anonymous realm and host realm referrals
hartmans at MIT.EDU
Thu Dec 17 12:36:42 EST 2009
Principals in the anonymous realm work very poorly with client side host
Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
12/17/09 12:25:01 12/17/09 22:25:01 krbtgt/SUCHDAMAGE.ORG at SUCHDAMAGE.ORG
hartmans at live:build(437)> kvno -S host luminous.suchdamage.org
kvno: Cannot find ticket for requested realm while getting credentials for host/
What's going on here is that I don't have a domain_realm mapping for
luminous.suchdamage.org. So, the library returns a null realm indicating
I should try the client KDC.
Within the library I look at the default principal for my ccache and
try and send the request to that realm. So, I try and send a request
for host/luminous.suchdamage.org at WELLKNOWN:ANONYMOUS.
That fails because I don't have a krbtgt/WELLKNOWN:ANONYMOUS ticket.
If I did have such a ticket it would still fail because sendto_kdc
can't find the address of the WELLKNOWN:ANONYMOUS realm.
I can see several approaches:
1) Ignore the issue. The primary use cases for the anonymous project
are kadmin and FAST armor tickets. This does not become a problem for
either use case.
2) Store WELLKNOWN/ANONYMOUS at REALM in the ccache not
WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS. This is problematic because
you cannot distinguish fully anonymous tickets received via the AS
request from partially anonymous tickets received via the TGS req. We
don't currently support the second class of tickets, but the draft does
and we may some day.
3) Introduce functionality to find the first TGT in the ccache when
trying to contact the client's KDC and using the anonymous realm.
I favor option 1 for now with option 3 in the future.
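The realm selection described in the message, and the fallback proposed as option 3, as an added model in Python. This is not MIT Kerberos library code and not Sam's; the domain_realm table, the ccache contents and the function names are constructed here to mirror the klist output above (the `.example.org` mapping is a made-up entry so that the mapped case can be exercised too).

```python
# Added example (not MIT Kerberos library code): a small model of how a
# client picks the realm to send a TGS request to when the host has no
# domain_realm mapping, and of option 3 from the message (use the realm of
# the first krbtgt ticket in the ccache when the client realm is anonymous).

ANONYMOUS_REALM = "WELLKNOWN:ANONYMOUS"

# Constructed sample configuration: luminous.suchdamage.org has no mapping,
# matching the situation in the message. The .example.org entry is made up.
DOMAIN_REALM = {
    ".example.org": "EXAMPLE.ORG",
}

# Constructed ccache mirroring the klist output in the message.
CCACHE = {
    "default_principal": "WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS",
    "tickets": [
        "krbtgt/SUCHDAMAGE.ORG@SUCHDAMAGE.ORG",
    ],
}


def realm_of(principal):
    """Return the realm component of a principal name."""
    return principal.rsplit("@", 1)[1]


def host_realm(hostname, domain_realm):
    """Model a domain_realm lookup: exact host, then each parent domain.

    Returns None for the "null realm" case, which the library treats as
    "try the client's KDC".
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    keys = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in domain_realm:
            return domain_realm[key]
    return None


def first_tgt_realm(ccache):
    """Option 3: realm of the first krbtgt/REALM@REALM ticket, or None."""
    for ticket in ccache["tickets"]:
        service, realm = ticket.rsplit("@", 1)
        if service == "krbtgt/" + realm:
            return realm
    return None


def choose_kdc_realm(hostname, ccache, domain_realm, use_first_tgt=False):
    """Decide which realm the TGS request for host/<hostname> goes to.

    Returns (realm, status). status is "ok" when a usable realm was found,
    and "no_tgt_for_anonymous_realm" when the request would fail the way
    the message describes (no krbtgt for WELLKNOWN:ANONYMOUS, and no KDC
    address for that realm either).
    """
    realm = host_realm(hostname, domain_realm)
    if realm is not None:
        return realm, "ok"
    # Null realm: fall back to the realm of the ccache's default principal.
    client_realm = realm_of(ccache["default_principal"])
    if client_realm != ANONYMOUS_REALM:
        return client_realm, "ok"
    # Anonymous realm: without option 3 this is the failing path.
    if use_first_tgt:
        tgt_realm = first_tgt_realm(ccache)
        if tgt_realm is not None:
            return tgt_realm, "ok"
    return client_realm, "no_tgt_for_anonymous_realm"


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, choose_kdc_realm("luminous.suchdamage.org", CCACHE,
                                     DOMAIN_REALM, use_first_tgt=flag))
```

With `use_first_tgt=False` the model reproduces the failure in the message (the request would be aimed at WELLKNOWN:ANONYMOUS); with it set, the realm of the SUCHDAMAGE.ORG TGT is used instead.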