Re: Kerberos-Referrals (walk realm tree)
- To: Marko Damaschke <heimdal@mdam.de>
- Subject: Re: Kerberos-Referrals (walk realm tree)
- From: Love Hörnquist Åstrand <lha@kth.se>
- Date: Fri, 03 Feb 2006 12:56:15 +0100
- Cc: heimdal-discuss@sics.se
- In-Reply-To: <Pine.LNX.4.58.0512121447040.32309@pandora.hrz.tu-chemnitz.de> (Marko Damaschke's message of "Mon, 12 Dec 2005 15:30:48 +0100 (MET)")
- References: <Pine.LNX.4.58.0512121447040.32309@pandora.hrz.tu-chemnitz.de>
- Sender: owner-heimdal-discuss@sics.se
- User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/22.0.50 (darwin)
Marko Damaschke <heimdal@mdam.de> writes:
> Hello,
> I've got a problem with a Windows/Heimdal mixed environment which
> isn't a Windows/MIT-Kerberos environment.
> The environment is a Heimdal realm where all user principals exist
> and a Windows domain structure where the AD root domain has a
> cross-realm trust to the Heimdal realm. Additionally, for each
> user principal in the Heimdal DB there exists a corresponding user object in the
> AD.
> This works fine for an authentication from a client in the AD root
> domain. The user gets a krbtgt for the Heimdal realm and then a krbtgt for
> the AD root from the Heimdal, and with the help of this, service tickets
> from the AD server.
>
> But when a subdomain is integrated in the Windows structure, this
> doesn't work. First the user is authenticated by the Heimdal server,
> but the Heimdal isn't able to obtain a path to the Kerberos server of
> the subdomain because only a trust to the root domain exists.
> The client requests a service ticket for its domain and only a path
> via the AD root is possible.
>
> As an example, the Heimdal realm is DOMAIN.TLD and the AD root is
> AD.DOMAIN.TLD. The AD subdomain is SUB.AD.DOMAIN.TLD. In the scenario
> above the user sends an AS request to Heimdal for user@DOMAIN.TLD and gets a
> krbtgt/DOMAIN.TLD. With the help of this the client requests a TGT for
> SUB.AD.DOMAIN.TLD, which the Heimdal isn't able to obtain.
>
> MIT Kerberos uses an interesting way in this case: it explodes the
> request at the dots and tries to find a principal which matches the new
> construct. So it obtains a krbtgt/AD.DOMAIN.TLD and a referral to the
> KDC of this realm (the AD root server). There it is possible to obtain
> a krbtgt/SUB.AD.DOMAIN.TLD because of the Windows trusts.
> The function is called "find_alternate_tgs" resp.
> "krb5_walk_realm_tree" in MIT.
>
> And the benefit of this way is the usage of the corresponding user object
> in the AD root domain. So you don't need to administer a
> user object in each AD, just in the AD root.
>
> Is there a possibility of configuring an analogous behavior in Heimdal?
> Or is there a workaround?
There is enough code in Heimdal to handle referrals to make Windows
happy. The code handles the common case, when there is a direct trust, by
itself. If there are multihop trusts, you have to add [domain_realm]
mappings in the KDC's krb5.conf.
For example, subdomain.su.se is joined to the AD (WIN.SU.SE), so we have in
our krb5.conf:
[domain_realm]
.subdomain.su.se = WIN.SU.SE
And then the kdc will send back to WIN.SU.SE
.... Returning a referral to realm WIN.SU.SE for server cifs/host.subdomain.su.se@SU.SE that was not found
Also see the info documentation about trust validation (capaths).
http://www.pdc.kth.se/heimdal/heimdal.html#Transit-policy
Love
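As an added illustration (not code from Heimdal or MIT), the two lookups discussed in this thread modelled in a few lines of Python: the hierarchical realm walk Marko attributes to MIT's krb5_walk_realm_tree, using his DOMAIN.TLD / AD.DOMAIN.TLD / SUB.AD.DOMAIN.TLD example, and the [domain_realm] suffix match that lets a KDC return the "Returning a referral to realm WIN.SU.SE ..." answer Love quotes. The `DOMAIN_REALM` dict is a constructed stand-in for that krb5.conf section; the function names are mine.

```python
from typing import Optional

# Constructed sample of the [domain_realm] section from Love's reply, as a dict.
DOMAIN_REALM = {".subdomain.su.se": "WIN.SU.SE"}


def walk_realm_tree(client_realm: str, server_realm: str) -> list[str]:
    """Hierarchical realm path in the style the thread attributes to MIT's
    krb5_walk_realm_tree: climb from the client realm to the longest shared
    DNS-style suffix, then descend to the server realm one label at a time."""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    common = 0  # number of trailing labels the two realms share
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    path = [".".join(c[i:]) for i in range(len(c) - common + 1)]          # climb
    path += [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]  # descend
    return [r for r in path if r]  # drop the empty root when nothing is shared


def next_hop_tgt(client_realm: str, server_realm: str) -> Optional[str]:
    """The cross-realm TGT a hierarchical KDC would hand back first, or None
    when client and server are already in the same realm."""
    path = walk_realm_tree(client_realm, server_realm)
    if len(path) < 2:
        return None
    return f"krbtgt/{path[1]}@{path[0]}"


def realm_for_host(host: str, domain_realm: dict[str, str]) -> Optional[str]:
    """Consult a [domain_realm] mapping: an exact host entry wins, otherwise
    the longest matching ".suffix" entry; None means the KDC has no mapping
    and therefore nothing to refer the client to."""
    h = host.lower().rstrip(".")
    if h in domain_realm:
        return domain_realm[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


def referral_for(server_principal: str, local_realm: str,
                 domain_realm: dict[str, str]) -> Optional[str]:
    """Realm a KDC should refer a host-based service principal to, or None
    when the principal is local or has no mapping (no referral is sent)."""
    name, _, _ = server_principal.partition("@")
    _, sep, host = name.partition("/")
    if not sep:
        return None  # not a service/host principal, nothing to map
    realm = realm_for_host(host, domain_realm)
    return realm if realm and realm != local_realm else None
```

Without the `.subdomain.su.se` entry, `realm_for_host` returns None and the KDC has no referral to offer, which is exactly the multihop failure Marko describes.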