
(heimdal.info) Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC

 
 Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
 ===============================================================
 
 See also the Step-by-Step guide from Microsoft, referenced below.
 
 Install Windows 2000, and create a new controller (Active Directory
 Server) for the domain.
 
 By default the trust will be non-transitive. This means that only users
 directly from the trusted domain may authenticate. This can be changed
 to transitive by using the `netdom.exe' tool.
 
 You need to tell Windows 2000 on which hosts to find the KDCs for the
 non-Windows realm with `ksetup'; see Configuring Windows 2000 to
 use a Heimdal KDC.
 
 This needs to be done on all computers that want to enable cross-realm
 login with `Mapped Names'.
 
 Then you need to add the inter-realm keys on the Windows KDC. Start the
 Domain Tree Management tool (found in Programs, Administrative tools,
 Active Directory Domains and Trusts).
 
 Right click on Properties of your domain, select the Trust tab.  Press
 Add on the appropriate trust windows and enter domain name and
 password. When prompted if this is a non-Windows Kerberos realm, press
 OK.
 
 Do not forget to add trusts in both directions.
 
 You also need to add the inter-realm keys to the Heimdal KDC. There are
 some tweaks that you need to do to `krb5.conf' beforehand.
 
      [libdefaults]
      	default_etypes = des-cbc-crc
      	default_etypes_des = des-cbc-crc
 
 since otherwise checksum types that are not understood by Windows 2000
 will be generated (see Quirks of Windows 2000 KDC).
 
 Another issue is salting.  Since Windows 2000 does not seem to
 understand Kerberos 4 salted hashes you might need to turn off anything
 similar to the following if you have it, at least while adding the
 principals that are going to share keys with Windows 2000.
 
      [kadmin]
      	default_keys = v5 v4
 
 You must also set:
 
 Once that is also done, you can add the required inter-realm keys:
 
      kadmin add krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM
      kadmin add krbtgt/REALM.EXAMPLE.COM@NT.EXAMPLE.COM
 
 Use the same passwords for both keys.
 
 Do not forget to reboot before trying the new realm-trust (after running
 `ksetup'). Without the reboot it looks like it might work, but packets
 are never sent to the non-Windows KDC.
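 
 The following check of the Heimdal side of this procedure is an added example, not part of the Heimdal manual or code. It parses a `krb5.conf', verifies the `[libdefaults]' and `[kadmin]' settings described above, and confirms that a krbtgt principal exists for each direction of the trust. The realm names EXAMPLE.COM and NT.EXAMPLE.COM, the function names and the sample input are constructed for illustration.

```python
import re

def parse_krb5_conf(text):
    """Collect flat `key = value` bindings per [section]; nested { } blocks are skipped."""
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth -= 1
        elif depth == 0 and re.fullmatch(r"\[[^\]]+\]", line):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif depth == 0 and section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key] = value.split()
    return conf

def preflight(text, heimdal_realm, windows_realm, principals):
    """Return the problems found on the Heimdal side of the trust (empty list = ok)."""
    conf, problems = parse_krb5_conf(text), []
    for key in ("default_etypes", "default_etypes_des"):
        if conf.get("libdefaults", {}).get(key) != ["des-cbc-crc"]:
            problems.append(f"[libdefaults] {key} is not des-cbc-crc")
    for spec in conf.get("kadmin", {}).get("default_keys", []):
        # "v4" is Heimdal's shorthand for the Kerberos 4 salt (des:pw-salt:)
        if spec == "v4" or spec.endswith("pw-salt:"):
            problems.append(f"[kadmin] default_keys has Kerberos 4 salt: {spec}")
    # One krbtgt principal per direction of the trust
    for name in (f"krbtgt/{windows_realm}@{heimdal_realm}",
                 f"krbtgt/{heimdal_realm}@{windows_realm}"):
        if name not in principals:
            problems.append(f"missing inter-realm principal {name}")
    return problems

# Constructed sample input: placeholder realms, a krb5.conf that still lists v4,
# and a principal list (e.g. as collected from kadmin) with one direction missing.
SAMPLE_CONF = """\
[libdefaults]
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
[kadmin]
    default_keys = v5 v4
"""
SAMPLE_PRINCIPALS = ["krbtgt/NT.EXAMPLE.COM@EXAMPLE.COM"]

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONF, "EXAMPLE.COM", "NT.EXAMPLE.COM", SAMPLE_PRINCIPALS):
        print("FAIL:", problem)
```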
 