Looking into the captures, I noticed that in the TGS-REQ packets the NAME-TYPE is Unknown in both cases (Forwarded and not Forwarded Ticket). But in the forwarded ticket capture I don't see any AS-REQ.

Could it be that this is what is causing the KRB5KRB_AP_ERR_BAD_INTEGRITY?

________________________________________
From: Sebastian Galiano
Sent: 13 April 2012 08:58
To: [email protected]
Subject: RE: Kerberos, Windows2008 RODC and ticket forwarding Problem

I found more information regarding my problem:
http://lists.samba.org/archive/samba-technical/2010-September/073566.html

The thing is that this problem has been patched and it works. In fact I found the code in krb5lib's current version source code that does the trick, in the file get_in_tkt.c:

    /*
     * Windows Server 2008 R2 RODC insists on TGS principal names having the
     * right name type.
     */
    if (krb5_princ_size(context, *server) == 2 &&
        data_eq_string(*krb5_princ_component(context, *server, 0),
                       KRB5_TGS_NAME)) {
        krb5_princ_type(context, *server) = KRB5_NT_SRV_INST;
    }
    return 0;
    }

This sets the right type for NAME-TYPE; unfortunately it doesn't seem to work when I'm using a forwarded ticket. The name type in the request when the ticket is forwarded keeps being Unknown, unlike when the ticket is granted from the machine, when it is Service and Instance.

________________________________________
From: [email protected] [[email protected]] on behalf of Sebastian Galiano [[email protected]]
Sent: 12 April 2012 11:12
To: [email protected]
Subject: Kerberos, Windows2008 RODC and ticket forwarding Problem

Hello,

I'm having some problems getting Kerberos to work. I have two realms: one realm running on Windows 2008 (WINDOWS), with one KDC and an RODC (the RODC is in a separate network). I am testing cross-realm ticket forwarding. The second realm is a Linux realm (LINUX) running on Scientific Linux 6.1. All the Linux machines are using the same Kerberos libraries:

krb5-libs-1.9.2-6.fc16.x86_64
krb5-libs-1.9.2-6.fc16.i686
krb5-workstation-1.9.2-6.fc16.x86_64

So from my Fedora desktop computer I kinit with a WINDOWS realm user, and from there I ssh to my server. The SSH server principal is created in the LINUX realm. This works smoothly.

I also have an NFS 4 server kerberized and declared in the LINUX realm. So from the SSH server (NFS client), I mount the folder and try to access it, getting a permission denied message.

I've captured the traffic from my SSH server (NFS client) at the moment of accessing the NFS folder. I've noticed the following error:

KRB_AP_ERR_BAD_INTEGRITY

Also I noticed that the Name-Type inside the request packet is Unknown. After some browsing on the internet, it seems that W2008 RODC needs the Name-Type to be set, and in fact this has been patched in Kerberos.

What is more, if I don't do ticket forwarding, so I kinit the user from the SSH server (NFS client), and access the folder, it works!

Could it be that the current implementation of Kerberos is not setting the Name-Type for forwarded tickets?

Regards
Sebastián Galiano
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
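To make the get_in_tkt.c check discussed in this thread concrete, here is an added example (not code from libkrb5 or from the thread) that reproduces the same test on a stand-in principal struct and applies it on a model of the forwarded-credential path, which is where the thread suspects the name type is left Unknown. The struct, the functions fix_tgs_name_type and tgs_request_server, and the sample principals are constructed for illustration; only the NAME-TYPE values are the ones defined in RFC 4120.

```c
#include <stdio.h>
#include <string.h>

/* NAME-TYPE values from RFC 4120 section 6.2 */
#define KRB5_NT_UNKNOWN   0
#define KRB5_NT_SRV_INST  2
#define KRB5_TGS_NAME     "krbtgt"
#define MAX_COMPONENTS    4

/* Stand-in for libkrb5's krb5_principal (constructed for this example). */
typedef struct {
    const char *realm;
    int         type;                        /* NAME-TYPE sent on the wire */
    int         ncomponents;
    const char *components[MAX_COMPONENTS];
} principal;

/* Same test as the get_in_tkt.c excerpt in the thread: a two-component
 * krbtgt/REALM server name must carry NT-SRV-INST, or a 2008 R2 RODC
 * rejects the request. Returns 1 if the type was corrected, 0 otherwise. */
int fix_tgs_name_type(principal *server)
{
    if (server->ncomponents == 2 &&
        strcmp(server->components[0], KRB5_TGS_NAME) == 0 &&
        server->type != KRB5_NT_SRV_INST) {
        server->type = KRB5_NT_SRV_INST;
        return 1;
    }
    return 0;
}

/* Model (an assumption, not libkrb5 code) of the forwarded-credential path:
 * the server name is copied from the forwarded TGT, type included, instead
 * of being built by the AS-REQ code, so the normalisation is applied here. */
principal tgs_request_server(const principal *forwarded_tgt_server)
{
    principal server = *forwarded_tgt_server;  /* NAME-TYPE copied as-is */
    fix_tgs_name_type(&server);
    return server;
}

int main(void)
{
    /* Constructed sample: a forwarded krbtgt/WINDOWS ticket with NT-UNKNOWN. */
    principal fwd = { "WINDOWS", KRB5_NT_UNKNOWN, 2, { KRB5_TGS_NAME, "WINDOWS" } };
    principal srv = tgs_request_server(&fwd);
    printf("krbtgt/%s NAME-TYPE: %d -> %d\n", fwd.components[1], fwd.type, srv.type);
    return 0;
}
```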
