Patch from Guillaume Rousse to update the Windows situation
@@ -1,26 +1,23 @@
@c $Id$
@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
@node Windows compatibility, Programming with Kerberos, Kerberos 4 issues, Top
@comment node-name, next, previous, up
@chapter Windows 2000 compatability
@chapter Windows compatibility
Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5. Their implementation, however, has some quirks,
peculiarities, and bugs. This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000. Another big problem with the Kerberos implementation in Windows
2000 is that the available documentation is more focused on getting
Microsoft Windows, starting from version 2000 (formerly known as Windows NT 5), implements Kerberos 5. Their implementation, however, has some quirks,
peculiarities, and bugs. This chapter is a short summary of the compatibility
issues between Heimdal and various Windows versions.
The big problem with the Kerberos implementation in Windows
is that the available documentation is more focused on getting
things to work rather than how they work, and not that useful in figuring
out how things really work.
This information should apply to Heimdal @value{VERSION} and Windows
2000 Professional. It's of course subject to change all the time and
out how things really work. It's of course subject to change all the time and
mostly consists of our not so inspired guesses. Hopefully it's still
somewhat useful.
@menu
* Configuring Windows 2000 to use a Heimdal KDC::
* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
* Configuring Windows to use a Heimdal KDC::
* Inter-Realm keys (trust) between Windows and a Heimdal KDC::
* Create account mappings::
* Encryption types::
* Authorisation data::
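Review bot: the chapter node is renamed to "Windows compatibility" here, but every @node line later in this patch points its previous/up fields at "Windows compatability" (the old misspelling), so makeinfo will report an undefined node for the chapter cross-references; pick one spelling and use it in all @node lines. In the new first paragraph, "Microsoft Windows, starting from version 2000 ..., implements Kerberos 5. Their implementation" should read "Its implementation", and the line should be wrapped like the rest of the file. The replaced text also drops "This information should apply to Heimdal @value{VERSION} and Windows 2000 Professional", the only statement of what the chapter was verified against; now that it covers 2000 through 2008, keep a sentence saying which Heimdal and Windows versions the claims were tested on instead of leaving only "subject to change all the time".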
@@ -28,14 +25,11 @@ somewhat useful.
* Useful links when reading about the Windows 2000::
@end menu
@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
@node Configuring Windows to use a Heimdal KDC, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability, Windows compatability
@comment node-name, next, precious, up
@section Configuring Windows 2000 to use a Heimdal KDC
@section Configuring Windows to use a Heimdal KDC
You need the command line program called @command{ksetup.exe} which is available
in the file @file{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
CD-ROM. This program is used to configure the Kerberos settings on a
Workstation.
You need the command line program called @command{ksetup.exe}. This program comes with the Windows Support Tools, available from either the installation CD-ROM (@file{SUPPORT/TOOLS/SUPPORT.CAB}), or from Microsoft web site. Starting from Windows 2008, it is already installed. This program is used to configure the Kerberos settings on a Workstation.
@command{Ksetup} store the domain information under the registry key:
@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
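Review bot: the previous/up fields in "@node Configuring Windows to use a Heimdal KDC, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability, Windows compatability" do not match the "@node Windows compatibility" this patch introduces at the top of the file, so the node pointers are broken; the @comment line under it also still says "precious" for "previous". The menu entry "* Useful links when reading about the Windows 2000::" is left with "2000" while the rest of the menu drops it; that is consistent with the unchanged node name but reads oddly under a chapter now called "Windows compatibility". In the merged ksetup paragraph, "from Microsoft web site" should be "from Microsoft's web site", and "Starting from Windows 2008, it is already installed" should be wrapped to the file's line width and given the same hedging the rest of the text uses for version-specific claims.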
@@ -88,13 +82,13 @@ The Windows machine will now map any user to the corresponding principal,
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
(This is most likely what you want.)
@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
@node Inter-Realm keys (trust) between Windows and a Heimdal KDC, Create account mappings, Configuring Windows to use a Heimdal KDC, Windows compatability
@comment node-name, next, precious, up
@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
@section Inter-Realm keys (trust) between Windows and a Heimdal KDC
See also the Step-by-Step guide from Microsoft, referenced below.
Install Windows 2000, and create a new controller (Active Directory
Install Windows, and create a new controller (Active Directory
Server) for the domain.
By default the trust will be non-transitive. This means that only users
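Review bot: the up field in "@node Inter-Realm keys (trust) between Windows and a Heimdal KDC, Create account mappings, Configuring Windows to use a Heimdal KDC, Windows compatability" again spells the chapter node "compatability", which no longer matches the renamed chapter node, and the @comment below it keeps the "precious" typo. "Install Windows, and create a new controller (Active Directory Server) for the domain" should say "a domain controller"; since the sentence now covers every version from 2000 to 2008, it is worth stating that this is the generic step and that the exact procedure depends on the Windows version.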
@@ -102,8 +96,8 @@ directly from the trusted domain may authenticate. This can be changed
to transitive by using the @command{netdom.exe} tool. @command{netdom.exe}
can also be used to add the trust between two realms.
You need to tell Windows 2000 on what hosts to find the KDCs for the
non-Windows realm with @command{ksetup}, see @xref{Configuring Windows 2000
You need to tell Windows on what hosts to find the KDCs for the
non-Windows realm with @command{ksetup}, see @xref{Configuring Windows
to use a Heimdal KDC}.
This needs to be done on all computers that want enable cross-realm
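Review bot: "see @xref{Configuring Windows to use a Heimdal KDC}" renders as "see See Configuring Windows ..." because @xref emits its own "See"; use @pxref (or @ref) in running text. The node name inside the braces does match the renamed section node, which is the one thing in this hunk that does line up; the chapter-level pointers in the other hunks need the same care.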
@@ -127,33 +121,35 @@ Management tool, you do it like this:
netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword
@end example
You also need to add the inter-realm keys to the Heimdal KDC. Make sure
you have matching encryption types (DES, Arcfour and AES in case of Longhorn)
You also need to add the inter-realm keys to the Heimdal KDC. But take
cares to the encodings and salting used for those keys. There should be
no encoding stronger than the one configured on Windows side for this
relationship, itself limited to the ones supported by this specific version of
Windows, nor any Kerberos 4 salted hashes, as Windows does not seem to
understand them. Otherwise, the relationship will not works.
Another issue is salting. Since Windows 2000 does not seem to
understand Kerberos 4 salted hashes you might need to turn off anything
similar to the following if you have it, at least while adding the
principals that are going to share keys with Windows 2000.
Here are the version-specific needed information:
- Windows 2000: maximum encoding is DES
- Windows 2003: maximum encoding is DES
- Windows 2003RC2: maximum encoding is RC4, relationship defaults to DES
- Windows 2008: maximum encoding is AES, relationship defaults to RC4
For Windows 2003RC2, to change the relationship encoding, you have to use the
@command{ktpass}, from the Windows 2003 Resource kit *service pack2*, available
from Microsoft web site.
@example
[kadmin]
default_keys = v5 v4
C:> ktpass /MITRealmName DOMAINE.UNIX /TrustEncryp RC4
@end example
So remove v4 from default keys.
What you probably want to use is this:
For Windows 2008, the same operation can be done with the @command{ksetup}, installed by default.
@example
[kadmin]
default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
C:> ksetup /SetEncTypeAttre DOMAINE.UNIX AES256-SHA1
@end example
@c XXX check this
@c It is definitely not supported in base 2003. I haven't been able to
@c get SP1 installed here, but it is supposed to work in that.
Once that is also done, you can add the required inter-realm keys:
Once the relationship is correctly configured, you can add the required
inter-realm keys, using heimdal default encodings:
@example
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
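Review bot: the concrete salting advice is lost in this hunk: the old text showed "[kadmin] default_keys = v5 v4", said to remove v4, and gave "default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt" as the setting to use, while the new text only says "nor any Kerberos 4 salted hashes, as Windows does not seem to understand them"; keep the [kadmin] example, since it is the only place the reader is told how to get the salt right. The new paragraph also needs grammar fixes: "But take cares to the encodings and salting" should be "But take care with the encryption types and salting", and "the relationship will not works" should be "will not work"; throughout, "encoding" means a Kerberos encryption type (enctype), and using that word lets the reader connect the prose to del_enctype and the default_keys names. The version list is written with plain "- " dashes, which Texinfo prints literally; use @itemize @bullet with @item. "Windows 2003RC2" should be "Windows Server 2003 R2" (Release 2, not a release candidate), and "*service pack2*" is Markdown emphasis, not Texinfo; write @emph{Service Pack 2}. In "ksetup /SetEncTypeAttre DOMAINE.UNIX AES256-SHA1" the option is /SetEncTypeAttr, the enctype keyword ksetup documents is AES256-CTS-HMAC-SHA1-96, and the realm should be EXAMPLE.COM to match the netdom and kadmin examples on either side of it (same for the ktpass line). "using heimdal default encodings" should read "using Heimdal's default encryption types". Finally, the "@c XXX check this" comments are deleted but the replacement table of maximum enctypes and defaults per version is stated without saying where it was observed; add that, since the rest of the chapter hedges such claims.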
@@ -162,11 +158,20 @@ kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
Use the same passwords for both keys.
And if needed, to remove unsupported encryptions, such as the following ones for a Windows 2003RC2 server.
@example
kadmin del_enctype krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM aes256-cts-hmac-sha1-96
kadmin del_enctype krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM des3-cbc-sha1
kadmin del_enctype krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM aes256-cts-hmac-sha1-96
kadmin del_enctype krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM des3-cbc-sha1
@end example
Do not forget to reboot before trying the new realm-trust (after
running @command{ksetup}). It looks like it might work, but packets are
never sent to the non-Windows KDC.
@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability
@comment node-name, next, precious, up
@section Create account mappings
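Review bot: the new del_enctype lines operate on krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM and krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM, but the principal created by the preceding "kadmin add" is krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM; the names must match the pair actually added, otherwise the reader is deleting enctypes from principals that do not exist. "And if needed, to remove unsupported encryptions, such as the following ones for a Windows 2003RC2 server." is a sentence fragment; something like "If needed, remove the encryption types the Windows side does not support; for a Windows Server 2003 R2 domain controller that is:" reads correctly. Since the version list above says Windows 2000 and 2003 top out at DES, say explicitly that for those versions arcfour-hmac-md5 has to be removed as well, not only aes256-cts-hmac-sha1-96 and des3-cbc-sha1. The up field in "@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability" has the same "compatability" mismatch against the renamed chapter node as the other hunks.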
@@ -255,7 +260,7 @@ You should also add the following entries to the @file{krb5.conf} file:
These configuration options will make sure that no checksums of the
unsupported types are generated.
@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows compatability
@comment node-name, next, previous, up
@section Useful links when reading about the Windows 2000
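Review bot: the up field in "@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows compatability" must spell the chapter node exactly as the new "@node Windows compatibility" line does, or the node graph will not build; this is the fourth @node line in the patch with the mismatch. The node name, the previous pointer and the @section title here keep "Windows 2000" while the chapter is now about "Windows compatibility"; either rename them together with the matching menu entry, or leave all of them as they are, but do not mix the two.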