(heimdal.info.gz) Quirks of Windows 2000 KDC
8.6 Quirks of Windows 2000 KDC
==============================
There are some issues with salts and Windows 2000. Using an empty
salt--which is the only one that Kerberos 4 supported, and is therefore
known as a Kerberos 4 compatible salt--does not work, as far as we can
tell from our experiments and users' reports. Therefore, you have to
make sure you keep around keys with all the different types of salts
that are required. Microsoft have fixed this issue post Windows 2003.

Microsoft also seems to have forgotten to implement the checksum
algorithms `rsa-md4-des' and `rsa-md5-des'. This can make name mapping
(see Create account mappings) fail if a `des-cbc-md5' key is used.

To make the KDC return only `des-cbc-crc' you must delete the
`des-cbc-md5' key from the KDC using the `kadmin del_enctype' command.

     kadmin del_enctype lha des-cbc-md5

You should also add the following entries to the `krb5.conf' file:

     [libdefaults]
         default_etypes = des-cbc-crc
         default_etypes_des = des-cbc-crc

These configuration options will make sure that no checksums of the
unsupported types are generated.
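
The following check is an added example, not part of the Heimdal manual:
it reads a `krb5.conf' and reports when either option above is missing
from `[libdefaults]' or lists anything besides `des-cbc-crc'. The function
name `check_w2k_etypes' and the sample file are constructed for
illustration.

```shell
#!/bin/sh
# Added example (not from the Heimdal manual). check_w2k_etypes is a
# hypothetical helper name.

check_w2k_etypes() {
    # $1 = path to krb5.conf. Prints one line per problem; returns 1 if any.
    awk '
        BEGIN { want["default_etypes"] = 1; want["default_etypes_des"] = 1 }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }    # trim the line
        /^[#;]/ || /^$/ { next }                        # comment or blank
        /^\[/ { insec = ($0 == "[libdefaults]"); next } # section header
        insec && (eq = index($0, "=")) {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]+/, "", key); sub(/^[ \t]+/, "", val)
            if (key in want) {
                seen[key] = 1
                # Every occurrence must name des-cbc-crc and nothing else.
                if (val != "des-cbc-crc") {
                    print key ": \"" val "\" is not only des-cbc-crc"
                    bad = 1
                }
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) {
                    print k ": not set in [libdefaults]"
                    bad = 1
                }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: des-cbc-md5 is still listed, and the second option
# sits in the wrong section, so it does not count for [libdefaults].
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_etypes = des-cbc-md5 des-cbc-crc
[realms]
    default_etypes_des = des-cbc-crc
EOF
check_w2k_etypes "$sample" || echo "krb5.conf does not pin des-cbc-crc"
rm -f "$sample"
```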