(heimdal.info) Quirks of Windows 2000 KDC
Info Catalog
(heimdal.info) Authorization data
(heimdal.info) Windows 2000 compatability
(heimdal.info) Useful links when reading about the Windows 2000
Quirks of Windows 2000 KDC
==========================
There are some issues with salts and Windows 2000. Using an empty salt,
which is the only one that Kerberos 4 supported and is therefore known
as a Kerberos 4 compatible salt does not work, as far as we can tell
from out experiments and users reports. Therefore, you have to make
sure you keep around keys with all the different types of salts that are
required.
Microsoft seems also to have forgotten to implement the checksum
algorithms `rsa-md4-des' and `rsa-md5-des'. This can make Name mapping
( Create account mappings) fail if a `des-cbc-md5' key is used.
To make the KDC return only `des-cbc-crc' you must delete the
`des-cbc-md5' key from the kdc using the `kadmin del_enctype' command.
kadmin del_enctype lha des-cbc-md5
You should also add the following entries to the `krb5.conf' file:
[libdefaults]
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
These configuration options will make sure that no checksums of the
unsupported types are generated.
Info Catalog
(heimdal.info) Authorization data
(heimdal.info) Windows 2000 compatability
(heimdal.info) Useful links when reading about the Windows 2000
automatically generated byinfo2html