It worked great!! Thanks!

________________________________________
From: Tom Yu [[email protected]]
Sent: 19 April 2012 23:01
To: Sebastian Galiano
Cc: [email protected]
Subject: Re: Kerberos, Windows2008 RODC and ticket forwarding Problem
Sebastian Galiano <[email protected]> writes:

> Ok. I followed your indications. I have the 02 LL, being LL 01. So only one
> byte is highlighted: 05.
> So, it is not a long value... it doesn't correspond with your problem
> description, but I've been comparing the captures of my two tests:
>
> 1. Not forwarding cross-realm authentication directly from the ssh server
> to access the NFS server (using RODC W2008). Result: it works.
> 2. Ticket forwarding cross-realm authentication from my desktop computer
> using a regular W2008 DC to the ssh server, and then from there trying to access
> the NFS server, but this time requesting the service ticket from a RODC using
> the forwarded ticket from my W2008 server. Result: it doesn't work.
>
> For me the main difference is that the field Name-Type is not being set. In
> the first case the Name-Type is set to Service and Instance in the TGS
> Request. In the second case it is set to unknown, and Windows Server 2008 R2 RODC
> insists on TGS principal names having the name type.
>
> Could it be that the Name-Type must be set somewhere else?

It looks like krb5_fwd_tgt_creds doesn't currently set the name-type to
KRB5_NT_SRV_INST, so that is one possible problem. I will need to check the
other places that we format principal names for TGS-REQs, though it seems
that patching the fwd_tgt_creds location might solve your specific problem:

diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index d602952..3ce8cfb 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -103,6 +103,12 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, 0))) goto errout; + /* + * Windows Server 2008 R2 RODC insists on TGS principal names having the + * right name type. + */ + krb5_princ_type(context, creds.server) = KRB5_NT_SRV_INST; + /* fetch tgt directly from cache */ context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES, ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
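Review bot: the added `krb5_princ_type(context, creds.server) = KRB5_NT_SRV_INST;` fixes only this call site, and the message itself says other places that format principal names for TGS-REQs still need checking; setting the type where the krbtgt principal is built (the call whose tail appears as `0))) goto errout;` just above the hunk) would cover every caller of that name instead of patching one consumer. The new comment could also say why NT-SRV-INST is "the right name type": RFC 4120 assigns NT-SRV-INST to service names with a unique instance, krbtgt included, so a reader later does not mistake this for a Windows-only quirk.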
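To make the symptom Sebastian saw in his captures concrete (a krbtgt sname in the TGS-REQ carrying name-type unknown instead of Service and Instance), here is an added example, not code from the krb5 project or from this thread, that decodes a DER PrincipalName as defined in RFC 4120 and flags a krbtgt name whose name-type is not NT-SRV-INST. The sample bytes are constructed by the small encoder in the block, and short-form DER lengths are assumed throughout.

```python
# Added example, not krb5 project code. Decodes the DER PrincipalName
# (RFC 4120 section 5.2.2) found as sname in a TGS-REQ and reports a krbtgt
# name whose name-type is not NT-SRV-INST. Assumes short-form DER lengths.

NT_UNKNOWN = 0   # KRB5_NT_UNKNOWN: what the capture showed before the fix
NT_SRV_INST = 2  # KRB5_NT_SRV_INST: the type a krbtgt/REALM name should carry


def _tlv(tag, body):
    """DER tag-length-value, short-form length only (body shorter than 128)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def encode_principal_name(name_type, parts):
    """PrincipalName ::= SEQUENCE { [0] Int32 name-type, [1] SEQUENCE OF KerberosString }."""
    assert 0 <= name_type < 128          # one-byte INTEGER suffices for the sample
    nt = _tlv(0xA0, _tlv(0x02, bytes([name_type])))
    strings = b"".join(_tlv(0x1B, p.encode("ascii")) for p in parts)  # 0x1B: GeneralString
    return _tlv(0x30, nt + _tlv(0xA1, _tlv(0x30, strings)))


def _read_tlv(buf, pos, expect_tag):
    """Read one TLV at pos, verify its tag, return (value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != expect_tag:
        raise ValueError(f"expected tag {expect_tag:#x}, got {tag:#x}")
    if length & 0x80:
        raise ValueError("long-form length not supported by this example")
    start = pos + 2
    return buf[start:start + length], start + length


def decode_principal_name(der):
    """Return (name_type, [name-string parts]) from a DER PrincipalName."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after PrincipalName")
    nt_body, pos = _read_tlv(body, 0, 0xA0)
    int_bytes, _ = _read_tlv(nt_body, 0, 0x02)
    name_type = int.from_bytes(int_bytes, "big", signed=True)
    ns_body, _ = _read_tlv(body, pos, 0xA1)
    seq, _ = _read_tlv(ns_body, 0, 0x30)
    parts, p = [], 0
    while p < len(seq):
        s, p = _read_tlv(seq, p, 0x1B)
        parts.append(s.decode("ascii"))
    return name_type, parts


def check_tgs_sname(der):
    """Diagnostic string for a krbtgt sname with the wrong name-type, else None."""
    name_type, parts = decode_principal_name(der)
    if parts and parts[0] == "krbtgt" and name_type != NT_SRV_INST:
        return f"sname {'/'.join(parts)} has name-type {name_type}; RODC expects NT-SRV-INST ({NT_SRV_INST})"
    return None


# Constructed samples (realm name is made up): the unknown-typed name from the
# failing capture, and the same name as the patch would now send it.
BAD_SNAME = encode_principal_name(NT_UNKNOWN, ["krbtgt", "WINDOWS.EXAMPLE"])
GOOD_SNAME = encode_principal_name(NT_SRV_INST, ["krbtgt", "WINDOWS.EXAMPLE"])
```

Feeding `check_tgs_sname` the sname bytes extracted from a TGS-REQ capture reproduces the Name-Type comparison Sebastian did by hand.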
