Date: Thu, 30 May 2013 13:03:34 +0200
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: Issue following client referral from AD
Hi,
I have two AD forests DOM1.FOO and DOM2.BAR. Besides DOM2.BAR there is
also the domain SUBDOM.SUB in the second forest. From a client joined to
domain DOM1.FOO I would like to get a TGT for a user from SUBDOM.SUB.
$ KRB5_TRACE=/dev/stdout KRB5_CONFIG=./krb5.conf KRB5CCNAME=FILE:./bla.ccfile kinit -C -E Administrator@SUBDOM.SUB
[22572] 1369910390.283695: Getting initial credentials for Administrator\@SUBDOM.SUB@DOM1.FOO
[22572] 1369910390.283983: Sending request (210 bytes) to DOM1.FOO
[22572] 1369910390.284096: Resolving hostname 10.34.47.82
[22572] 1369910390.284314: Sending initial UDP request to dgram 10.34.47.82:88
[22572] 1369910390.373825: Received answer from dgram 10.34.47.82:88
[22572] 1369910390.373883: Response was from master KDC
[22572] 1369910390.373927: Received error from KDC: -1765328316/Realm not local to KDC
[22572] 1369910390.373939: Following referral to realm dom2.bar
[22572] 1369910390.373997: Sending request (210 bytes) to dom2.bar (master)
kinit: Cannot resolve servers for KDC in realm "dom2.bar" while getting initial credentials
$ dig SRV _kerberos._udp.dom2.bar
; <<>> DiG 9.9.2-rl.028.23-P2-RedHat-9.9.2-7.P2.fc17 <<>> SRV _kerberos._udp.dom2.bar
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39100
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._udp.dom2.bar. IN SRV
;; ANSWER SECTION:
_kerberos._udp.dom2.bar. 516 IN SRV 0 100 88 ad2.dom2.bar.
;; ADDITIONAL SECTION:
ad2.dom2.bar. 3516 IN A 10.34.47.47
;; Query time: 84 msec
;; SERVER: 10.34.47.82#53(10.34.47.82)
;; WHEN: Thu May 30 12:50:44 2013
;; MSG SIZE rcvd: 100
AD does not care much about the case of the realm and returns it lower case in
the 'Realm not local to KDC' response. This wouldn't be a problem because
'dns_lookup_kdc = true' in krb5.conf and DNS does not care about the case
either.
But for some reason the master KDC is looked up and AD DNS does not define
service records for _kerberos-master._udp or _kerberos-master._tcp. Is there a
reason why a master KDC is required here or can it be replaced by a plain KDC
lookup?
If I add a section for the dom2.bar realm (and for SUBDOM.SUB in my case) to
krb5.conf including a master_kdc then everything works as expected:
$ KRB5_TRACE=/dev/stdout KRB5_CONFIG=./krb5.conf KRB5CCNAME=FILE:./bla.ccfile kinit -C -E Administrator@SUBDOM.SUB
[24304] 1369911570.127327: Getting initial credentials for Administrator\@SUBDOM.SUB@DOM1.FOO
[24304] 1369911570.127578: Sending request (210 bytes) to DOM1.FOO
[24304] 1369911570.366902: Resolving hostname ad1.dom1.foo.
[24304] 1369911570.462220: Sending initial UDP request to dgram 10.34.47.82:88
[24304] 1369911570.549903: Received answer from dgram 10.34.47.82:88
[24304] 1369911570.627685: Response was not from master KDC
[24304] 1369911570.627717: Received error from KDC: -1765328316/Realm not local to KDC
[24304] 1369911570.627725: Following referral to realm dom2.bar
[24304] 1369911570.627768: Sending request (210 bytes) to dom2.bar
[24304] 1369911570.627793: Resolving hostname 10.34.47.47
[24304] 1369911570.627936: Sending initial UDP request to dgram 10.34.47.47:88
[24304] 1369911570.715623: Received answer from dgram 10.34.47.47:88
[24304] 1369911570.715667: Response was from master KDC
[24304] 1369911570.715687: Received error from KDC: -1765328316/Realm not local to KDC
[24304] 1369911570.715694: Following referral to realm SUBDOM.SUB
[24304] 1369911570.715745: Sending request (214 bytes) to SUBDOM.SUB (master)
[24304] 1369911570.715760: Resolving hostname 10.34.47.53
[24304] 1369911570.715940: Sending initial UDP request to dgram 10.34.47.53:88
[24304] 1369911570.802514: Received answer from dgram 10.34.47.53:88
[24304] 1369911570.802549: Received error from KDC: -1765328359/Additional pre-authentication required
[24304] 1369911570.802589: Processing preauth types: 16, 15, 19, 2
[24304] 1369911570.802606: Selected etype info: etype rc4-hmac, salt "(null)", params ""
Password for Administrator\@SUBDOM.SUB@DOM1.FOO:
[24304] 1369911575.606320: AS key obtained for encrypted timestamp: rc4-hmac/A4BB
[24304] 1369911575.606376: Encrypted timestamp (for 1369911575.606329): plain 301AA011180F32303133303533303130353933355AA1050203094079, encrypted B5539C54568D309820C9FEB5080E873529C3FE88CD182311A7CF701A3E35A862071540C31612703A7C2C9E874A4369883DB51F08
[24304] 1369911575.606405: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Erfolg
[24304] 1369911575.606410: Produced preauth for next request: 2
[24304] 1369911575.606428: Sending request (290 bytes) to SUBDOM.SUB (master)
[24304] 1369911575.606462: Resolving hostname 10.34.47.53
[24304] 1369911575.606679: Sending initial UDP request to dgram 10.34.47.53:88
[24304] 1369911575.713066: Received answer from dgram 10.34.47.53:88
[24304] 1369911575.713118: Salt derived from principal: SUBDOM.SUBAdministrator
[24304] 1369911575.713131: AS key determined by preauth: rc4-hmac/A4BB
[24304] 1369911575.713170: Decrypted AS reply; session key is: aes256-cts/1BA3
[24304] 1369911575.713174: FAST negotiation: unavailable
[24304] 1369911575.713202: Initializing FILE:./bla.ccfile with default princ Administrator@SUBDOM.SUB
[24304] 1369911575.731159: Removing Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB from FILE:./bla.ccfile
[24304] 1369911575.731181: Storing Administrator@SUBDOM.SUB -> krbtgt/SUBDOM.SUB@SUBDOM.SUB in FILE:./bla.ccfile
To summarize, can the master KDC lookup be replaced by a simple KDC lookup while
following client referrals?
Thank you.
bye,
Sumit
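Added example (written for this page; it is not code from the report or from MIT krb5): a small Python model of the DNS SRV lookup that is in question here. It is fed with a constructed DNS snapshot taken from the dig answer quoted above, so it runs offline. `resolve_kdcs` with `master_only=True` reproduces the failing "(master)" send, which queries only `_kerberos-master` and gets nothing back because AD publishes no such record; `fallback_to_any=True` is the plain-KDC fallback the report asks for. `render_realm_stanza` writes out the `[realms]` workaround with an explicit `master_kdc`. The function names, the UDP-before-TCP ordering, and the `offline_srv_lookup` stand-in for a real resolver are assumptions of this example.

```python
"""Model of the DNS SRV lookup MIT krb5 performs when it follows a client
referral into a realm that has no [realms] entry in krb5.conf
(dns_lookup_kdc = true).

Example code for this page, not part of the bug report nor of MIT krb5.
The DNS data is a constructed snapshot of the dig answer quoted in the
report: AD publishes _kerberos._udp.dom2.bar but no _kerberos-master record.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Matches an answer-section line as dig prints it, e.g.
# "_kerberos._udp.dom2.bar. 516 IN SRV 0 100 88 ad2.dom2.bar."
_SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_line(line: str) -> Optional[Tuple[str, SrvRecord]]:
    """Return (owner name, record) for a dig SRV answer line, else None.
    Names are lower-cased without the trailing dot: DNS is case-insensitive,
    which is why the lower-case realm 'dom2.bar' in the referral is harmless."""
    m = _SRV_LINE.match(line.strip())
    if m is None:
        return None
    owner = m.group("owner").rstrip(".").lower()
    target = m.group("target").rstrip(".").lower()
    return owner, SrvRecord(int(m.group("prio")), int(m.group("weight")),
                            int(m.group("port")), target)


# Constructed zone snapshot taken from the report's dig output.
CONSTRUCTED_DIG_OUTPUT = """
;; ANSWER SECTION:
_kerberos._udp.dom2.bar. 516 IN SRV 0 100 88 ad2.dom2.bar.
"""


def build_srv_table(dig_text: str) -> Dict[str, List[SrvRecord]]:
    """Index every SRV answer line by owner name; other lines are skipped."""
    table: Dict[str, List[SrvRecord]] = {}
    for line in dig_text.splitlines():
        parsed = parse_srv_line(line)
        if parsed is not None:
            owner, rec = parsed
            table.setdefault(owner, []).append(rec)
    return table


SRV_TABLE = build_srv_table(CONSTRUCTED_DIG_OUTPUT)


def offline_srv_lookup(name: str) -> List[SrvRecord]:
    """Stand-in (assumption) for a real SRV query; answers from SRV_TABLE only."""
    return list(SRV_TABLE.get(name.rstrip(".").lower(), []))


def resolve_kdcs(realm: str,
                 srv_lookup: Callable[[str], List[SrvRecord]],
                 master_only: bool = False,
                 fallback_to_any: bool = False) -> List[str]:
    """Return "host:port" KDC candidates for realm, ordered by SRV priority,
    then by descending weight.  master_only models the "(master)" send in the
    report, which queries _kerberos-master only; fallback_to_any adds the
    plain _kerberos lookup the report asks for.  UDP-before-TCP ordering is
    an assumption of this example."""
    services = ["_kerberos-master"] if master_only else ["_kerberos"]
    if master_only and fallback_to_any:
        services.append("_kerberos")
    realm_dns = realm.lower()
    for service in services:
        for proto in ("_udp", "_tcp"):
            records = srv_lookup(f"{service}.{proto}.{realm_dns}")
            if records:
                ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
                return [f"{r.target}:{r.port}" for r in ordered]
    return []  # kinit: "Cannot resolve servers for KDC in realm ..."


def render_realm_stanza(realm: str, kdcs: List[str]) -> str:
    """Render the krb5.conf [realms] workaround from the report: an explicit
    kdc plus master_kdc, so no _kerberos-master DNS lookup is needed.
    The realm name is written exactly as the referral named it."""
    lines = [f"{realm} = {{"]
    lines += [f"    kdc = {kdc}" for kdc in kdcs]
    if kdcs:
        lines.append(f"    master_kdc = {kdcs[0]}")
    lines.append("}")
    return "[realms]\n" + "\n".join("    " + l for l in lines) + "\n"


if __name__ == "__main__":
    print("master only  :", resolve_kdcs("dom2.bar", offline_srv_lookup, master_only=True))
    print("with fallback:", resolve_kdcs("dom2.bar", offline_srv_lookup,
                                         master_only=True, fallback_to_any=True))
    print(render_realm_stanza("dom2.bar", resolve_kdcs("DOM2.BAR", offline_srv_lookup)))
```

Swapping `offline_srv_lookup` for a real resolver call turns this into a quick check of whether a referral target realm publishes `_kerberos-master` records at all, which is the first thing to verify when a trace shows a "(master)" send failing with "Cannot resolve servers for KDC".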