Hi Andrew:
Please let me know if the following document changes answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to 
provide feedback on your case you may contact my manager at 
allis...@microsoft.com


-----Original Message-----
From: Obaid Farooqi 
Sent: Tuesday, April 12, 2011 4:06 PM
To: 'Andrew Bartlett'
Cc: cifs-proto...@samba.org; MSSolve Case Email
Subject: RE:[REG:111020250601482] RE: Please provide windows behaviour notes on 
MS-KILE's reference to Referrals-11

Hi Andrew:
The modifications to the document resulting from your request are now complete. 
In a future version of [MS-KILE], the following changes will be incorporated:

Section 3.2.1
------------------
The following explanation will be added at the beginning of the section:

“KILE client has the following configuration setting for non-KILE realms:
RealmCanonicalize SHOULD be initialized in an implementation specific way. 
Implementations that use the Windows registry to persistently store and 
retrieve the RealmCanonicalize variable SHOULD use the 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<REALM>
registry path where <REALM> is the name of the realm and RealmFlags key bit 
0x8 is set when the non-KILE realm supports canonicalization.”

Section 3.2.5.1
-------------------
The following sentence:

“Clients SHOULD set the canonicalize flag ([RFC4120] section 5.4.1).”

will be replaced by:

“Clients SHOULD set the canonicalize flag ([RFC4120] section 5.4.1 & 
[Referrals] Section 3). For non-KILE realms, if RealmCanonicalize is not set 
for the realm the client SHOULD NOT set the canonicalize flag ([RFC4120] 
section 5.4.1).”

Section 3.3.5.1
-------------------
The following sentence:

“KILE KDCs SHOULD<28> ignore the canonicalize flag except for referrals 
[Referrals-11].”

will be replaced by:

“If the canonicalize flag ([RFC4120] section 5.4.1) is set, KILE KDCs SHOULD 
return krbtgt/FQDN for the domain. KILE KDCs SHOULD canonicalize principals 
unless:
* The canonicalize flag ([RFC4120] section 5.4.1) is not set.
* The server principal is kadmin/changepw.
* The account is marked as DES only.”


Section 6
-------------
The following behavior note will be removed:

“<28> Section 3.3.5.1: Windows 2000 KDCs will canonicalize the name in the 
resulting ticket, based on the name of the account that is ultimately used in 
AD.
Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KDCs do 
not honor the canonicalize flag except for referrals [Referrals-11], and they 
do not perform any canonicalization.”


Regards,
Obaid Farooqi
Escalation Engineer | Microsoft



-----Original Message-----
From: Andrew Bartlett [mailto:abart...@samba.org]
Sent: Thursday, February 10, 2011 4:36 PM
To: Obaid Farooqi
Cc: cifs-proto...@samba.org; MSSolve Case Email
Subject: Re: RE:[REG:111020250601482] Please provide windows behaviour notes on 
MS-KILE's reference to Referrals-11

On Thu, 2011-02-10 at 22:20 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I am in the process of filing a document bug for this issue but in the 
> meantime here is the reason why Windows Server 2003 behaves this way and how 
> Windows KDC deals with it.
> 
> Windows Server 2003 has a test in the code that test if there is a referral 
> loop. Here is what happens:
> 
> My domain name is S4DOM.NET and the NETBIOS name is S4DOM. In this scenario, 
> due to referral, there are two TGT’s. One returned in AS Response will be 
> referred to as TGT1 and the one returned in the TGS response will be referred 
> to as TGT2. 
> For this discussion, I’ll use Sname as servicename/hostname where host name 
> is either <DNS domain name> or <NETBIOS domain name>.
> 
> Here is what happens:
> 1. WS2k3 client sends AS Request with Realm = s4dom and Sname = 
> krbtgt/s4dom
> 2. In AS Response, Samba KDC sends TGT1. TGT1 contains Realm = s4dom.net 
> and Sname = krbtgt/s4dom
> 3. WS2k3 sends a TGS request with Realm = s4dom and Sname = krbtgt/s4dom.net
> 4. Samba KDC sends the TGS response that contains TGT2. In TGT2, Realm is 
> s4dom.net and sname is krbtgt/s4dom.net
> 
> 
> Windows 2003 checks for referral loop as follows:
> 
> 
> (Realm in TGT1 == hostname in TGT2) AND !(hostname in TGT1 == hostname in TGT2)

Just so I'm clear, hostname in your examples here is the realm component
of a krbtgt principal? i.e. krbtgt/<hostname>@<REALM>?

> If the expression evaluates to TRUE, a loop is detected and the error you are 
> observing is shown to the user.
> 
> Clients of Windows Vista and onwards do not make this check.
> 
> Windows KDC deals with this situation by making both Realm in TGT1 and 
> hostname in TGT1 the same (s4dom.net in this case). 
> This causes the client to send a TGS Request with Realm and hostname as s4dom.net. 
> The KDC sends a TGS response with Realm in TGT2 being equal to hostname in TGT2 
> (s4dom.net in this case), so the expression mentioned above evaluates to 
> FALSE and no referral loop is detected.
> 
> You probably know it already, but I'll mention it just for completeness. I 
> can log in by using administra...@s4dom.net on WS2k3 client when KDC is Samba.

Yep, and it gave me great relief that it wasn't something more fundamental, but 
we have some proprietary products running on Windows that seem to trigger the 
alternate login, which is what was getting us stuck. 

> I’ll update you as soon as I have the changes in the document. Please let me 
> know if it answers your question.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
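The Windows Server 2003 referral-loop check quoted above, modelled as a small script so the two KDC behaviours discussed in the thread (Samba returning krbtgt/s4dom in TGT1 versus Windows returning krbtgt/s4dom.net) can be compared side by side. This is an added example written for this page, not code from Samba, Windows or the MS-KILE document; it assumes name comparisons are case-insensitive, since the thread mixes S4DOM.NET and s4dom.net.

```python
# Added example modelling the WS2k3 client-side referral-loop heuristic from
# the thread. Not Samba or Windows code. Assumption: comparisons are
# case-insensitive (the thread writes both S4DOM.NET and s4dom.net).
from dataclasses import dataclass


@dataclass(frozen=True)
class Tgt:
    """The two fields of a TGT that the loop check looks at."""
    realm: str   # Realm field of the ticket, e.g. "s4dom.net"
    sname: str   # Server principal, e.g. "krbtgt/s4dom.net"

    @property
    def hostname(self) -> str:
        """'hostname' as the thread uses it: the second component of
        krbtgt/<hostname>, i.e. the realm named inside the krbtgt principal."""
        service, _, host = self.sname.partition("/")
        if service.casefold() != "krbtgt" or not host:
            raise ValueError(f"not a krbtgt principal: {self.sname!r}")
        return host


def _same(a: str, b: str) -> bool:
    return a.casefold() == b.casefold()


def referral_loop_detected(tgt1: Tgt, tgt2: Tgt) -> bool:
    """(Realm in TGT1 == hostname in TGT2) AND !(hostname in TGT1 == hostname in TGT2)"""
    return _same(tgt1.realm, tgt2.hostname) and not _same(tgt1.hostname, tgt2.hostname)


# Scenario from the thread: Samba KDC answers the AS-REQ for krbtgt/s4dom with a
# TGT whose realm is the DNS name while the sname keeps the NetBIOS name.
SAMBA_TGT1 = Tgt(realm="s4dom.net", sname="krbtgt/s4dom")
SAMBA_TGT2 = Tgt(realm="s4dom.net", sname="krbtgt/s4dom.net")

# Windows KDC behaviour: realm and krbtgt hostname in TGT1 are both the DNS name,
# so the client's follow-up TGS request and TGT2 use s4dom.net throughout.
WINDOWS_TGT1 = Tgt(realm="s4dom.net", sname="krbtgt/s4dom.net")
WINDOWS_TGT2 = Tgt(realm="s4dom.net", sname="krbtgt/s4dom.net")


def samba_case() -> bool:
    return referral_loop_detected(SAMBA_TGT1, SAMBA_TGT2)      # True: spurious loop error


def windows_case() -> bool:
    return referral_loop_detected(WINDOWS_TGT1, WINDOWS_TGT2)  # False: login proceeds


if __name__ == "__main__":
    print("Samba KDC   -> loop detected:", samba_case())
    print("Windows KDC -> loop detected:", windows_case())
```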


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
