add win2k

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7016 ec53bebd-3082-4978-b11e-865c3cabbd6b

doc/ack.texi

@@ -1,4 +1,4 @@
-@node  Acknowledgments, , Kerberos 4 issues, Top
+@node  Acknowledgments, , Windows 2000 compatability, Top
 @comment  node-name,  next,  previous,  up
 @appendix Acknowledgments
 

doc/heimdal.texi

@@ -17,7 +17,7 @@
 @c not yet @include version.texi
 @set UPDATED $Date$
 @set EDITION 0.0
-@set VERSION 0.1c
+@set VERSION 0.1m
 
 @ifinfo
 @dircategory Heimdal
@@ -226,14 +226,9 @@ to the following restrictions:
 * Setting up a realm::          
 * Things in search for a better place::  
 * Kerberos 4 issues::           
+* Windows 2000 compatability::
 * Acknowledgments::             
 
- --- The Detailed Node Listing ---
-
-Kerberos 4 issues
-
-* Principal conversion issues::  
-* Converting a version 4 database::  
 @end menu
 
 @include intro.texi
@@ -242,6 +237,7 @@ Kerberos 4 issues
 @include setup.texi
 @include misc.texi
 @include kerberos4.texi
+@include win2k.texi
 @include ack.texi
 
 @c @shortcontents

doc/kerberos4.texi

@@ -1,4 +1,4 @@
-@node Kerberos 4 issues, Acknowledgments, Things in search for a better place, Top
+@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top
 @comment  node-name,  next,  previous,  up
 @chapter Kerberos 4 issues
 

doc/win2k.texi

@@ -0,0 +1,57 @@
+@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top
+@comment  node-name,  next,  previous,  up
+@chapter Windows 2000 compatability
+
+Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
+Kerberos 5.  Their implementation, however, has some quirks,
+peculiarities, and bugs.  This chapter is a short summary of the things
+that we have found out while trying to test Heimdal against Windows
+2000.  Another big problem with the Kerberos implementation in Windows
+2000 is the almost complete lack of documentation.
+
+This information should apply to Heimdal @value{VERSION} and Windows
+2000 RC1.  It's of course subject all the time and mostly consists of
+our not so inspired guesses.  Hopefully it's still somewhat useful.
+
+@menu
+* Encryption types::            
+* Authorization data::          
+@end menu
+
+@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Encryption types
+
+Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
+des-cbc-md5) and its own proprietary encryption that is based on md4 and
+rc4 and which you cannot get hold of how it works with a NDA.  To enable
+a given principal to use DES, it needs to have DES keys in the database.
+To do this, you need to enable DES keys for the particular principal
+with the user administration tool and then change the password.
+
+@node Authorization data,  , Encryption types, Windows 2000 compatability
+@comment  node-name,  next,  previous,  up
+@section Authorization data
+
+The Windows 2000 KDC also adds extra authorization data in tickets.
+It is at this point unclear what triggers it to do this.  The format of
+this data is unknown and according to Microsoft, subject to change.  A
+simple way of getting hold of the data to be able to understand it
+better is described here.
+
+@enumerate
+@item Find the client example on using the SSPI in the SDK documentation.
+@item Change ``AuthSamp'' in the source code to lowercase.
+@item Build the program.
+@item Add the ``authsamp'' principal with a known password to the
+database.  Make sure it has a DES key.
+@item Run @kbd{ktutil add} to add the key for that principal to a
+keytab.
+@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
+--dump-auth=file} where file is an appropriate file.
+@item It should authenticate and dump for you the authorization data in
+the file.
+@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
+analyzing the data.
+@end enumerate
+