Patch to allow referrals to multiple Windows 2000 domains.
This is a modification of a patch written by Microsoft and obtained
from MIT. Our modification allows referrals to more than one W2K forest
from a single MIT realm. We needed this to allow referrals to both
a test and production forest...
UPDATES:
- 11/12/2008: Add patch for the MIT 1.6.3 release.
- 4/29/2008: Add patch for the MIT 1.4.3 release. This patch
also includes a fix to not return authorization data in a referral ticket.
Vista SP1 clients reject the referral ticket if it contains authorization data.
It also includes a fix supplied by Phil Pishioneri which
ignores a port number appended to the service principal name.
- 11/16/2005: Update patch for the MIT 1.4.2 release to add
krb5_get_host_referral_realm to the list of exported symbols from libkrb5.so.
- 11/9/2005: Add patch for the MIT 1.4.2 release.
- 7/19/2004: Add patch for the MIT 1.3.4 release.
- 3/24/2004: Add patch for the MIT 1.3.1 release.
- 5/20/2002: Add patch for the MIT 1.2.5 release.
- 3/13/2002: Include fix for memory leak in the patch.
- 12/14/2001: This is an update to the original patch that was posted
here. We were having problems with W2K requests coming in with short names.
Without a fully-qualified DNS name of the requested service, we cannot determine
where the referral should go. This update adds back use of the referral_realm
entry in the realm stanza of the config file as used in the original Microsoft
patch. If the correct referral destination cannot be determined by using the
host name in the request, then the referral is made to the default referral
realm as configured by the referral_realm entry.
Here is an example of our domain_referral stanza that we added to our KDC's krb5.conf file. This is only required in the KDC's config file. (See below for client configuration.)
Here is the original patch we received from MIT (believed to be written by Microsoft).
Client Configuration
There is also some client configuration necessary in order to get this to
work. The Windows 2000 clients must include a RealmFlags value for the MIT
realm against which they do their initial authentication.
There is an /AddRealmFlag option on the ksetup command. This should be set to 0x8.
This option was not available in SP1; it may be in SP2. Alternatively,
you can set the Registry entry directly:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains
MIT.NTDEV.MICROSOFT.COM
KdcNames = REG_MULTI_SZ "mitrealm.dns.microsoft.com"
KpasswdNames = REG_MULTI_SZ "mitrealm.dns.microsoft.com"
RealmFlags = REG_DWORD 8
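The following PowerShell script is an added example, not part of the original page or the patch; it checks the registry values listed above for one realm and, with -Apply, sets them. The realm name and KDC host are the ones shown on this page and are assumptions to be replaced for your environment.

```powershell
# Added example: verify (and optionally set) RealmFlags, KdcNames and KpasswdNames
# for one MIT realm under the Kerberos\Domains key. Run in an elevated shell.
param(
    [string]$Realm  = 'MIT.NTDEV.MICROSOFT.COM',         # assumed value, taken from the page
    [string[]]$Kdc  = @('mitrealm.dns.microsoft.com'),   # assumed value, taken from the page
    [switch]$Apply                                       # without -Apply the script only reports
)

$ReferralFlag = 0x8   # the RealmFlags bit the page says W2K clients need for referrals
$Key = "HKLM:\System\CurrentControlSet\Control\LSA\Kerberos\Domains\$Realm"

if (-not (Test-Path $Key)) {
    Write-Host "Realm key missing: $Key"
    if ($Apply) { New-Item -Path $Key -Force | Out-Null }
}

$cur   = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
$flags = if ($cur -and $cur.PSObject.Properties['RealmFlags']) { [int]$cur.RealmFlags } else { 0 }

# Test the single bit instead of comparing for equality, so any other flags already
# set on the realm are preserved when we OR the referral bit in.
if (($flags -band $ReferralFlag) -eq $ReferralFlag) {
    Write-Host ("RealmFlags 0x{0:X}: referral bit already set" -f $flags)
} else {
    Write-Host ("RealmFlags 0x{0:X}: referral bit 0x8 missing" -f $flags)
    if ($Apply) {
        Set-ItemProperty -Path $Key -Name RealmFlags -Type DWord -Value ($flags -bor $ReferralFlag)
    }
}

# Both REG_MULTI_SZ values should list the MIT KDC / kpasswd host(s).
foreach ($name in 'KdcNames', 'KpasswdNames') {
    $have = @($cur.$name | Where-Object { $_ })
    if ($have -and -not (Compare-Object $have $Kdc)) {
        Write-Host "$name OK: $($have -join ',')"
        continue
    }
    Write-Host "$name differs: have '$($have -join ',')', want '$($Kdc -join ',')'"
    if ($Apply) { Set-ItemProperty -Path $Key -Name $name -Type MultiString -Value $Kdc }
}
```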
Comments? Suggestions? Send them to: iaa@umich.edu