I'm working on an issue that involves authentication between various Unix distros and a Windows KDC. Right now the issue is a bit esoteric (i.e. I don't have a lot of hard data to deliver right now), but I was hoping I could get some guidance as to what might be the root issue.

I have found an old comment that is the only fruit of my search to find a similar problem (http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/3877), but despite being a very old post, I'm not sure if it is germane to my point, as I am not concerned as much here about auditing, but simply authentication functionality.

I would like to know if there are any known limitations in modern Kerberos implementations that would cause failures of TGT tickets to be issued if the same principal was requesting them simultaneously. The simplest example would be a parallel execution of a kinit across multiple systems. Is there a point where these TGT exchanges can't be properly tracked, and/or possibly be considered a replay attack by the KDC? If no, why not? What is the data structure being used to prevent this? If so, what are the limits? E.g. how many simultaneous attempts might cause this? What time skew would these attempts have to fall within to be affected?

I assume this issue (if it exists) would only occur if all authentication attempts were happening against the same KDC. Preliminary data would indicate that this has been an issue in some of our tests, and that small delays in the parallel execution (a few milliseconds) eliminated the failed attempts.

TIA for any information that might lead me down the right path.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
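A harness for reproducing the scenario described in the post (several kinit runs for the same principal against one KDC, launched a configurable number of milliseconds apart) and collecting which attempts failed; this is an added example, not the poster's own tooling. It assumes MIT kinit with a keytab (`kinit -k -t KEYTAB PRINCIPAL`) and isolates each run with its own KRB5CCNAME so that the KDC is the only shared state; the keytab path and principal below are placeholders, and DRY_RUN_CMD / FAIL_CMD are stand-in commands for exercising the harness offline.

```python
import os
import subprocess
import sys
import threading
import time
from dataclasses import dataclass

# Stand-in commands (constructed) so the harness can be exercised without a KDC.
DRY_RUN_CMD = [sys.executable, "-c", "import sys; sys.exit(0)"]
FAIL_CMD = [sys.executable, "-c", "import sys; sys.exit(1)"]


@dataclass
class Attempt:
    index: int
    started_at: float  # monotonic seconds, for measuring the real stagger
    returncode: int
    stderr: str


def kinit_command(principal: str, keytab: str) -> list:
    """MIT kinit keytab invocation; both flags are real kinit options."""
    return ["kinit", "-k", "-t", keytab, principal]


def run_parallel(cmd: list, workers: int, stagger_ms: float,
                 ccache_dir: str = "/tmp") -> list:
    """Launch `cmd` `workers` times, `stagger_ms` apart (0 = as simultaneous
    as the host allows). Each run gets a private credential cache so that a
    failure can only come from the KDC exchange, not from cache contention."""
    results = [None] * workers
    lock = threading.Lock()

    def worker(i: int) -> None:
        ccache = f"FILE:{ccache_dir}/krb5cc_parallel_{os.getpid()}_{i}"
        env = dict(os.environ, KRB5CCNAME=ccache)
        t0 = time.monotonic()
        proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
        with lock:
            results[i] = Attempt(i, t0, proc.returncode, proc.stderr.strip())

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
        time.sleep(stagger_ms / 1000.0)
    for t in threads:
        t.join()
    return results


def failures(results: list) -> list:
    """Attempts whose kinit exited non-zero; inspect .stderr for the KDC error."""
    return [r for r in results if r.returncode != 0]


if __name__ == "__main__":
    # Placeholders: replace with the principal and keytab under test.
    cmd = kinit_command("host/box.example.test@EXAMPLE.TEST", "/etc/krb5.keytab")
    for stagger in (0, 1, 5):
        bad = failures(run_parallel(cmd, workers=8, stagger_ms=stagger))
        print(f"stagger={stagger}ms failures={len(bad)}")
```

Sweeping the stagger from 0 upward turns the "a few milliseconds eliminated the failures" observation into a repeatable measurement, and the captured stderr shows which KDC error code is actually returned.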
