Hi Andrew:
I am in the process of filing a document bug for this issue but in the meantime 
here is the reason why Windows Server 2003 behaves this way and how Windows KDC 
deals with it.

Windows Server 2003 has a test in the code that tests if there is a referral 
loop. Here is what happens:

My domain name is S4DOM.NET and the NETBIOS name is S4DOM. In this scenario, 
due to referral, there are two TGTs. One returned in AS Response will be 
referred to as TGT1 and the one returned in the TGS response will be referred 
to as TGT2. 
For this discussion, I’ll use Sname as servicename/hostname where host name is 
either <DNS domain name> or <NETBIOS domain name>.

Here is what happens:
1. WS2k3 client sends AS Request with Realm = s4dom and Sname = krbtgt/s4dom
2. In AS Response, Samba KDC sends TGT1. TGT1 contains Realm = s4dom.net and 
   Sname = krbtgt/s4dom
3. WS2k3 sends a TGS request with Realm = s4dom and Sname = krbtgt/s4dom.net
4. Samba KDC sends the TGS response that contains TGT2. In TGT2, Realm is 
   s4dom.net and Sname is krbtgt/s4dom.net


Windows 2003 checks for referral loop as follows:

(Realm in TGT1 == hostname in TGT2) AND !(hostname in TGT1 == hostname in TGT2)

If the expression evaluates to TRUE, a loop is detected and the error you are 
observing is shown to the user.

Clients of Windows Vista and onwards do not make this check.

Windows KDC deals with this situation by sending both Realm in TGT1 and 
hostname in TGT1 as the same value (s4dom.net in this case). 
This causes the client to send a TGS Request with Realm and hostname as 
s4dom.net. The KDC sends a TGS response with Realm in TGT2 being equal to 
hostname in TGT2 (s4dom.net in this case), so the expression mentioned above 
evaluates to FALSE and no referral loop is detected.

You probably know it already, but I'll mention it just for completeness. I can 
log in by using [email protected] on WS2k3 client when KDC is Samba.

I’ll update you as soon as I have the changes in the document. Please let me 
know if it answers your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
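The referral-loop check and the two KDC behaviours described in the reply above, modelled as an added example (not code from the email, from Samba or from Microsoft). The ticket values are constructed from steps 1-4; comparing names case-insensitively and the canonicalise_as_rep helper are assumptions, not documented behaviour.

```python
# Added example (not code from the email, Samba, or Microsoft): a small model of
# the Windows Server 2003 referral-loop check, run against the two KDC
# behaviours described in the thread. Ticket contents are constructed from the
# thread's steps 1-4; case-insensitive comparison of names is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tgt:
    """The two ticket fields the check looks at."""
    realm: str   # Realm field of the TGT
    sname: str   # service principal, krbtgt/<hostname>

    @property
    def hostname(self) -> str:
        """Second component of krbtgt/<hostname>."""
        service, _, host = self.sname.partition("/")
        if service != "krbtgt" or not host:
            raise ValueError(f"not a TGT service name: {self.sname!r}")
        return host


def ws2k3_referral_loop(tgt1: Tgt, tgt2: Tgt) -> bool:
    """(Realm in TGT1 == hostname in TGT2) AND !(hostname in TGT1 == hostname in TGT2)

    TRUE means the WS2k3 client reports a loop and the logon fails.
    """
    realm1 = tgt1.realm.lower()   # assumption: names compare case-insensitively
    host1 = tgt1.hostname.lower()
    host2 = tgt2.hostname.lower()
    return realm1 == host2 and not (host1 == host2)


def samba_kdc_exchange(dns_realm: str = "s4dom.net", netbios: str = "s4dom") -> tuple[Tgt, Tgt]:
    """Tickets as the thread describes Samba issuing them (steps 2 and 4)."""
    tgt1 = Tgt(realm=dns_realm, sname=f"krbtgt/{netbios}")    # AS-REP, NetBIOS hostname
    tgt2 = Tgt(realm=dns_realm, sname=f"krbtgt/{dns_realm}")  # TGS-REP referral, DNS hostname
    return tgt1, tgt2


def windows_kdc_exchange(dns_realm: str = "s4dom.net") -> tuple[Tgt, Tgt]:
    """Tickets as the thread describes a Windows KDC issuing them: TGT1 already
    carries the DNS name in both Realm and sname, so TGT2 matches it."""
    tgt1 = Tgt(realm=dns_realm, sname=f"krbtgt/{dns_realm}")  # AS-REP
    tgt2 = Tgt(realm=dns_realm, sname=f"krbtgt/{dns_realm}")  # TGS-REP
    return tgt1, tgt2


def canonicalise_as_rep(tgt1: Tgt) -> Tgt:
    """Hypothetical mitigation mirroring the Windows KDC behaviour: issue the
    AS-REP TGT with the sname hostname equal to the ticket's Realm."""
    return Tgt(realm=tgt1.realm, sname=f"krbtgt/{tgt1.realm}")


def loop_detected_for(kdc: str) -> bool:
    """Run the WS2k3 check against one of the two modelled KDCs."""
    exchanges = {"samba": samba_kdc_exchange, "windows": windows_kdc_exchange}
    return ws2k3_referral_loop(*exchanges[kdc]())


if __name__ == "__main__":
    for kdc in ("samba", "windows"):
        print(f"{kdc:8s} KDC -> loop detected: {loop_detected_for(kdc)}")
    tgt1, tgt2 = samba_kdc_exchange()
    print("samba after canonicalising AS-REP ->",
          ws2k3_referral_loop(canonicalise_as_rep(tgt1), tgt2))
```

Running the block shows the Samba exchange tripping the check (TGT1 hostname s4dom differs from TGT2 hostname s4dom.net while TGT1 Realm equals it) and the Windows-style exchange passing; the same check passes once the AS-REP ticket is issued with the DNS name in its sname, which is the behaviour the reply attributes to the Windows KDC.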

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Tuesday, February 01, 2011 6:26 PM
To: Interoperability Documentation Help
Cc: [email protected]
Subject: Please provide windows behaviour notes on MS-KILE's reference to 
Referrals-11

I'm trying to understand Microsoft's behaviour around referrals to trusted 
domains, and referrals as generated between the NetBIOS and DNS names for a 
domain.

I think this is meant to be covered by
http://tools.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-11 
referred to as Referrals-11 in MS-KILE.

However, what I really need is some detail on exactly how Microsoft implements 
it, as sadly I have little confidence that Windows 2003 follows exactly an RFC 
proposal last dated in 2008 :-)

Presumably these need to be addressed in Windows behaviour notes. 

In particular, I'm looking at the example archived here: 
http://permalink.gmane.org/gmane.network.samba.internals/53515

The issue in this case is that the user logs in with DOMAIN\user and Samba 
attempts to transform that into user@REALM, but the client does not appear to 
accept the cross-realm ticket (to ourselves) that we generate. 

Any assistance you can give would be most welcome. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.



Microsoft is committed to protecting your privacy. Please read the Microsoft 
Privacy Statement for more information. The above is an email for a support case 
from Microsoft Corp. REPLY ALL TO THIS MESSAGE or INCLUDE [email protected] 
IN YOUR REPLY if you want your response added to the case automatically. For 
technical assistance, please include the Support Engineer on the TO: line. 
Thank you.
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
