(heimdal.info.gz) Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC

 8.2 Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
 ===================================================================
 
 See also the Step-by-Step guide from Microsoft, referenced below.
 
 Install Windows 2000 and promote the machine to a domain controller
 (Active Directory server) for the domain.
 
 By default the trust is non-transitive: only principals of the trusted
 realm itself may authenticate, not principals of realms that it in turn
 trusts. This can be changed to transitive with the `netdom.exe' tool,
 which can also be used to add the trust between the two realms.
 
 You need to tell Windows 2000 on which hosts to find the KDCs for the
 non-Windows realm with `ksetup', see  Configuring Windows 2000 to
 use a Heimdal KDC.
 
 This needs to be done on every computer that should allow cross-realm
 login with `Mapped Names'.  Then add the inter-realm keys on the Windows
 KDC: start the Domain Tree Management tool (Active Directory Domains and
 Trusts, found under Programs, Administrative Tools).
 
 Right-click your domain, select Properties and then the Trusts tab.
 Press Add in the appropriate trust list (trusted or trusting domains),
 then enter the realm name and the trust password. When asked whether
 this is a non-Windows Kerberos realm, press OK.
 
 Do not forget to add trusts in both directions (if that's what you
 want).
 
 If you want to use `netdom.exe' instead of the Domain Tree Management
 tool, you do it like this:
 
      netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword
 
 You also need to add the inter-realm keys to the Heimdal KDC. Make sure
 the two sides share an encryption type: Windows 2000 offers DES and
 arcfour (RC4-HMAC); AES is only available on Longhorn (Windows Vista /
 Server 2008).
 
 Another issue is salting.  Windows 2000 does not understand Kerberos 4
 salted keys, so if your configuration contains anything like the
 following, turn it off at least while adding the principals that are
 going to share keys with Windows 2000:
 
      [kadmin]
              default_keys = v5 v4
 
 That is, remove `v4' from `default_keys'.
 
 What you probably want to use is this (both are weak types by today's
 standards; they are listed only because Windows 2000 supports nothing
 stronger):
 
      [kadmin]
              default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
 
 Once that is also done, you can add the required inter-realm keys, one
 for each direction of the trust:
 
      kadmin add krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM
      kadmin add krbtgt/EXAMPLE.COM@NT.REALM.EXAMPLE.COM
 
 Use the same password for both keys: it must be the trust password you
 gave Windows (`TrustPassword' in the `netdom' example above), which
 Windows uses for both directions of the trust.
 
 Do not forget to reboot the Windows machine before trying the new realm
 trust (after running `ksetup'). Without the reboot it may look as if the
 trust works, but no packets are ever sent to the non-Windows KDC.
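 A small pre-flight check for the whole procedure above, written in
 Python as an added example (it is not part of Heimdal or of Microsoft's
 tools): it parses the `[kadmin]' section of a krb5.conf, flags
 `default_keys' entries that Windows 2000 cannot match, derives both
 krbtgt principals from the two realm names so that they cannot drift
 apart, and prints the matching `netdom' and `kadmin' lines. The realm
 names and the krb5.conf fragments are the ones from this section; the
 function names and the constructed fragments are assumptions of the
 example.

```python
"""Pre-flight checks for a Heimdal / Windows 2000 cross-realm trust.

Added example for this section, not Heimdal or Microsoft code. Realm names
follow the text (EXAMPLE.COM is the Heimdal realm, NT.REALM.EXAMPLE.COM the
Windows domain); the krb5.conf fragments below are constructed for the example.
"""
import re

# Enctypes a Windows 2000 KDC can share a cross-realm key with: DES and RC4
# only. AES is not an option until Longhorn.
WIN2000_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}

KRBTGT = re.compile(r"krbtgt/([^@/]+)@([^@/]+)")

# Constructed krb5.conf fragments: the [kadmin] section before and after the
# fix described in the text.
BAD_CONF = """\
[kadmin]
        default_keys = v5 v4
"""
GOOD_CONF = """\
[kadmin]
        default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
"""


def parse_default_keys(krb5_conf):
    """Return the [kadmin] default_keys entries from a krb5.conf text, or []."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        if section == "kadmin" and sep and key.strip() == "default_keys":
            return value.split()
    return []


def default_keys_problems(keys):
    """List the default_keys entries that keep a principal's keys from matching
    what Windows 2000 derives from the same password.

    Heimdal entries are 'v4', 'v5' or 'ENCTYPE:SALT'. 'v5' (Heimdal's own
    default v5 key set) is accepted without being inspected here.
    """
    problems, explicit, shared = [], False, False
    for entry in keys:
        if entry == "v4":
            problems.append("v4: Kerberos 4 salted key, which Windows 2000 does not understand")
            continue
        if entry == "v5":
            continue
        explicit = True
        enctype, _, salt = entry.partition(":")
        if salt not in ("", "pw-salt"):
            problems.append(f"{entry}: Windows derives the key with the standard salt (pw-salt)")
        if enctype in WIN2000_ENCTYPES:
            shared = True
    if explicit and not shared:
        problems.append("no DES or arcfour enctype listed; Windows 2000 supports nothing else")
    return problems


def trust_principals(heimdal_realm, windows_realm):
    """The two krbtgt entries a two-way trust needs on *both* KDCs.

    krbtgt/B@A is the cross-realm TGT a client of realm A presents in realm B,
    so A issues it and B must be able to decrypt it; the mirror image covers
    the other direction.
    """
    return (f"krbtgt/{windows_realm}@{heimdal_realm}",
            f"krbtgt/{heimdal_realm}@{windows_realm}")


def is_mirror_pair(first, second):
    """True if the pair is krbtgt/B@A and krbtgt/A@B with A != B; catches a
    realm name that was edited on one line but not on the other."""
    m1, m2 = KRBTGT.fullmatch(first), KRBTGT.fullmatch(second)
    return bool(m1 and m2
                and m1.group(1) == m2.group(2)
                and m1.group(2) == m2.group(1)
                and m1.group(1) != m1.group(2))


def setup_commands(heimdal_realm, windows_realm, trust_password):
    """Both sides' commands from one set of names. kadmin prompts for the
    password; type the netdom /passwordt value for both entries, since Windows
    uses that single password for both directions of the trust."""
    heimdal = [f"kadmin add {p}" for p in trust_principals(heimdal_realm, windows_realm)]
    windows = (f"netdom trust {windows_realm} /Domain:{heimdal_realm} "
               f"/add /realm /passwordt:{trust_password}")
    return {"windows": windows, "heimdal": heimdal}


if __name__ == "__main__":
    for name, conf in (("before", BAD_CONF), ("after", GOOD_CONF)):
        print(name, default_keys_problems(parse_default_keys(conf)) or "ok")
    # A mistyped pair (realm names inconsistent between the two lines): False
    print(is_mirror_pair("krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM",
                         "krbtgt/REALM.EXAMPLE.COM@NT.EXAMPLE.COM"))
    for line in setup_commands("EXAMPLE.COM", "NT.REALM.EXAMPLE.COM", "TrustPassword")["heimdal"]:
        print(line)
```

 The `netdom' line carries the trust password on the command line, as in
 the text; the `kadmin' lines deliberately do not, since `kadmin add'
 prompts for it and that keeps the shared secret out of shell history.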
 