Re: some cross-realm trust questions

2010-12-26 Thread Nicolas Williams
On Sat, Dec 25, 2010 at 07:10:53AM +, Victor Sudakov wrote:
> 1. If a cross-realm trust is configured, do the realms' KDCs ever have to
> exchange any traffic between each other?

No, they do not.

Nico
-- 

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: some cross-realm trust questions

2010-12-26 Thread Russ Allbery
Victor Sudakov  writes:

> 2. Are there any success stories of servers in a Heimdal realm
> authenticating users from a trusted Microsoft AD-based realm?

Yes, we do this.

> Is there documentation on how to set up such a one-way trust?

We have a bidirectional trust, but I think the setup is substantially the
same.  It's just like a regular bidirectional trust, except you would then
delete the krbtgt principal for the Active Directory realm from the
Heimdal realm.

There's a section in the Heimdal manual on setting up cross-realm trust.
On the Active Directory side, I've not done it personally, but:

http://technet.microsoft.com/en-us/library/cc738617%28WS.10%29.aspx

looks like the right documentation, and I think you want one-way incoming
if I understand that properly.

-- 
Russ Allbery (r...@stanford.edu) 

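The following is an added illustration, not code from the thread or from Heimdal or MIT Kerberos. It models the two points made above: the KDCs of trusting realms never exchange traffic with each other (the cross-realm krbtgt key is provisioned out of band into both databases, and the client carries tickets between them), and a bidirectional trust becomes one-way by deleting the krbtgt principal for the other realm from one side. Realm names (AD.EXAMPLE, HEIMDAL.EXAMPLE), principals and keys are constructed; "encryption" is stood in for by recording which long-term key sealed a ticket.

```python
# Added illustration (not from the thread): a toy model of Kerberos cross-realm
# authentication. Realm names, principals and keys are constructed; "encryption"
# is modelled by recording which long-term key sealed a ticket, not by real crypto.
from dataclasses import dataclass

AD = "AD.EXAMPLE"        # constructed: the Active Directory realm
HD = "HEIMDAL.EXAMPLE"   # constructed: the Heimdal realm


@dataclass(frozen=True)
class Ticket:
    service: str      # service principal the ticket is for
    client: str       # client principal named in the ticket
    sealed_with: str  # stands in for encryption under the service's long-term key


class KDC:
    """One realm's KDC: a principal database plus the AS and TGS exchanges."""

    def __init__(self, realm, database):
        self.realm = realm
        self.db = dict(database)  # principal name -> long-term key
        self.name = "KDC:" + realm

    def as_exchange(self, client, log):
        """AS-REQ/AS-REP: a principal of this realm obtains its home TGT."""
        log.append((client, self.name, "AS-REQ"))
        local_tgs = f"krbtgt/{self.realm}@{self.realm}"
        tgt = Ticket(local_tgs, client, self.db[local_tgs])
        log.append((self.name, client, "AS-REP"))
        return tgt

    def tgs_exchange(self, client, tgt, service, log):
        """TGS-REQ/TGS-REP: verify the presented (possibly cross-realm) TGT with our
        own copy of its key, then issue a ticket for a service we hold a key for."""
        log.append((client, self.name, f"TGS-REQ {service}"))
        key = self.db.get(tgt.service)
        if key is None or key != tgt.sealed_with or tgt.client != client:
            log.append((self.name, client, "KRB-ERROR"))
            raise PermissionError(f"{self.realm} cannot verify {tgt.service}")
        if service not in self.db:
            log.append((self.name, client, "KRB-ERROR"))
            raise PermissionError(f"{self.realm} has no key for {service}")
        log.append((self.name, client, f"TGS-REP {service}"))
        return Ticket(service, client, self.db[service])


def build_realms(one_way=False):
    """Provision the two realms. The cross-realm krbtgt keys are set once, out of
    band, in both databases; the KDCs themselves never talk to each other."""
    ad_to_hd = "shared-key-A"  # krbtgt/HEIMDAL.EXAMPLE@AD.EXAMPLE: AD users -> Heimdal services
    hd_to_ad = "shared-key-B"  # krbtgt/AD.EXAMPLE@HEIMDAL.EXAMPLE: Heimdal users -> AD services
    ad_db = {
        f"krbtgt/{AD}@{AD}": "ad-local-tgs-key",
        f"krbtgt/{HD}@{AD}": ad_to_hd,
        f"krbtgt/{AD}@{HD}": hd_to_ad,
        f"cifs/dc.ad.example@{AD}": "dc-service-key",
    }
    hd_db = {
        f"krbtgt/{HD}@{HD}": "hd-local-tgs-key",
        f"krbtgt/{HD}@{AD}": ad_to_hd,
        f"krbtgt/{AD}@{HD}": hd_to_ad,
        f"host/web.heimdal.example@{HD}": "web-service-key",
    }
    if one_way:
        # The step described in the reply: drop the krbtgt principal *for the AD
        # realm* from the Heimdal database, so Heimdal can no longer refer its
        # own users into AD, while AD users can still reach Heimdal services.
        del hd_db[f"krbtgt/{AD}@{HD}"]
    return KDC(AD, ad_db), KDC(HD, hd_db)


def cross_realm_auth(client, home, remote, service, log):
    """Full client walk: home TGT -> cross-realm TGT (krbtgt/REMOTE@HOME) from the
    home KDC -> service ticket from the remote KDC. Every message has the client
    on one end; nothing here goes KDC to KDC."""
    tgt = home.as_exchange(client, log)
    xtgt = home.tgs_exchange(client, tgt, f"krbtgt/{remote.realm}@{home.realm}", log)
    return remote.tgs_exchange(client, xtgt, service, log)


def kdc_to_kdc_messages(log):
    """Count messages with a KDC on both ends (there should be none)."""
    return sum(1 for src, dst, _ in log
               if src.startswith("KDC:") and dst.startswith("KDC:"))


if __name__ == "__main__":
    ad, hd = build_realms(one_way=True)
    log = []
    t = cross_realm_auth(f"alice@{AD}", ad, hd, f"host/web.heimdal.example@{HD}", log)
    print("AD user obtained:", t.service)
    try:
        cross_realm_auth(f"bob@{HD}", hd, ad, f"cifs/dc.ad.example@{AD}", log)
    except PermissionError as err:
        print("Heimdal user refused:", err)
    print("KDC-to-KDC messages:", kdc_to_kdc_messages(log))
```

The message log is the point of the model: in both the bidirectional and the one-way configuration, every request and reply has the client on one end, which is why the KDCs need no network path to each other, only a shared krbtgt key established when the trust is set up.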


some cross-realm trust questions

2010-12-26 Thread Victor Sudakov
Colleagues, 

1. If a cross-realm trust is configured, do the realms' KDCs ever have to
exchange any traffic between each other?

2. Are there any success stories of servers in a Heimdal realm
authenticating users from a trusted Microsoft AD-based realm? Is there
documentation on how to set up such a one-way trust?

TIA.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/4...@fidonet http://vas.tomsk.ru/



Crash in gss_export_sec_context in krb5-1.8.1 on openSUSE 11.3

2010-12-26 Thread Markus Moeller
When I try to export a security context it sometimes crashes in:

gss_export_sec_context in g_exp_sec_context line 104

 102         return (GSS_S_UNAVAILABLE);
 103
 104     status = mech->gss_export_sec_context(minor_status,
 105                                           &ctx->internal_ctx_id, &token);
 106     if (status != GSS_S_COMPLETE) {
 107         map_error(minor_status, mech);
 108         return (status);
 109     }

krb5_gss_export_sec_context in export_sec_context.c line 66

  64     /* Determine size needed for externalization of context */
  65     bufsize = 0;
  66     if ((kret = kg_ctx_size(context, (krb5_pointer) ctx,
  67                             &bufsize)))
  68         goto error_out;

kg_ctx_size in ser_sctx.c line 361

 360     if (initiator_name) {
 361         kret = krb5_size_opaque(kcontext,
 362                                 KV5M_AUTHDATA_CONTEXT,
 363                                 initiator_name->ad_context,
 364                                 &required);
 365     }


krb5_size_opaque in serialize.c line 105

 103     /* See if the type is supported, if so, do it */
 104     if ((shandle = krb5_find_serializer(kcontext, odtype)))
 105         kret = (shandle->sizer) ? (*shandle->sizer)(kcontext, arg, sizep) : 0;
 106     return(kret);

krb5_authdata_context_size in authdata.c line 1131

1130
1131     code = k5_ad_size(kcontext, context, AD_USAGE_MASK, sizep);
1132     if (code != 0)
1133         return code;
1134

k5_ad_size in authdata.c line 162 (The reason is that context is 0, which
is initiator_name->ad_context.)

 162     for (i = 0; i < context->n_modules; i++) {
 163         struct _krb5_authdata_context_module *module = &context->modules[i];
 164         size_t size;
 165


I use an MIT KDC, so I would not expect authorization data.  Is this a known
bug in 1.8.1?

Markus 
