2008 R2

Tom Yu tlyu at MIT.EDU
Wed Sep 29 17:49:33 EDT 2010


Bill Fellows <wrfellows at yahoo.com> writes:

> We got this response from Microsoft technical support:
>
> "I have received an update from my SME on the data which has been
> provided to us. The problem is the name-type used for the TGT
> request is set to Unknown:
>
> 133         2010-08-26 17:15:17.284157         x.x.x.x
> x.x.x.x     KRB5      AS-REQ
> Server Name (Unknown): krbtgt/EXAMPLE.COM
> Name-type: Unknown (0)
> Name: krbtgt
> Name: EXAMPLE.COM
>
> The name-type needs to be Service and Instance.  The reason it
> works against the Writable DCs is that those DCs don't need to
> proxy the authentication, RODCs do.  In W2K8R2 there were additional
> checks in the Kerberos decryption code path which now exposes this
> problem."

That statement implies that the difficulty is with the principal
name-type of the TGS principal (krbtgt/EXAMPLE.COM).  A reasonable
interpretation of RFC 4120 is that an implementation should not
require that the name-type be a certain value when processing a
request, which matches historical behavior.

> I've attached a network capture displaying this problem.

The mailing list software strips out non-text attachments.

>> -----Original Message-----
>> From: krbdev-bounces at mit.edu
>> [mailto:krbdev-bounces at mit.edu]
>> On Behalf Of Bill Fellows
>> Sent: Wednesday, September 22, 2010 2:13 PM
>> To: krbdev at mit.edu
>> Subject: 2008 R2 
>> 
>> Hi,
>> 
>> I'm unable to authenticate through Kerberos to a 2008 R2
>> read only domain controller (RODC) with Samba 3.5.5. I
>> changed the krb5_princ_type field in bld_pr_ext.c
>> krb5_build_principal_ext() to KRB5_NT_SRV_INST from
>> KRB5_NT_UNKNOWN and this solved the problem. Is there a
>> better / safer fix for this bug?

I suspect that a safer solution would be to explicitly reset the
principal type in the relevant places in the get_init_creds()
implementation, but I still think it's wrong for Windows Server 2008
R2 to be denying the request solely on the basis of the principal
type.
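To make the disputed field concrete, here is an added example (not code from this thread, MIT krb5, Samba or Windows) that encodes the AS-REQ sname as a DER PrincipalName per RFC 4120 section 5.2.2 with the two name-types discussed above, decodes it again, and applies two acceptance checks: a lenient one in the RFC 4120 reading Tom describes (match on the name-string only) and a strict one that merely models the RODC behaviour Microsoft reported (require NT-SRV-INST). The strict check, and the names tgs_sname and kdc_accepts_sname, are assumptions made for this example, not Windows' or the KDC's actual logic.

```python
"""Kerberos PrincipalName name-type on the wire (constructed example).

Not code from MIT krb5, Samba or Windows.  Encodes the AS-REQ sname for
krbtgt/REALM (RFC 4120 section 5.2.2) with a chosen name-type and shows a
lenient check (RFC 4120 reading: any name-type) beside a strict one that
models the reported 2008 R2 RODC behaviour (NT-SRV-INST required).  The
strict check is an assumption for illustration, not Windows' actual logic.
"""

# Name-type values from RFC 4120 section 6.2.
KRB5_NT_UNKNOWN = 0
KRB5_NT_PRINCIPAL = 1
KRB5_NT_SRV_INST = 2


def _der_length(n):
    """DER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    """DER INTEGER for a non-negative Int32 (minimal two's-complement)."""
    if value < 0:
        raise ValueError("name-type values used here are non-negative")
    n = max(1, (value.bit_length() + 8) // 8)  # +8 keeps the sign bit clear
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_principal_name(name_type, name_string):
    """PrincipalName ::= SEQUENCE { name-type   [0] Int32,
                                    name-string [1] SEQUENCE OF KerberosString }
    KerberosString is a GeneralString (tag 0x1B); [0]/[1] are explicit tags."""
    strings = b"".join(_tlv(0x1B, s.encode("ascii")) for s in name_string)
    return _tlv(0x30, _tlv(0xA0, _der_integer(name_type))
                      + _tlv(0xA1, _tlv(0x30, strings)))


def _read_tlv(data, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_principal_name(data):
    """Inverse of encode_principal_name; returns (name_type, [components])."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single SEQUENCE")
    tag0, nt_body, pos = _read_tlv(body, 0)
    tag1, ns_body, pos = _read_tlv(body, pos)
    if (tag0, tag1) != (0xA0, 0xA1) or pos != len(body):
        raise ValueError("unexpected PrincipalName layout")
    itag, ibody, _ = _read_tlv(nt_body, 0)
    if itag != 0x02:
        raise ValueError("name-type is not an INTEGER")
    name_type = int.from_bytes(ibody, "big", signed=True)
    stag, sbody, _ = _read_tlv(ns_body, 0)
    if stag != 0x30:
        raise ValueError("name-string is not a SEQUENCE")
    comps, pos = [], 0
    while pos < len(sbody):
        gtag, gbody, pos = _read_tlv(sbody, pos)
        if gtag != 0x1B:
            raise ValueError("name-string component is not a GeneralString")
        comps.append(gbody.decode("ascii"))
    return name_type, comps


def tgs_sname(realm, name_type=KRB5_NT_SRV_INST):
    """AS-REQ sname for the TGS principal krbtgt/REALM (hypothetical helper).
    The default is the name-type Bill switched to; pass KRB5_NT_UNKNOWN to
    reproduce the request shown in the capture."""
    return encode_principal_name(name_type, ["krbtgt", realm])


def kdc_accepts_sname(sname_der, realm, require_srv_inst):
    """Would a KDC take this sname as its own TGS principal?  (hypothetical)

    require_srv_inst=False is the RFC 4120 reading from the thread: the
    name-string must be krbtgt/REALM and the name-type is ignored.
    require_srv_inst=True models the reported RODC behaviour; it is an
    assumption made for this example, not Windows code."""
    name_type, comps = decode_principal_name(sname_der)
    if comps != ["krbtgt", realm]:
        return False
    if require_srv_inst:
        return name_type == KRB5_NT_SRV_INST
    return True


if __name__ == "__main__":
    for nt in (KRB5_NT_UNKNOWN, KRB5_NT_SRV_INST):
        der = tgs_sname("EXAMPLE.COM", nt)
        print(f"name-type {nt}: {der.hex()}",
              "lenient:", kdc_accepts_sname(der, "EXAMPLE.COM", False),
              "strict:", kdc_accepts_sname(der, "EXAMPLE.COM", True))
```

Running it shows that the two encodings differ in a single octet (the INTEGER inside the [0] tag), that the name-type 0 request passes the lenient check and fails the strict one, and that the NT-SRV-INST request passes both; that single-octet difference is the whole of what the patch to bld_pr_ext.c changes on the wire.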
