krb auth weirdness found out

Sam Liddicott sam at liddicott.com
Fri Apr 3 07:56:37 GMT 2009


* Andrew Bartlett wrote, On 03/04/09 02:28:
> On Thu, 2009-04-02 at 15:11 +0100, Sam Liddicott wrote:
>   
>> I have the answer (which turns out to be another question) after
>> spending a couple of dreary days investigating why I get
>> dcerpc_bind_auth_send() from openchange (with specified creds) causing
>> errors like this:
>>
>> kinit for Sam at GALAXY failed (Cannot contact any KDC for requested realm:
>> unable to reach any KDC in realm GALAXY)
>> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
>> requested realm
>> Cannot reach a KDC we require to contact host at NOVA
>> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
>>
>> (when GALAXY is a domain value not a REALM value which should be
>> galaxy.test.dbamsystems.local) and I have to wait for the time it takes
>> to fail this before it continues with the NTLM auth (which is what it
>> should have been doing all along).
>>     
>
> If GALAXY was in the krb5.conf as a realm, it would actually work
> (strange, but true).
>   
Yeah, I'd found that, but then I was failing with these ASN.1 errors, so
I followed this path to see where it led and ended up in the same place
with the same ASN.1 errors :-(
> What we need is to provide a DC location plugin to Heimdal that does a
> lookup for the DCs in that domain, and returns them as possible kerberos
> KDCs.
>   
Does it make sense for an old windows domain to be part of a
krb5_principal, even briefly?

If so, then maybe you are right and it looks like
krb5_principal_get_realm() is a good stub function, or
krb5_get_init_creds_password()

I'm not certain that this lookup belongs in Heimdal or that a
krb5_principal should ever hold a domain (unless the realm member is
badly named).

Surely such a lookup should be called from
cli_credentials_get_principal (which is not part of Heimdal), so that
the krb5_principal never holds a domain, but only a Kerberos realm. The
file credentials.c which holds this function seems to manage enough
callbacks that one could be installed for converting from domains to realms.

Sam
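The two behaviours discussed in this thread, as an added illustration that is not code from Samba, OpenChange or Heimdal: a bare NT domain used as the realm sends the client off to locate a KDC for "GALAXY" (the timeout before the NTLM fallback), whereas a credentials object that only ever builds user@REALM, via an installable domain-to-realm callback, either produces a real realm or skips Kerberos immediately. All class and function names are hypothetical, and the domain-to-realm table and KDC locator are constructed stand-ins for a DC lookup.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed mapping from NT domain name to Kerberos realm (hypothetical;
# a real implementation would derive it from a DC lookup, not a static table).
DOMAIN_TO_REALM: Dict[str, str] = {"GALAXY": "galaxy.test.dbamsystems.local"}

class ClientCredentials:
    """Hypothetical stand-in for cli_credentials: user, domain, optional realm."""
    def __init__(self, username: str, domain: str, realm: Optional[str] = None):
        self.username, self.domain, self.realm = username, domain, realm
        self._resolve_realm: Optional[Callable[[str], Optional[str]]] = None

    def set_domain_to_realm_callback(self, cb: Callable[[str], Optional[str]]) -> None:
        """Install the domain-to-realm converter the thread proposes for credentials.c."""
        self._resolve_realm = cb

    def get_realm(self) -> Optional[str]:
        if self.realm:
            return self.realm
        return self._resolve_realm(self.domain) if self._resolve_realm else None

    def get_principal(self) -> Optional[str]:
        """Only ever builds user@REALM; returns None when no realm is known."""
        realm = self.get_realm()
        return f"{self.username}@{realm}" if realm else None

def naive_principal(creds: ClientCredentials) -> str:
    """The behaviour complained about: the bare domain is used as the realm."""
    return f"{creds.username}@{creds.domain}"

def pick_client_mech(principal: Optional[str], locate_kdc: Callable[[str], bool]) -> str:
    """Use gssapi_krb5 only when a realm is known and a KDC for it can be located."""
    if principal is None:
        return "ntlmssp"  # no realm at all: never contact a KDC, go straight to NTLM
    realm = principal.split("@", 1)[1]
    return "gssapi_krb5" if locate_kdc(realm) else "ntlmssp"

def make_locator(reachable_realms: Set[str]) -> Tuple[Callable[[str], bool], List[str]]:
    """Constructed KDC locator that records every realm it was asked to find."""
    asked: List[str] = []
    def locate(realm: str) -> bool:
        asked.append(realm)  # each entry here is one (possibly slow) KDC lookup
        return realm in reachable_realms
    return locate, asked
```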

