Modifications in Windows 2k8 R2 that prevent krb5 referral in RODC setup?

Andrew Bartlett abartlet at
Thu Sep 23 18:40:28 MDT 2010

On Thu, 2010-09-23 at 15:06 -0700, Joshua Hawkinson wrote:
> Ugh! So we've reviewed both Heimdal and MIT krb5 and it seems that the problem persists everywhere. After reading the krb5 RFC it seems that Microsoft should not be so touchy about the NAME-TYPE, but the Linux Kerberos implementations should also set the correct NAME-TYPE. We're thinking that perhaps we should modify the krb libs on the system to inspect the principal as it is building it and if it is krbtgt@REALM we'll just set the NAME-TYPE to NT-SRV-INST. This approach seems to be consistent with a) what works in this situation, b) the krb5 RFC. I realize this is super hacky but I'd like to know your thoughts on the matter.
> Have you guys integrated Heimdal into samba 4 so you can customize it to work with windows servers in cases like this? 

It is amusing to see MS being stricter in the KDC here, because for
ages it was MS that took interesting liberties with the RFCs, and has
generally been more compatible and accommodating.

Anyway, yes, that is one of the many reasons we use Heimdal, and have
lorikeet-heimdal (our bundled friendly fork).  We are happy to make
whatever changes are required (and will shortly be doing RODC work and
learning much about this area in Samba4).  We will also submit those
upstream, and so they will be included in future Heimdal releases. 

It is understandable that Microsoft is quite strict here, because they
need to be very careful not to introduce security holes with the RODC. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
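What the quoted proposal amounts to on the wire, as an added example that is not code from the original thread nor from Samba, Heimdal or MIT krb5: a PrincipalName in Kerberos (RFC 4120 section 5.2.2) is DER SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }, and NT-SRV-INST is the value 2 from section 6.2. The block below parses a principal string, applies the heuristic from the message (a krbtgt principal gets NT-SRV-INST, everything else NT-PRINCIPAL), DER-encodes the PrincipalName, and decodes it back so a captured TGS-REQ sname could be checked. The function names are my own; it is an assumption that any two-component principal whose first component is "krbtgt" should be treated this way, which generalizes the message's krbtgt@REALM to cross-realm TGS principals as well.

```python
"""DER encoding of a Kerberos PrincipalName with the name-type chosen the
way the message above proposes.  Example code, not a krb5 library API."""

# Name-type values from RFC 4120 section 6.2.
NT_UNKNOWN = 0
NT_PRINCIPAL = 1
NT_SRV_INST = 2
NT_SRV_HST = 3

# ASN.1 tags used by PrincipalName.
_SEQUENCE = 0x30
_INTEGER = 0x02
_GENERALSTRING = 0x1b
_CTX0 = 0xa0   # [0] constructed
_CTX1 = 0xa1   # [1] constructed


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM').

    A backslash escapes the next character so '/' and '@' can appear
    inside a component."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(text):
        c = text[i]
        if c == '\\' and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '/':
            comps.append(''.join(cur))
            cur = []
        elif c == '@':
            comps.append(''.join(cur))
            realm = text[i + 1:]
            break
        else:
            cur.append(c)
        i += 1
    else:
        comps.append(''.join(cur))
    if realm is None:
        raise ValueError("principal has no realm: %r" % text)
    return comps, realm


def choose_name_type(components, realm):
    """Assumption: a two-component principal starting with 'krbtgt' is a
    TGS principal and gets NT-SRV-INST; anything else stays NT-PRINCIPAL."""
    if len(components) == 2 and components[0] == 'krbtgt':
        return NT_SRV_INST
    return NT_PRINCIPAL


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    # Int32 is a signed INTEGER; use the minimal two's-complement length.
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(_INTEGER, v.to_bytes(n, 'big', signed=True))


def encode_principal_name(name_type, components):
    """PrincipalName ::= SEQUENCE { [0] name-type, [1] SEQUENCE OF GeneralString }"""
    name_string = b''.join(_tlv(_GENERALSTRING, c.encode('ascii')) for c in components)
    return _tlv(_SEQUENCE,
                _tlv(_CTX0, _der_int(name_type)) +
                _tlv(_CTX1, _tlv(_SEQUENCE, name_string)))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_principal_name(der):
    """Inverse of encode_principal_name; useful for inspecting the sname
    of a captured TGS-REQ to see which name-type the client actually sent."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == _SEQUENCE
    tag, nt_body, pos = _read_tlv(seq, 0)
    assert tag == _CTX0
    tag, nt_int, _ = _read_tlv(nt_body, 0)
    assert tag == _INTEGER
    name_type = int.from_bytes(nt_int, 'big', signed=True)
    tag, ns_body, _ = _read_tlv(seq, pos)
    assert tag == _CTX1
    tag, ns_seq, _ = _read_tlv(ns_body, 0)
    assert tag == _SEQUENCE
    comps, pos = [], 0
    while pos < len(ns_seq):
        tag, s, pos = _read_tlv(ns_seq, pos)
        assert tag == _GENERALSTRING
        comps.append(s.decode('ascii'))
    return name_type, comps


def build_sname(principal_text):
    """Parse a principal, pick its name-type and return (name_type, DER)."""
    comps, realm = parse_principal(principal_text)
    nt = choose_name_type(comps, realm)
    return nt, encode_principal_name(nt, comps)


if __name__ == '__main__':
    for p in ("krbtgt/EXAMPLE.COM@EXAMPLE.COM", "host/dc1.example.com@EXAMPLE.COM"):
        nt, der = build_sname(p)
        print(p, "name-type", nt, der.hex())
```

The encoder is enough to diff against a packet capture: the name-type of the sname in a TGS-REQ for the TGT is the first INTEGER inside the PrincipalName SEQUENCE, so a client that sends 1 (NT-PRINCIPAL) instead of 2 (NT-SRV-INST) for krbtgt is visible in the third byte of that INTEGER's value.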
