Shawn M Emery wrote:
> This is a request for a code review of the following changes:
> 
> PSARC/2007/401 kclient version 2
> 6287615 kclient enhancement to support domain joining for AD interop
> 6263626 kclient does not accept 'search' type lines in resolv.conf
> 6362266 kclient doesn't support aliasing KDCs
> 6405691 kclient should be used to configure DHCP/VPN clients and for 
> non-Solaris KDCs
> 6629530 kpasswd(1) in SET_CHANGE mode should try kpasswd_server first
> 
> Webrev can be found here:
> http://cr.opensolaris.org/~semery/6287615
> 
> Shawn.
> --
> 

We have run into issues when using AD as the KDC. It's not clear from
your web site if these issues have been addressed. We have been using
the open source msktutil which uses ldap/sasl/gssapi to authenticate
to AD as an admin.

   o An AD account has one password and one kvno, but can have multiple
     SPNs. Thus a change to the password in effect changes the keys for
     all the shared SPNs.

     If a keytab entry for a single SPN has multiple keys, say DES
     and RC4, they must all be changed at the same time using the same
     password to derive the key.

   o If two different SPNs, say host/<fqdn> and nfs/<fqdn>, share the
     same account, they have the same issue and may not even be in
     the same keytab file!

     One best solution is to use separate AD accounts for each SPN,
     but this then requires a naming convention for the account names.
     Account names are limited to 19 characters (plus a $) and must be
     unique in the domain. Most principal names are more than 19 characters.

   o There is an issue with the DES salt used by AD to derive the key.
     It uses the account name, not the SPN.

   o AD also has flags associated with the account to define if it is
     OK to delegate to the service, if the service ticket needs to have
     the PAC included, and if only DES should be used. msktutil uses the
     --delegation, --no-pac and --des-only options. The delegation is the most
     important of these, as most Unix machines are considered servers.
     AD defaults to no delegation, and the admin needs special privileges
     to set this flag in the service account.


> _______________________________________________
> kerberos-discuss mailing list
> kerberos-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
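
A check an admin could run over the keytab entries of a host, added here as an example and not code from the thread, from kclient or from msktutil; the KeytabEntry shape, the SPN-to-account mapping and the sample entries are constructed assumptions that follow the AD model described above (one password and one kvno per account, shared by every SPN and enctype on that account):

```python
# Added example, not code from the thread or msktutil: checks that follow from
# the AD model above (one password and one kvno per account, shared by SPNs).
from collections import defaultdict
from typing import NamedTuple

class KeytabEntry(NamedTuple):
    principal: str   # e.g. "host/fs1.example.com@EXAMPLE.COM"
    kvno: int
    enctype: str     # e.g. "des-cbc-crc" or "arcfour-hmac"
    keytab: str      # file the entry was read from

def check_keytab_entries(entries, spn_to_account):
    """Return findings as strings; an empty list means nothing looked wrong.
    spn_to_account maps SPN -> sAMAccountName (assumed here; in practice it
    is read from the account's servicePrincipalName attribute in LDAP)."""
    findings = []
    by_account = defaultdict(list)
    for e in entries:
        acct = spn_to_account.get(e.principal)
        if acct is None:
            findings.append(f"{e.principal}: no AD account known for this SPN")
            continue
        by_account[acct].append(e)
    for acct, ents in sorted(by_account.items()):
        # Account names are limited to 19 characters plus the trailing '$'.
        if len(acct.rstrip("$")) > 19:
            findings.append(f"account {acct}: name exceeds the 19-character limit")
        # All keys derived from one account's password share a kvno, so an
        # entry at an older kvno (say a DES key that missed a rotation) is stale.
        newest = max(e.kvno for e in ents)
        for e in ents:
            if e.kvno != newest:
                findings.append(f"{e.principal} {e.enctype} kvno {e.kvno} in "
                                f"{e.keytab}: stale, {acct} is at kvno {newest}")
        # SPNs of one account spread over several keytabs must all be
        # rewritten together when that account's password changes.
        spns = {e.principal for e in ents}
        files = {e.keytab for e in ents}
        if len(spns) > 1 and len(files) > 1:
            findings.append(f"account {acct} backs {sorted(spns)} across "
                            f"{sorted(files)}: rotate them together")
    return findings

# Constructed sample: host/ and nfs/ share FS1$ but sit in different keytabs,
# and the DES key for host/ missed the last password rotation.
SAMPLE_ACCOUNTS = {"host/fs1.example.com@EXAMPLE.COM": "FS1$",
                   "nfs/fs1.example.com@EXAMPLE.COM": "FS1$"}
SAMPLE_ENTRIES = [
    KeytabEntry("host/fs1.example.com@EXAMPLE.COM", 3, "arcfour-hmac", "/etc/krb5/krb5.keytab"),
    KeytabEntry("host/fs1.example.com@EXAMPLE.COM", 2, "des-cbc-crc", "/etc/krb5/krb5.keytab"),
    KeytabEntry("nfs/fs1.example.com@EXAMPLE.COM", 3, "arcfour-hmac", "/etc/krb5/nfs.keytab"),
]
```

Running `check_keytab_entries(SAMPLE_ENTRIES, SAMPLE_ACCOUNTS)` reports the stale DES entry and the account whose SPNs are split across two keytab files.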
