(heimdal.info.gz) Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
Info Catalog
(heimdal.info.gz) Configuring Windows 2000 to use a Heimdal KDC
(heimdal.info.gz) Windows 2000 compatability
(heimdal.info.gz) Create account mappings
8.2 Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
===================================================================
See also the Step-by-Step guide from Microsoft, referenced below.
Install Windows 2000, and create a new controller (Active Directory
Server) for the domain.
By default the trust will be non-transitive. This means that only users
directly from the trusted domain may authenticate. This can be changed
to transitive by using the `netdom.exe' tool. `netdom.exe' can also be
used to add the trust between two realms.
You need to tell Windows 2000 on what hosts to find the KDCs for the
non-Windows realm with `ksetup', see Configuring Windows 2000 to
use a Heimdal KDC.
This needs to be done on all computers that want to enable cross-realm
login with `Mapped Names'. Then you need to add the inter-realm keys
on the Windows KDC. Start the Domain Tree Management tool (found in
Programs, Administrative tools, Active Directory Domains and Trusts).
Right-click your domain, select Properties, then select the Trust tab.
Press Add in the appropriate trust window and enter the domain name and
password. When prompted whether this is a non-Windows Kerberos realm,
press OK.
Do not forget to add trusts in both directions (if that's what you
want).
If you want to use `netdom.exe' instead of the Domain Tree Management
tool, you do it like this:
netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword
You also need to add the inter-realm keys to the Heimdal KDC. Make sure
both sides have matching encryption types (DES, Arcfour, and AES in the
case of Longhorn).
Another issue is salting. Since Windows 2000 does not seem to
understand Kerberos 4 salted hashes you might need to turn off anything
similar to the following if you have it, at least while adding the
principals that are going to share keys with Windows 2000.
[kadmin]
default_keys = v5 v4
So remove v4 from default keys.
What you probably want to use is this:
[kadmin]
default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
Once that is also done, you can add the required inter-realm keys:
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM
kadmin add krbtgt/EXAMPLE.COM@NT.REALM.EXAMPLE.COM
Use the same passwords for both keys.
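The two checks that most often go wrong in this procedure are the salting
configuration and the naming of the cross-realm krbtgt principals (each
realm must hold krbtgt/<other realm>@<own realm>). The following helper
is an added example, not part of the Heimdal manual or the Heimdal source;
it runs offline against a krb5.conf fragment and a pair of principal names
before anything is typed into kadmin. The realm names and the config text
are constructed sample input; the function names are this example's own.

```python
"""Pre-flight checks for a Heimdal <-> Windows cross-realm trust.

Added example (not Heimdal code). It does not talk to a KDC: it derives the
krbtgt principal names for a two-way trust, verifies that a pair of
principals really mirror each other, and scans [kadmin] default_keys for
the Kerberos 4 style 'v4' entry that Windows 2000 does not understand.
"""
import re

# krbtgt/<other>@<home>: the realm that stores the key is the one after '@'.
_PRINC = re.compile(r"^krbtgt/(?P<other>[^@\s]+)@(?P<home>[^@\s]+)$")


def cross_realm_principals(realm_a, realm_b):
    """Return the two krbtgt principals a two-way trust between A and B needs.

    Realm names are case-sensitive in Kerberos and are upper case by
    convention, so both inputs are upper-cased here.
    """
    a, b = realm_a.upper(), realm_b.upper()
    return [f"krbtgt/{b}@{a}", f"krbtgt/{a}@{b}"]


def kadmin_add_commands(realm_a, realm_b):
    """The 'kadmin add' lines for both directions of the trust."""
    return [f"kadmin add {p}" for p in cross_realm_principals(realm_a, realm_b)]


def check_trust_pair(principals):
    """Return a list of problems with a pair of cross-realm principals.

    An empty list means the two principals describe one symmetric trust,
    i.e. the home realm of each is the 'other' realm of its partner.
    """
    problems, parsed = [], []
    for p in principals:
        m = _PRINC.match(p)
        if not m:
            problems.append(f"{p}: not of the form krbtgt/<other>@<home>")
            continue
        parsed.append((m["home"], m["other"]))
    if len(parsed) != 2:
        return problems
    (home1, other1), (home2, other2) = parsed
    if not (home1 == other2 and home2 == other1):
        problems.append(
            f"realms do not mirror each other: {principals[0]} vs {principals[1]}"
        )
    return problems


def check_default_keys(config_text, forbidden=("v4",)):
    """Scan [kadmin] default_keys and return entries Windows 2000 cannot use.

    Only the 'v4' shorthand named in the manual is flagged by default; the
    'forbidden' tuple is this example's own knob, not a Heimdal option.
    """
    section, offending = None, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "kadmin" and line.startswith("default_keys"):
            _, _, value = line.partition("=")
            offending.extend(k for k in value.split() if k in forbidden)
    return offending


if __name__ == "__main__":
    # Constructed sample input matching the realms used in the manual.
    for cmd in kadmin_add_commands("EXAMPLE.COM", "NT.REALM.EXAMPLE.COM"):
        print(cmd)
    bad_conf = "[kadmin]\n\tdefault_keys = v5 v4\n"
    good_conf = "[kadmin]\n\tdefault_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt\n"
    print("bad config flags:", check_default_keys(bad_conf))
    print("good config flags:", check_default_keys(good_conf))
```

Running it prints the two kadmin commands for the sample realms and shows
that the first configuration is flagged for `v4' while the recommended
`pw-salt' configuration passes. Feeding a mismatched pair such as
krbtgt/NT.REALM.EXAMPLE.COM@EXAMPLE.COM together with
krbtgt/REALM.EXAMPLE.COM@NT.EXAMPLE.COM to check_trust_pair reports that
the realms do not mirror each other, which is exactly the kind of slip that
makes one direction of the trust silently fail.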
Do not forget to reboot before trying the new realm-trust (after
running `ksetup'). It looks like it might work, but packets are never
sent to the non-Windows KDC.