From 09378d4ca317268d60e37e7ab361e401651a39d6 Mon Sep 17 00:00:00 2001 From: Assar Westerlund Date: Thu, 23 Sep 1999 03:05:58 +0000 Subject: [PATCH] add win2k git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7016 ec53bebd-3082-4978-b11e-865c3cabbd6b --- doc/ack.texi | 2 +- doc/heimdal.texi | 10 +++----- doc/kerberos4.texi | 2 +- doc/win2k.texi | 57 ++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 62 insertions(+), 9 deletions(-) create mode 100644 doc/win2k.texi diff --git a/doc/ack.texi b/doc/ack.texi index 62243d86b..8c95b76c7 100644 --- a/doc/ack.texi +++ b/doc/ack.texi @@ -1,4 +1,4 @@ -@node Acknowledgments, , Kerberos 4 issues, Top +@node Acknowledgments, , Windows 2000 compatability, Top @comment node-name, next, previous, up @appendix Acknowledgments diff --git a/doc/heimdal.texi b/doc/heimdal.texi index cd74c12fa..96bed561e 100644 --- a/doc/heimdal.texi +++ b/doc/heimdal.texi @@ -17,7 +17,7 @@ @c not yet @include version.texi @set UPDATED $Date$ @set EDITION 0.0 -@set VERSION 0.1c +@set VERSION 0.1m @ifinfo @dircategory Heimdal @@ -226,14 +226,9 @@ to the following restrictions: * Setting up a realm:: * Things in search for a better place:: * Kerberos 4 issues:: +* Windows 2000 compatability:: * Acknowledgments:: - --- The Detailed Node Listing --- - -Kerberos 4 issues - -* Principal conversion issues:: -* Converting a version 4 database:: @end menu @include intro.texi @@ -242,6 +237,7 @@ Kerberos 4 issues @include setup.texi @include misc.texi @include kerberos4.texi +@include win2k.texi @include ack.texi @c @shortcontents diff --git a/doc/kerberos4.texi b/doc/kerberos4.texi index f56e742fa..93671f9d1 100644 --- a/doc/kerberos4.texi +++ b/doc/kerberos4.texi @@ -1,4 +1,4 @@ -@node Kerberos 4 issues, Acknowledgments, Things in search for a better place, Top +@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top @comment node-name, next, previous, up @chapter Kerberos 4 issues 
diff --git a/doc/win2k.texi b/doc/win2k.texi new file mode 100644 index 000000000..f5ec057f1 --- /dev/null +++ b/doc/win2k.texi 
@@ -0,0 +1,57 @@ +@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top +@comment node-name, next, previous, up +@chapter Windows 2000 compatability + +Windows 2000 (formerly known as Windows NT 5) from Microsoft implements +Kerberos 5. Their implementation, however, has some quirks, +peculiarities, and bugs. This chapter is a short summary of the things +that we have found out while trying to test Heimdal against Windows +2000. Another big problem with the Kerberos implementation in Windows +2000 is the almost complete lack of documentation. + +This information should apply to Heimdal @value{VERSION} and Windows +2000 RC1. It's of course subject all the time and mostly consists of +our not so inspired guesses. Hopefully it's still somewhat useful. + +@menu +* Encryption types:: +* Authorization data:: +@end menu + +@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability +@comment node-name, next, previous, up +@section Encryption types + +Windows 2000 supports both the standard DES encryptions (des-cbc-crc and +des-cbc-md5) and its own proprietary encryption that is based on md4 and +rc4 and which you cannot get hold of how it works with a NDA. To enable +a given principal to use DES, it needs to have DES keys in the database. +To do this, you need to enable DES keys for the particular principal +with the user administration tool and then change the password. + +@node Authorization data, , Encryption types, Windows 2000 compatability +@comment node-name, next, previous, up +@section Authorization data + +The Windows 2000 KDC also adds extra authorization data in tickets. +It is at this point unclear what triggers it to do this. The format of +this data is unknown and according to Microsoft, subject to change. A +simple way of getting hold of the data to be able to understand it +better is described here. + +@enumerate +@item Find the client example on using the SSPI in the SDK documentation. 
+@item Change ``AuthSamp'' in the source code to lowercase. +@item Build the program. +@item Add the ``authsamp'' principal with a known password to the +database. Make sure it has a DES key. +@item Run @kbd{ktutil add} to add the key for that principal to a +keytab. +@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp +--dump-auth=file} where file is an appropriate file. +@item It should authenticate and dump for you the authorization data in +the file. +@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for +analyzing the data. +@end enumerate +
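Review bot: "compatability" is misspelled in the new node name on the `@node Acknowledgments` line of the doc/ack.texi hunk, and the same spelling is repeated in the doc/heimdal.texi menu entry, the doc/kerberos4.texi `@node` line, and the `@node`, `@chapter` and section `@node` lines of doc/win2k.texi. Texinfo node pointers have to match the node name exactly, so correct it to "Windows 2000 compatibility" in all four files in the same change rather than in only one of them.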
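Review bot: The `@set VERSION 0.1m` line in the first doc/heimdal.texi hunk (previously 0.1c) is not covered by the subject "add win2k". The new chapter states "This information should apply to Heimdal @value{VERSION}", so this bump changes which release the Windows 2000 notes claim to describe. Either mention the version change in the commit message or move it to its own commit.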
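Review bot: The second doc/heimdal.texi hunk (the `@menu` block) deletes the "--- The Detailed Node Listing ---" part, including "* Principal conversion issues::" and "* Converting a version 4 database::", without saying why. If the detailed listing is meant to stay, keep those entries and add the new chapter's subnodes ("* Encryption types::" and "* Authorization data::") next to them; if dropping it is intentional, say so in the commit message, since it is unrelated to adding the Windows 2000 chapter.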
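Review bot: Two sentences in the new doc/win2k.texi text do not parse. In the chapter introduction, "It's of course subject all the time" is missing words, and in the Encryption types section "which you cannot get hold of how it works with a NDA" leaves it unclear whether the description is available only under an NDA or not at all; please reword both. In the Authorization data steps, the placeholder in `--dump-auth=file` would read better as `@var{file}`, the step "Change ``AuthSamp'' in the source code to lowercase" should say why the change is needed, and because the procedure creates a principal with a known password and writes its key to a keytab, it is worth stating that this is a throwaway test principal.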