Hello,
I'm starting to work on my thesis about 'More types of replicas in
FreeIPA' again. One of the main problems is how the read-only replicas
should deal with the KDC, because they're not supposed to possess the
Kerberos (krb) master key. The task was to investigate how this is
solved in Active Directory and its Read Only Domain Controllers.
I found out that the basics of RODC behaviour are described on the
technet page
(http://technet.microsoft.com/en-us/library/cc754218%28v=ws.10%29.aspx).
Login situation:
The RODC by default forwards the KRB requests to the DC. The RODC then
forwards the response back to the client and also requests the password
to be replicated to the RODC. Both the user and his host must be members
of the 'Allowed RODC Password Replication' group in order to let the
user's passwords be replicated to RODCs.
Request services that the RODC doesn't have credentials for:
The client sends a TGS-REQ to the RODC. The RODC can read the TGT in the
request, but doesn't have credentials for the service, so the request is
forwarded to the DC. The DC can decrypt the TGT that was created by the
RODC and sends back the TGS-REP, which is forwarded to the client (but
it does not trust the RODC, so it recalculates the privilege attribute
certificate). The RODC does not cache the credentials for the service.
During my experiments the credentials got replicated to the RODC on the
first logon of the user. The user's KRB requests were first forwarded
to the DC. When the user got the krbtgt and TGS for host, ldap and cifs,
his TGT was revoked by the RODC. He ran through the auth. process again,
but this time the requests were served by the RODC only - no forwarding
- and no TGS for host was requested.
Unfortunately I still cannot recognize how the keys are processed.
There's barely any RPC communication - only one DCERPC packet exchange
between the RODC and the DC, which takes place when the user sends his
first TGS request (this exchange happens also for clients with disabled
replication).
It looks to me like the DC knows all the RODC keys. According to
Technet, the MS implementation of Kerberos is able to recognize the key
owner from the Key Version Number value.
I think I can't get more info from the network traffic examination. Do
you have any ideas or hints on further investigation of the problem?
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
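As an added illustration that is not part of the original mail, the following constructed Python model replays the behaviour described above: the RODC serves an AS-REQ locally only for accounts whose secrets it has cached, forwards everything else to the DC and asks for replication (which succeeds only for members of the allowed group), refuses a TGT it did not issue so the client re-authenticates, and forwards TGS-REQs for services it has no credentials for. The kvno encoding (upper 16 bits naming the issuing key owner, 0 for the writable DC), the account names and the secrets are assumptions for the model, not taken from the mail or from Microsoft's implementation.

```python
from dataclasses import dataclass, field

@dataclass
class Ticket:
    principal: str
    kvno: int  # constructed encoding: upper 16 bits = issuing key owner (0 = writable DC)

def key_owner(kvno: int) -> int:
    """Recover which key owner issued a ticket from its kvno (model assumption)."""
    return kvno >> 16

@dataclass
class DC:
    """Writable DC: holds the main krbtgt key and every RODC's own krbtgt key."""
    rodc_ids: set

    def can_decrypt(self, t: Ticket) -> bool:
        owner = key_owner(t.kvno)
        return owner == 0 or owner in self.rodc_ids

@dataclass
class RODC:
    rodc_id: int
    dc: DC
    allowed: set                              # 'Allowed RODC Password Replication' members
    cache: dict = field(default_factory=dict) # principal -> cached secret
    forwarded: list = field(default_factory=list)

    def as_req(self, user: str):
        """AS-REQ: answer from the cache, otherwise forward to the DC and ask for replication."""
        if user in self.cache:
            return Ticket(user, (self.rodc_id << 16) | 1), "local"
        self.forwarded.append(("AS", user))
        if user in self.allowed:              # replication is granted only for allowed accounts
            self.cache[user] = f"constructed-secret-{user}"
        return Ticket(user, 1), "forwarded"   # ticket issued with the DC's krbtgt key

    def tgs_req(self, tgt: Ticket, service: str):
        """TGS-REQ: a TGT not issued with this RODC's key is refused (client re-authenticates);
        a service without cached credentials is forwarded to the DC, which rebuilds the PAC."""
        if key_owner(tgt.kvno) != self.rodc_id:
            return None, "revoked"
        if service in self.cache:
            return Ticket(service, (self.rodc_id << 16) | 1), "local"
        self.forwarded.append(("TGS", service))
        if not self.dc.can_decrypt(tgt):      # the DC knows the RODC key, so this holds
            return None, "dc-cannot-decrypt"
        return Ticket(service, 1), "forwarded"  # service credentials are not cached
```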