
Re: Kerberos-Referrals (walk realm tree)

Marko Damaschke <heimdal@mdam.de> writes:

> Hello,
> I've got a problem with a Windows/Heimdal mixed environment which
> isn't a Windows/MIT-Kerberos environment.
> The environment is a Heimdal realm where all user principals exist
> and a Windows domain structure where the AD root domain has a
> cross-realm trust to the Heimdal realm. Additionally, for each
> user principal in the Heimdal DB there exists a corresponding user
> object in the AD.
> This works fine for an authentication from a client in the AD root
> domain. The user gets a krbtgt for the Heimdal realm and so a krbtgt
> for the AD root from the Heimdal, and with the help of this, service
> tickets from the AD server.
>
> But when a subdomain is integrated in the Windows structure, this way
> doesn't work. First the user is authenticated by the Heimdal server,
> but the Heimdal isn't able to obtain a path to the Kerberos server of
> the subdomain because just a trust to the root domain exists.
> The client requests a service ticket for his domain and just a path
> via the AD root is possible.
>
> As an example, the Heimdal realm is DOMAIN.TLD and the AD root is
> AD.DOMAIN.TLD. The AD subdomain is SUB.AD.DOMAIN.TLD. In the scenario
> above the user sends an AS to Heimdal for user@DOMAIN.TLD and gets a
> krbtgt/DOMAIN.TLD. With the help of this the client requests a TGT for
> SUB.AD.DOMAIN.TLD, which the Heimdal isn't able to obtain.
>
> MIT Kerberos uses an interesting way in this case: it explodes the
> request at the dots and tries to find a principal which matches the new
> construct. So it obtains a krbtgt/AD.DOMAIN.TLD and a referral to the
> KDC of this realm (the AD root server). There it is possible to obtain
> a krbtgt/SUB.AD.DOMAIN.TLD because of the Windows trusts.
> The function is called "find_alternate_tgs" resp.
> "krb5_walk_realm_tree" in MIT.
>
> And the benefit of this way is the usage of the corresponding user
> object in the AD root domain. So you don't need to administer a
> user object in each AD, just in the AD root.
>
> Is there a possibility to configure an analogous behavior in Heimdal?
> Or is there a workaround?

There is enough code in Heimdal to handle referrals to make Windows
happy. The code handles the common case, when there is a direct trust, by
itself. If there are multihop trusts, you have to add [domain_realm]
mappings in the KDC's krb5.conf.

For example, subdomain.su.se is joined to the AD (WIN.SU.SE), so we have in
our krb5.conf:
[domain_realm]
        .subdomain.su.se = WIN.SU.SE

And then the KDC will send back a referral to WIN.SU.SE:

.... Returning a referral to realm WIN.SU.SE for server cifs/host.subdomain.su.se@SU.SE that was not found

Also see the info documentation about trust validation (capaths).

http://www.pdc.kth.se/heimdal/heimdal.html#Transit-policy

Love
