Does anybody know if an MIT client can work with an RODC? Looking at page 142 of http://download.microsoft.com/download/e/e/0/ee04289a-02a7-45e9-86ce-e0ec41211c08/LHBOG_Plan.doc, I wonder how a TGS could be received, for example for SASL/GSSAPI authentication to the RODC LDAP port.
If BKCOMPUTER is a Unix host with an OpenLDAP client with SASL/GSSAPI support, the user BobKelly would do a kinit against the RODC and then start, for example, an ldapsearch, and I would assume at point 4 it would fail, as the MIT library receives an unknown error. Unfortunately I don't have an RODC at hand to test.

Service ticket acquisition

1. BKCOMPUTER transmits a Kerberos ticket-granting service (TGS) request (KRB_TGS_REQ) for BobKelly to RODC1 along with the TGT that was issued by WDC1.
2. RODC1 cannot decrypt the TGT because it does not know the password of the krbtgt account that writeable domain controllers use to encrypt the TGT. RODC1 therefore forwards the KRB_TGS_REQ to WDC1.
3. WDC1 receives and deciphers the KRB_TGS_REQ and replies with a Kerberos TGS response (KRB_TGS_REP) to RODC1.
4. Because RODC1 has cached BobKelly's credentials, it is able to satisfy requests for service tickets. Therefore, after receiving a KRB_TGS_REP from WDC1, RODC1 returns an error message to BKCOMPUTER, instead of a Service Ticket.
5. BKCOMPUTER discards the TGT that was previously issued by WDC1 after receiving the error message from RODC1. Then, BKCOMPUTER sends another KRB_AS_REQ to RODC1.
6. RODC1 receives the KRB_AS_REQ. Because BobKelly's credentials are cached, RODC1 uses its own krbtgt account to encrypt the TGT.
7. RODC1 then sends a KRB_AS_REP with the new TGT to BKCOMPUTER.
8. BKCOMPUTER sends another KRB_TGS_REQ (including the new TGT issued by RODC1) to RODC1.
9. RODC1 receives the KRB_TGS_REQ and is able to decrypt the TGT this time. Because BKCOMPUTER's credentials are cached locally, RODC1 generates and sends a KRB_TGS_REP with the service ticket to BKCOMPUTER for BobKelly.

Thank you
Markus

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
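The nine-step exchange quoted in the post, as an added toy model that is not part of the original message, of MIT Kerberos, or of Microsoft's document. It models the two krbtgt keys (the one shared by writable DCs and the RODC's own) and treats "decrypting" a ticket as verifying an HMAC tag under the issuing KDC's key, so a KDC without that key cannot read the TGT. It then runs two constructed clients against the model: one that follows steps 5-9 (discard the WDC1 TGT, re-do AS_REQ against RODC1, retry TGS_REQ) and one that treats the step-4 error as fatal, which is the behaviour the post worries an MIT client has. All key bytes, principal and service names, the error text, and the handling of principals that are not cached on the RODC (proxied to WDC1) are constructed assumptions for the example.

```python
"""Toy model of the RODC service-ticket flow (added example; constructed names and keys)."""
import hashlib
import hmac
import json

# Constructed keys: writable DCs share one krbtgt key, the RODC has its own krbtgt_<id> key.
KRBTGT_WDC1 = b"constructed-krbtgt-key-shared-by-writable-dcs"
KRBTGT_RODC1 = b"constructed-krbtgt_12345-key-of-rodc1"
SERVICE_KEYS = {"ldap/rodc1.example.com": b"constructed-rodc1-computer-account-key"}


def seal(key, payload):
    """Model of encrypting a ticket under `key`: JSON body plus an HMAC tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def unseal(key, ticket):
    """Model of decrypting: the payload if `key` is the sealing key, else None."""
    body, _, tag = ticket.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None


class KdcError(Exception):
    """Stands in for the KRB-ERROR the RODC returns in step 4 (constructed text)."""


class WritableDC:
    name = "WDC1"

    def __init__(self, krbtgt_key):
        self.key = krbtgt_key

    def as_req(self, principal):
        return seal(self.key, {"cname": principal, "issuer": self.name})

    def tgs_req(self, tgt, service):
        t = unseal(self.key, tgt)
        if t is None:
            raise KdcError(f"{self.name}: cannot decrypt TGT")
        ticket = seal(SERVICE_KEYS[service], {"cname": t["cname"], "sname": service, "issuer": self.name})
        # As in a real KDC-REP, the cname travels in the clear next to the ticket.
        return {"cname": t["cname"], "ticket": ticket}


class ReadOnlyDC:
    name = "RODC1"

    def __init__(self, krbtgt_key, wdc, cached_principals):
        self.key, self.wdc, self.cached = krbtgt_key, wdc, set(cached_principals)

    def as_req(self, principal):
        if principal in self.cached:          # steps 6-7: TGT under the RODC's own krbtgt
            return seal(self.key, {"cname": principal, "issuer": self.name})
        return self.wdc.as_req(principal)     # assumption: uncached principals are proxied to WDC1

    def tgs_req(self, tgt, service):
        t = unseal(self.key, tgt)
        if t is not None:                     # step 9: the TGT is ours, serve the request locally
            ticket = seal(SERVICE_KEYS[service], {"cname": t["cname"], "sname": service, "issuer": self.name})
            return {"cname": t["cname"], "ticket": ticket}
        rep = self.wdc.tgs_req(tgt, service)  # steps 2-3: cannot decrypt, forward to WDC1
        if rep["cname"] in self.cached:       # step 4: error instead of WDC1's service ticket
            raise KdcError(f"{self.name}: TGT issued by {self.wdc.name}; re-authenticate to {self.name}")
        return rep                            # assumption: uncached principals get WDC1's reply relayed


def naive_client(rodc, wdc, principal, service):
    """Client that gives up on the step-4 error (the behaviour the post worries about)."""
    tgt = wdc.as_req(principal)               # step 1: TGT previously issued by WDC1
    try:
        return rodc.tgs_req(tgt, service)
    except KdcError:
        return None


def retrying_client(rodc, wdc, principal, service):
    """Client that follows steps 5-9: drop the WDC1 TGT, AS_REQ to RODC1, TGS_REQ again."""
    tgt = wdc.as_req(principal)
    try:
        return rodc.tgs_req(tgt, service)
    except KdcError:
        tgt = rodc.as_req(principal)          # steps 5-7
        return rodc.tgs_req(tgt, service)     # steps 8-9


def build_domain():
    wdc = WritableDC(KRBTGT_WDC1)
    rodc = ReadOnlyDC(KRBTGT_RODC1, wdc, cached_principals={"BobKelly"})
    return wdc, rodc


def issuer_of(rep, service):
    """Which KDC issued the service ticket in `rep` (unsealed with the service's key)."""
    return unseal(SERVICE_KEYS[service], rep["ticket"])["issuer"]


if __name__ == "__main__":
    wdc, rodc = build_domain()
    svc = "ldap/rodc1.example.com"
    print("cached user, naive client   :", naive_client(rodc, wdc, "BobKelly", svc))
    print("cached user, retrying client:", issuer_of(retrying_client(rodc, wdc, "BobKelly", svc), svc))
    print("uncached user, naive client :", issuer_of(naive_client(rodc, wdc, "Alice", svc), svc))
```

The model makes the point of the post concrete: with the cached principal, only the client that re-runs AS_REQ against RODC1 ends up with a service ticket, and that ticket comes from RODC1; a client that stops at the step-4 error gets nothing, whereas an uncached principal never hits the error because RODC1 simply relays WDC1's reply (an assumption of this model).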
