Hello,
I'm starting to work on my thesis about 'More types of replicas in FreeIPA' again. One of the main problems is the way the read-only replicas should deal with the KDC, because they're not supposed to possess the Kerberos (krb) master key. The task was to investigate how this is solved in Active Directory and its Read Only Domain Controllers.

I found out that the basics of RODC behaviour are described on the TechNet page (http://technet.microsoft.com/en-us/library/cc754218%28v=ws.10%29.aspx).

Login situation:
RODC by default forwards the KRB requests to the DC. RODC then forwards the response back to the client and also requests the password to be replicated to RODC. Both the user and his host must be members of the 'Allowed RODC Password Replication' group in order to let the user's passwords be replicated to RODCs.

Request services that the RODC doesn't have credentials for:
Client sends TGS-REQ to RODC. RODC can read the TGT in the request, but doesn't have credentials for the service. So the request is forwarded to the DC. DC can decrypt the TGT that was created by RODC and sends back the TGS-RES that is forwarded to the client (but it does not trust the RODC, so it recalculates the privilege attribute certificate). RODC does not cache the credentials for the service.

During my experiments the credentials got replicated to the RODC on the first logon of the user. The user's KRB requests were first forwarded to the DC. When the user got krbtgt and TGS for host, ldap and cifs, his TGT was revoked by RODC. He ran through the auth process again, but this time the requests were served by RODC only - no forwarding - and no TGS for host was requested.

Unfortunately I still cannot recognize how the keys are processed. There's barely any RPC communication - only one DCERPC packet exchange between RODC and DC that takes place when the user sends his first TGS request (this exchange also happens for clients with replication disabled).

It looks to me like the DC knows all the RODC keys. According to Technet, the MS implementation of Kerberos is able to recognize the key owner from the Key Version Number value.

I think I can't get more info from the network traffic examination. Do you have any ideas or hints on further investigation of the problem?

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
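The kvno-based key selection mentioned in the post, as an added illustration that is not part of the mailing-list thread: by my reading of [MS-KILE], the krbtgt_<branch-id> account of each RODC gets a Key Version Number whose upper 16 bits carry the RODC's branch ID and whose lower 16 bits carry the real key version, so a full DC (which holds every krbtgt_* key) can pick the right key for an RODC-issued TGT, while an RODC holding only its own key has to forward anything else. The keys, branch IDs and ticket layout below are constructed sample data, and an HMAC stands in for the real ticket encryption; both are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample key material (not real AD keys). A full DC holds the domain
# krbtgt key plus one krbtgt_<branch-id> key per RODC; an RODC holds only its own.
FULL_DC_KEYS: Dict[str, bytes] = {
    "krbtgt": b"domain-krbtgt-key-constructed",
    "krbtgt_1234": b"rodc-1234-krbtgt-key-constructed",
    "krbtgt_5678": b"rodc-5678-krbtgt-key-constructed",
}
RODC_1234_KEYS: Dict[str, bytes] = {"krbtgt_1234": FULL_DC_KEYS["krbtgt_1234"]}


def encode_rodc_kvno(branch_id: int, version: int) -> int:
    """Pack an RODC branch ID (upper 16 bits) and key version (lower 16 bits).

    Assumed layout per [MS-KILE]; a plain domain krbtgt key has branch ID 0.
    """
    if not 0 < branch_id < 0x10000 or not 0 <= version < 0x10000:
        raise ValueError("branch_id and version must each fit in 16 bits")
    return (branch_id << 16) | version


def split_kvno(kvno: int) -> Tuple[int, int]:
    """Return (branch_id, version) for a kvno; branch_id 0 means the domain krbtgt."""
    return (kvno >> 16) & 0xFFFF, kvno & 0xFFFF


def krbtgt_account_for(kvno: int) -> str:
    """Name the account whose key sealed a TGT with this kvno."""
    branch_id, _ = split_kvno(kvno)
    return "krbtgt" if branch_id == 0 else f"krbtgt_{branch_id}"


def seal_ticket(keys: Dict[str, bytes], account: str, kvno: int, payload: bytes) -> dict:
    """Stand-in for TGT encryption: MAC the payload under the issuing account's key."""
    mac = hmac.new(keys[account], payload, hashlib.sha256).hexdigest()
    return {"kvno": kvno, "payload": payload, "mac": mac}


def open_ticket(keys: Dict[str, bytes], ticket: dict) -> Optional[bytes]:
    """Return the payload if this KDC holds the key the kvno names and the MAC
    verifies; None means the ticket cannot be handled locally."""
    key = keys.get(krbtgt_account_for(ticket["kvno"]))
    if key is None:
        return None
    expected = hmac.new(key, ticket["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["mac"]):
        return None
    return ticket["payload"]


def kdc_decision(keys: Dict[str, bytes], ticket: dict) -> str:
    """Mirror the forwarding rule from the post: serve what we can open, forward the rest."""
    return "serve locally" if open_ticket(keys, ticket) is not None else "forward to full DC"


if __name__ == "__main__":
    rodc_tgt = seal_ticket(RODC_1234_KEYS, "krbtgt_1234",
                           encode_rodc_kvno(1234, 2), b"cname=alice")
    domain_tgt = seal_ticket(FULL_DC_KEYS, "krbtgt", 3, b"cname=bob")
    print("full DC, RODC-issued TGT:", kdc_decision(FULL_DC_KEYS, rodc_tgt))
    print("RODC 1234, domain TGT:   ", kdc_decision(RODC_1234_KEYS, domain_tgt))
    print("RODC 1234, own TGT:      ", kdc_decision(RODC_1234_KEYS, rodc_tgt))
```

The point of the split is that the full DC never has to guess which key to try: the kvno alone names the issuing krbtgt_* account, and an RODC presented with a kvno outside its own branch knows immediately that it lacks the key and must forward, which matches the "first TGS request is forwarded" behaviour seen in the experiments.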