Hi, I've been trying to set up two different KDCs with realms A.COM and B.COM and I'm now stuck with a TGS referral problem. I've set up a Windows XP installation to use a KDC for realm A.COM. That works like a charm. I can do a logon and the KDC also issues all kinds of service tickets within realm A.COM (I tried with Squid and SSH). I have configured the MIT KDC (1.7) for cross-realm authentication with realm B.COM. If I use ssh on the same host that the KDC for A.COM is running on, I can do cross-realm authentication to services in realm B.COM. But if I try to do this from Windows XP, this doesn't work.
The problem is that Windows doesn't know anything about domain-realm mappings. So I tried to inform XP about it, but without any success (DNS SRV records for KDCs and TXT records for the realm mapping are set). So Windows keeps asking for tickets of the form host/[email protected] instead of host/[email protected]. I've been reading about this new feature of TGS referrals, where the KDC responds with a cross-realm ticket for the KDC in B.COM when asked (TGS) for a service ticket for a host known to be in realm B.COM, but the KDC of realm A.COM only keeps complaining that the principal cannot be found ...

I'm aware that in the TGS request bit 15 for canonicalize must be set, so I configured the realm settings with ksetup /setrealmflags A.COM 0x8. Then I checked with Wireshark that this bit is actually set. But the KDC keeps refusing to send me a TGS referral for realm B.COM ... I'm using an MIT KRB5 build from Gentoo Linux (32-bit) (1.7-r2).

Has somebody successfully configured any MIT KRB5 version (most likely >= 1.7) with TGS referrals?

Best regards,
Michael Waldvogel

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
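The check the post describes doing in Wireshark, whether bit 15 (canonicalize) of KDCOptions is set in the TGS-REQ, can also be done offline on the raw DER bytes. This is an added example, not code from the post or from MIT krb5; the two sample KDCOptions values are constructed, not taken from a real capture.

```python
"""Decode the KDCOptions flags of a TGS-REQ (RFC 4120, section 5.4.1).

KDCOptions is an ASN.1 BIT STRING. Bit 0 is the most significant bit
of the first payload octet, so "canonicalize" (bit 15) is the least
significant bit of the second payload octet. Sample bytes are constructed.
"""

# Flag names keyed by RFC 4120 bit number (only the assigned bits).
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize", 16: "request-anonymous",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}


def der_bit_string_payload(der):
    """Return the payload octets of a short-form DER BIT STRING (tag 0x03)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80:  # long-form length never occurs for a 32-bit KDCOptions
        raise ValueError("unexpected long-form length")
    if len(der) != 2 + length:
        raise ValueError("length mismatch")
    if der[2] != 0:  # first payload byte counts unused trailing bits
        raise ValueError("KDCOptions must have no unused bits")
    return der[3:]


def decode_kdc_options(der):
    """Set of flag names that are on, using RFC 4120 bit numbering."""
    payload = der_bit_string_payload(der)
    if len(payload) != 4:
        raise ValueError("KDCOptions is a 32-bit string")
    flags = set()
    for bit, name in KDC_OPTION_BITS.items():
        octet, shift = divmod(bit, 8)
        if payload[octet] & (0x80 >> shift):  # bit 0 is the MSB of octet 0
            flags.add(name)
    return flags


def canonicalize_requested(der):
    """True when bit 15 is set, i.e. the client allows a TGS referral."""
    return "canonicalize" in decode_kdc_options(der)


# Constructed sample: forwardable, renewable, canonicalize, renewable-ok.
SAMPLE_WITH_CANON = bytes.fromhex("03 05 00 40 81 00 10")
# Same request with bit 15 clear, as seen when the realm flag is not set.
SAMPLE_NO_CANON = bytes.fromhex("03 05 00 40 80 00 10")

if __name__ == "__main__":
    print(sorted(decode_kdc_options(SAMPLE_WITH_CANON)))
```

Feed it the bytes of the `kdc-options` field copied from Wireshark's packet bytes pane; if `canonicalize` is missing from the result, the KDC was never asked for a referral and the realm flags are the first thing to recheck.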
