On Tuesday, March 30, 2004 06:13:20 -0800 Lara Adianto <[EMAIL PROTECTED]> wrote:
> I have a doubt on the following line: Target Name: HOST/[EMAIL PROTECTED] Shouldn't the client send a TGS_REQ for HOST/[EMAIL PROTECTED] instead?
> But if my doubt is correct, how can the client know that test_w2kserver is in LARA_W2K realm and not LARA_HMD?
In the traditional scenario, services are named using principal names like service/fully.qualified.domain.name, where <service> could be "host" or some more specific name, depending on what service you're talking to. The default assumption is that the realm of such a service is computed by dropping the first component of the host's fully qualified name, and upcasing the rest. So service/fully.qualified.domain.name would be in the realm QUALIFIED.DOMAIN.NAME. Each client then has a configuration file which describes variations on and exceptions to this algorithm.
Microsoft chose a different approach, the main intent of which is to concentrate service-to-realm mappings in the KDCs, eliminating the need to distribute a complex configuration file to every client. In this model, a client always starts by assuming the service is in the user's home realm, and thus sends a TGS request to the user's home KDC. If the service actually is in that realm, it gets a ticket back. If not, the KDC is expected to send a cross-realm referral, in the form of a cross-realm TGT for the correct realm (or at least another realm that's "closer" to the correct realm).
The main problem you're seeing is that the Heimdal KDC does not issue cross-realm referrals. As a result, you cannot contact any service not in your home realm.
If your client machine is a member of the LARA_W2K domain, then it is possible under certain circumstances to convince it that it should try sending requests to that realm as well. I'm not familiar with exactly what needs to be done, but I'd hope the Microsoft Kerberos interop document would cover this case.
Good luck...
-- 
Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
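As an added illustration (not code from the thread or from any Kerberos implementation), here is the traditional client-side realm selection described above: drop the first label of the service host's FQDN, upcase the rest, and let a krb5.conf-style [domain_realm] exception table override that default before the client names its TGS_REQ target. The hostnames and domains are constructed; only the realm name LARA_W2K and the host name test_w2kserver come from the thread.

```python
# Added example: how a traditional (non-referral) Kerberos client decides which
# realm a service principal lives in before sending a TGS_REQ for it.

# Constructed sample [domain_realm]-style mappings (assumed names, not from the
# post). Keys starting with "." cover every host under that domain; other keys
# are single-host exceptions. Keys are lowercase.
DOMAIN_REALM = {
    ".w2k.example.com": "LARA_W2K",                  # whole-domain mapping
    "test_w2kserver.hmd.example.com": "LARA_W2K",    # single-host exception
}

def default_realm_for_host(hostname: str) -> str:
    """Default heuristic from the post: drop the first DNS label, upcase the rest."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"{hostname!r} is not a fully qualified host name")
    return ".".join(labels[1:]).upper()

def realm_for_host(hostname: str, mapping=DOMAIN_REALM) -> str:
    """Most specific [domain_realm] entry wins; otherwise fall back to the default."""
    host = hostname.rstrip(".").lower()
    if host in mapping:                      # exact host-name entry
        return mapping[host]
    labels = host.split(".")
    # Walk up the parent domains: ".a.b.c", then ".b.c", then ".c"
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm_for_host(host)

def service_principal(service: str, hostname: str, mapping=DOMAIN_REALM) -> str:
    """Build service/fqdn@REALM, the target name the client puts in its TGS_REQ."""
    host = hostname.rstrip(".").lower()
    return f"{service}/{host}@{realm_for_host(host, mapping)}"

if __name__ == "__main__":
    for h in ("test_w2kserver.hmd.example.com",
              "fileserver.w2k.example.com",
              "mail.hmd.example.com"):
        print(service_principal("host", h))
```

Without the exception entry, test_w2kserver would be mapped to HMD.EXAMPLE.COM by the default rule, which is exactly the ambiguity the Microsoft referral model avoids by letting the home KDC redirect the client instead.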
