
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [REG:111020250601482] RE: Please provide
From:       Obaid Farooqi <obaidf () microsoft ! com>
Date:       2011-02-10 22:45:34
Message-ID: C76EE6B9CA401246BD8228089E50BC024C49424D () TK5EX14MBXC125 ! redmond ! corp ! microsoft ! com

Hi Andrew:
Yes, hostname is the realm part of the krbtgt principal, e.g. s4dom in krbtgt/s4dom and s4dom.net in krbtgt/s4dom.net.

Please let me know if it answers your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Thursday, February 10, 2011 4:36 PM
To: Obaid Farooqi
Cc: cifs-protocol@samba.org; MSSolve Case Email
Subject: Re: RE:[REG:111020250601482] Please provide windows behaviour notes on MS-KILE's reference to Referrals-11

On Thu, 2011-02-10 at 22:20 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I am in the process of filing a document bug for this issue but in the meantime here is the reason why Windows Server 2003 behaves this way and how Windows KDC deals with it.
> Windows Server 2003 has a test in the code that tests whether there is a referral loop. Here is what happens:
> My domain name is S4DOM.NET and the NETBIOS name is S4DOM. In this scenario, due to referral, there are two TGTs. One returned in AS Response will be referred to as TGT1 and the one returned in the TGS response will be referred to as TGT2. For this discussion, I'll use Sname as servicename/hostname where host name is either <DNS domain name> or <NETBIOS domain name>.
> Here is what happens:
> 1.	WS2k3 client sends AS Request with Realm = s4dom and Sname = krbtgt/s4dom
> 2.	In AS Response, Samba KDC sends TGT1. TGT1 contains Realm = s4dom.net and Sname = krbtgt/s4dom
> 3.	WS2k3 sends a TGS request with Realm = s4dom and Sname = krbtgt/s4dom.net
> 4.	Samba KDC sends the TGS response that contains TGT2. In TGT2, Realm is s4dom.net and sname is krbtgt/s4dom.net
> 
> Windows 2003 checks for referral loop as follows:
> 
> 
> (Realm in TGT1 == hostname in TGT2)  AND  !(hostname in TGT1 == hostname in TGT2)

Just so I'm clear, hostname in your examples here is the realm component
of a krbtgt principal?   ie krbtgt/<hostname>@<REALM>?

> If the expression evaluates to TRUE, a loop is detected and the error you are observing is shown to the user.
> Clients of Windows Vista and onwards do not make this check.
> 
> Windows KDC deals with this situation by sending both Realm in TGT1 and hostname in TGT1 the same (s4dom.net in this case). This causes the client to send a TGS Request with Realm and hostname as s4dom.net. KDC sends a TGS response with Realm in TGT2 being equal to hostname in TGT2 (s4dom.net in this case) and the expression mentioned above evaluates to FALSE and no referral loop is detected.
> You probably know it already, but I'll mention it just for completeness. I can login by using Administrator@s4dom.net on a WS2k3 client when the KDC is Samba.

Yep, and it gave me great relief that it wasn't something more fundamental, but we have some proprietary products running on Windows that seem to trigger the alternate login, which is what was getting us stuck.

> I'll update you as soon as I have the changes in the document. Please let me know if it answers your question.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
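The referral-loop check described in the quoted message, modelled as an added example (this is not code from the thread, from Samba, or from Windows). It parses krbtgt principals of the form krbtgt/<hostname>, evaluates the Windows Server 2003 expression against the two TGTs, and runs both exchanges from the thread: the Samba KDC behaviour that trips the check and the Windows KDC behaviour that does not. The string comparison is assumed to be case-insensitive, since the thread writes the same names as S4DOM.NET and s4dom.net; the `Ticket` class and `run_exchange` function are names chosen for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    """The two fields of a TGT that the loop check looks at (example type)."""
    realm: str   # Realm field of the ticket, e.g. "s4dom.net"
    sname: str   # service principal name, e.g. "krbtgt/s4dom"


def krbtgt_hostname(sname: str) -> str:
    """Return the 'hostname' part of a krbtgt principal (krbtgt/<hostname>).

    In the thread this is the realm component of the krbtgt principal, which is
    either the DNS domain name or the NetBIOS domain name.
    """
    service, sep, hostname = sname.partition("/")
    if service != "krbtgt" or not sep or not hostname:
        raise ValueError(f"not a krbtgt principal: {sname!r}")
    return hostname


def ws2003_referral_loop(tgt1: Ticket, tgt2: Ticket) -> bool:
    """Windows Server 2003 client check, as quoted in the thread:

        (Realm in TGT1 == hostname in TGT2) AND !(hostname in TGT1 == hostname in TGT2)

    Comparison is case-insensitive here (assumption for this example).
    """
    realm1 = tgt1.realm.lower()
    host1 = krbtgt_hostname(tgt1.sname).lower()
    host2 = krbtgt_hostname(tgt2.sname).lower()
    return (realm1 == host2) and not (host1 == host2)


def run_exchange(kdc: str) -> tuple[Ticket, Ticket, bool]:
    """Replay the two exchanges from the thread and return (TGT1, TGT2, loop?).

    kdc="samba"   : the 2011 Samba behaviour as described (NetBIOS hostname in
                    TGT1, DNS hostname in TGT2) -> the WS2k3 client sees a loop.
    kdc="windows" : the Windows KDC behaviour as described (Realm and hostname
                    in TGT1 both s4dom.net) -> no loop detected.
    Ticket contents are constructed from the thread's example names.
    """
    dns_name, netbios_name = "s4dom.net", "s4dom"
    if kdc == "samba":
        # AS Response: Realm = s4dom.net, Sname = krbtgt/s4dom
        tgt1 = Ticket(realm=dns_name, sname=f"krbtgt/{netbios_name}")
    elif kdc == "windows":
        # AS Response: Realm = s4dom.net, Sname = krbtgt/s4dom.net
        tgt1 = Ticket(realm=dns_name, sname=f"krbtgt/{dns_name}")
    else:
        raise ValueError(f"unknown kdc {kdc!r}")
    # In both cases the TGS Response carries Realm = s4dom.net, Sname = krbtgt/s4dom.net
    tgt2 = Ticket(realm=dns_name, sname=f"krbtgt/{dns_name}")
    return tgt1, tgt2, ws2003_referral_loop(tgt1, tgt2)


if __name__ == "__main__":
    for kdc in ("samba", "windows"):
        tgt1, tgt2, loop = run_exchange(kdc)
        print(f"{kdc:8s} TGT1={tgt1} TGT2={tgt2} loop_detected={loop}")
```

The check fails only the Samba exchange because TGT1 names the NetBIOS realm (krbtgt/s4dom) while TGT2 names the DNS realm (krbtgt/s4dom.net); once the KDC issues TGT1 with the DNS name in both fields, the second clause of the expression is false and the client proceeds.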


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

