[cifs-protocol] [REG:111020250601482] Please provide windows behaviour notes on MS-KILE's reference to Referrals-11

Thu Feb 10 15:35:40 MST 2011

On Thu, 2011-02-10 at 22:20 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I am in the process of filing a document bug for this issue but in the meantime here is the reason why Windows Server 2003 behaves this way and how Windows KDC deals with it.
> 
> Windows Server 2003 has a test in the code that test if there is a referral loop. Here is what happens:
> 
> My domain name is S4DOM.NET and the NETBIOS name is S4DOM. In this scenario, due to referral, there are two TGT’s. One returned in AS Response will be referred to as TGT1 and the one returned in the TGS response will be referred to as TGT2. 
> For this discussion, I’ll use Sname as servicename/hostname where host name is either <DNS domain name> or <NETBIOS domain name>.
> 
> Here is what happens:
> 1.	WS2k3 client sends AS Request with Realm = s4dom and Sname = krbtgt/s4dom
> 2.	In AS Response, Samba KDC sends TGT1. TGT1 contains Realm = s4dom.net and Sname = krbtgt/s4dom
> 3.	WS2k3 send a TGS request with Realm = s4dom and Sname = krbtgt/s4dom.net
> 4.	Samba KDC sends the TGS response that contains TGT2. In TGT2 , Realm is s4dom.net and sname is krbtgt/s4dom.net
> 
> 
> Windows 2003 checks for referral loop as follows:
> 
> 
> (Realm in TGT1 == hostname in TGT2)  AND  !(hostname in TGT1 == hostname in TGT2)

Just so I'm clear, hostname in your examples here is the realm component
of a krbtgt principal?   ie krbtgt/<hostname>@<REALM>?

> If the expression evaluates to TRUE, a loop is detected and the error you are observing is shown to the user.
> 
> Clients of Windows Vista and onwards do not make this check.
> 
> Windows KDC deals with this situation by sending both Realm in TGT1 and hostname in TGT1 the same (s4dom.net in this case). 
> This causes client to send TGS Request with Realm and hostname as s4dom.net. 
> KDC send TGS response with Realm in TGT2 being equal to hostname in TGT2 (s4dom.net in this case) and the expression mentioned above evaluates to FALSE and no referral loop is detected.
> 
> You probably know it already, but I'll mention it just for completeness. I can login by using Administrator at s4dom.net on WS2k3 client when KDC is Samba.

Yep, and it gave me great relief that it wasn't something more
fundamental, but we have some proprietary products running on Windows
that seem to trigger the alternate login, which is what was getting us
stuck. 

> I’ll update you as soon as I have the changes in the document. Please let me know if it answers your question.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.