(heimdal.info) Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
===============================================================
See also the Step-by-Step guide from Microsoft, referenced below.
Install Windows 2000, and create a new controller (Active Directory
Server) for the domain.
By default the trust will be non-transitive. This means that only users
directly from the trusted domain may authenticate. This can be changed
to transitive by using the `netdom.exe' tool.
You need to tell Windows 2000 which hosts run the KDCs for the
non-Windows realm, using `ksetup'; see Configuring Windows 2000 to
use a Heimdal KDC.
This needs to be done on every computer that should allow cross-realm
login with `Mapped Names'.
Then you need to add the inter-realm keys on the Windows KDC. Start the
Domain Tree Management tool (found under Programs, Administrative Tools,
Active Directory Domains and Trusts).
Right-click your domain, open Properties and select the Trust tab. Press
Add in the appropriate trust window and enter the domain name and
password. When prompted whether this is a non-Windows Kerberos realm,
press OK.
Do not forget to add trusts in both directions.
You also need to add the inter-realm keys to the Heimdal KDC. There are
some tweaks that you need to make to `krb5.conf' beforehand:
     [libdefaults]
             default_etypes = des-cbc-crc
             default_etypes_des = des-cbc-crc
since otherwise checksum types that are not understood by Windows 2000
will be generated (see Quirks of Windows 2000 KDC).
Another issue is salting. Since Windows 2000 does not seem to
understand Kerberos 4 salted hashes you might need to turn off anything
similar to the following if you have it, at least while adding the
principals that are going to share keys with Windows 2000.
     [kadmin]
             default_keys = v5 v4
You must also set:
Once that is also done, you can add the required inter-realm keys:
     kadmin add krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM
     kadmin add krbtgt/REALM.EXAMPLE.COM@NT.EXAMPLE.COM
Use the same passwords for both keys.
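After adding the keys it is worth checking that both krbtgt principals really exist and carry only enctypes Windows 2000 can use. The following script is an added example, not part of the Heimdal documentation or tools: it parses the output of `kadmin -l get' for the two cross-realm principals and reports a missing direction or an enctype outside the allowed set. The sample output, the field layout it assumes, and the realm names EXAMPLE.COM and NT.EXAMPLE.COM are all constructed for this example.

```python
import re

# Constructed sample of `kadmin -l get` output for the two cross-realm
# principals.  The field layout is assumed to resemble Heimdal's; the
# records themselves are made up for this example.  The second principal
# deliberately carries an AES key that Windows 2000 cannot use.
SAMPLE_KADMIN_OUTPUT = """\
            Principal: krbtgt/NT.EXAMPLE.COM@EXAMPLE.COM
                 Kvno: 1
             Keytypes: des-cbc-crc(pw-salt)

            Principal: krbtgt/EXAMPLE.COM@NT.EXAMPLE.COM
                 Kvno: 1
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des-cbc-crc(pw-salt)
"""


def parse_principals(text):
    """Map each principal name to the set of enctypes on its Keytypes line."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            keys[current] = set()
            continue
        m = re.match(r"\s*Keytypes:\s*(.*)", line)
        if m and current:
            for entry in m.group(1).split(","):
                entry = entry.strip()
                if entry:
                    # "des-cbc-crc(pw-salt)" -> "des-cbc-crc"
                    keys[current].add(entry.split("(")[0])
    return keys


def check_trust_keys(text, local_realm, remote_realm, allowed=("des-cbc-crc",)):
    """Return a list of problems with the inter-realm keys; empty means OK."""
    wanted = (f"krbtgt/{remote_realm}@{local_realm}",
              f"krbtgt/{local_realm}@{remote_realm}")
    keys = parse_principals(text)
    problems = []
    for princ in wanted:
        if princ not in keys:
            problems.append(f"missing {princ} (trust must exist in both directions)")
            continue
        extra = keys[princ] - set(allowed)
        if extra:
            problems.append(f"{princ} has enctypes Windows 2000 cannot use: {sorted(extra)}")
    return problems
```

Run it against the real output of `kadmin -l get 'krbtgt/*'` on the Heimdal KDC; an empty list means both directions exist with only the des-cbc-crc key.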
Do not forget to reboot the Windows machine after running `ksetup' and
before trying the new realm trust. Without the reboot it may look like
it works, but no packets are ever sent to the non-Windows KDC.