[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Kerberos-Referrals (walk realm tree)
Hello,
i've got a problem with a windows heimdal mixed environment which
isn't in a windows mit-kerberos environment.
The environment is a heimdal-realm where all user principals exists
and a windows-domain structure where the AD root domain has a
cross-realm-trust to the heimdal realm. Additional exists for each
user principal in the heimdal db a corresponding user object in the
AD.
This works fine for an authentication from a client in the AD root
domain. The user gets a krbtgt for heimdal-realm and so a krbtgt for
AD root from the heimdal and with the help of this service tickets
from the AD-server.
But when a subdomain is integrated in the windows structure, this way
doesn't work. First the user is authenticated by the heimdal server
bus the heimdal isn't able to obtain a path to the kerberos server of
the subdomain because just a trust to the root domain exists.
The client requests a service ticket for his domain and just a path
via the AD-root is possible.
As an example the heimdal-realm is DOMAIN.TLD and the AD-Root is
AD.DOMAIN.TLD. The AD-Subdomain is SUB.AD.DOMAIN.TLD. In the scenario
above the user send an AS to heimdal for user@DOMAIN.TLD gets an
krbtgt/DOMAIN.TLD. With the help of this the client requests a TGT for
SUB.AD.DOMAIN.TLD, which the heimdal isn't able to obtain.
MIT-Kerberos uses a interesting way in this case: It explodes the
request at the dots and try to find a principal which matchs the new
construct. So it obtains a krbtgt/AD.DOMAIN.TLD and a referal to the
KDC of this Realm (the AD-Root-server). There it is possible to obtain
a krbtgt/SUB.AD.DOMAIN.TLD because of the windows trusts.
The function is called "find_alternate_tgs" resp.
"krb5_walk_realm_tree" in MIT.
And the benefit of this way is the usage of the user object
correspondig in the AD-root-domain. So you don't need to administer a
user object in each AD, just in the AD-root.
Is there a possibility of configure a analog behavior in heimdal?
Or gives a workaround?
Thanks in advance!
Marko Damaschke