERB_EXTERNAL_NAME structure containing the client name in the 
  ticket. This name is relative to the current domain. 

The clue to the problem may be "relative to the current domain",
whatever that means. 

We have two realms, ANL.GOV is a W2K domain, and KRB5.ANL.GOV
is using a MIT 1.2.8 KDC. 

I logon using Windows login to the local workstation that is
listed as host/deet22.ctd.anl.gov at KRB5.ANL.GOV

This causes a TGT and cross realm TGT to be obtained. 
But notice below that the principal listed for the cross realm
TGT and the host ticket is b17783 at KRB5.ANL.GOV, rather
than what is actually in the ticket, b17783 at ANL.GOV.


 C:\Program Files\MIT\Kerberos\bin>klist -e
Ticket cache: API:krb5cc
Default principal: b17783 at ANL.GOV

Valid starting     Expires            Service principal
01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/KRB5.ANL.GOV at ANL.GOV
        for client b17783 at KRB5.ANL.GOV, renew until 01/27/04 16:11:50
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5

01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/ANL.GOV at ANL.GOV
        renew until 01/27/04 16:11:50, Etype (skey, tkt): etype 0, ArcFour with
01/20/04 16:11:57  01/21/04 02:11:50  host/deet22.ctd.anl.gov at KRB5.ANL.GOV
        for client b17783 at KRB5.ANL.GOV, renew until 01/27/04 16:11:50
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5

The Windows kerbtray.exe lists the client name correctly in the krbtgt/ANL.GOV at ANL.GOV
and the krbtgt/KRB5.ANL.GOV at ANL.GOV tickets but not in the 
host/deet22.ctd.anl.gov at KRB5.ANL.GOV ticket. 

The KRB5.ANL.GOV KDC logs show the client name correctly in the host ticket as 
b17783 at ANL.GOV

This was not a problem with the older ms2mit, which only copied the single TGT.
But KfW appears to copy both TGTs. 

Some GSSAPI programs fail when trying to use these tickets. If I use Leash and
give it b17783 at ANL.GOV and the password, the GSSAPI applications work. 

So the interpretation of "relative to the current domain" may need to be looked at closely. 


 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
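The symptom reported above (a ticket whose "for client" principal carries a realm different from the default principal's realm, with the name the list archive prints as "b17783 at KRB5.ANL.GOV" where the KDC issued it to b17783@ANL.GOV) can be spotted mechanically in `klist -e` output. The following Python script is an added example, not code from the original message or from KfW: it parses a constructed klist listing modelled on the one above (with "@" restored where the archive shows " at "), and flags every ticket whose client realm disagrees with the default principal's realm. The date format and the "for client" wording are assumptions taken from the listing in the message; other klist versions and locales print dates differently.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the klist -e listing in the message above.
# The list archive prints "@" as " at "; it is restored here so the principals parse.
SAMPLE_KLIST = """\
Ticket cache: API:krb5cc
Default principal: b17783@ANL.GOV

Valid starting     Expires            Service principal
01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/KRB5.ANL.GOV@ANL.GOV
        for client b17783@KRB5.ANL.GOV, renew until 01/27/04 16:11:50
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5

01/20/04 16:11:50  01/21/04 02:11:50  krbtgt/ANL.GOV@ANL.GOV
        renew until 01/27/04 16:11:50, Etype (skey, tkt): etype 0, ArcFour with HMAC/md5
01/20/04 16:11:57  01/21/04 02:11:50  host/deet22.ctd.anl.gov@KRB5.ANL.GOV
        for client b17783@KRB5.ANL.GOV, renew until 01/27/04 16:11:50
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

# A ticket line starts with two MM/DD/YY HH:MM:SS timestamps followed by the
# service principal (assumed format, as printed in the message).
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
# klist prints "for client X" only when the client in the ticket differs
# from the cache's default principal.
CLIENT_RE = re.compile(r"for client ([^\s,]+)")
DEFAULT_RE = re.compile(r"^Default principal:\s*(\S+)")


@dataclass
class Ticket:
    service: str
    # None means klist printed no "for client" line, i.e. the client is
    # the default principal.
    client: Optional[str] = None


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, realm); the realm follows the last '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return name, realm


def parse_klist(text: str) -> Tuple[str, List[Ticket]]:
    """Return (default principal, tickets) from a klist -e listing."""
    default = None
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(service=m.group(3)))
            continue
        # Indented continuation lines belong to the most recent ticket.
        m = CLIENT_RE.search(line)
        if m and tickets:
            tickets[-1].client = m.group(1)
    if default is None:
        raise ValueError("no 'Default principal:' line found")
    return default, tickets


def find_realm_mismatches(text: str) -> List[Tuple[str, str, str]]:
    """Tickets whose client realm differs from the default principal's realm.

    Each finding is (service principal, client as listed, client as expected
    if the name were in the default principal's realm).
    """
    default, tickets = parse_klist(text)
    _, default_realm = split_principal(default)
    findings = []
    for t in tickets:
        if t.client is None:
            continue
        name, realm = split_principal(t.client)
        if realm != default_realm:
            findings.append((t.service, t.client, f"{name}@{default_realm}"))
    return findings


if __name__ == "__main__":
    for service, listed, expected in find_realm_mismatches(SAMPLE_KLIST):
        print(f"{service}: client listed as {listed}, expected {expected}")
```

Run on the sample, the check reports the cross-realm TGT and the host ticket, which are exactly the two entries the message singles out. A mismatch found this way is a cue to compare the cache against the KDC log (as the message does), not proof of the bug by itself: a cache can legitimately hold tickets obtained for a principal in another realm.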
