Patch from Guillaume Rousse to update the Windows situation
@@ -1,26 +1,23 @@
|
|||||||
@c $Id$
|
@c $Id$
|
||||||
|
|
||||||
@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
|
@node Windows compatibility, Programming with Kerberos, Kerberos 4 issues, Top
|
||||||
@comment node-name, next, previous, up
|
@comment node-name, next, previous, up
|
||||||
@chapter Windows 2000 compatability
|
@chapter Windows compatibility
|
||||||
|
|
||||||
Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
|
Microsoft Windows, starting from version 2000 (formerly known as Windows NT 5), implements Kerberos 5. Their implementation, however, has some quirks,
|
||||||
Kerberos 5. Their implementation, however, has some quirks,
|
peculiarities, and bugs. This chapter is a short summary of the compatibility
|
||||||
peculiarities, and bugs. This chapter is a short summary of the things
|
issues between Heimdal and various Windows versions.
|
||||||
that we have found out while trying to test Heimdal against Windows
|
|
||||||
2000. Another big problem with the Kerberos implementation in Windows
|
The big problem with the Kerberos implementation in Windows
|
||||||
2000 is that the available documentation is more focused on getting
|
is that the available documentation is more focused on getting
|
||||||
things to work rather than how they work, and not that useful in figuring
|
things to work rather than how they work, and not that useful in figuring
|
||||||
out how things really work.
|
out how things really work. It's of course subject to change all the time and
|
||||||
|
|
||||||
This information should apply to Heimdal @value{VERSION} and Windows
|
|
||||||
2000 Professional. It's of course subject to change all the time and
|
|
||||||
mostly consists of our not so inspired guesses. Hopefully it's still
|
mostly consists of our not so inspired guesses. Hopefully it's still
|
||||||
somewhat useful.
|
somewhat useful.
|
||||||
|
|
||||||
@menu
|
@menu
|
||||||
* Configuring Windows 2000 to use a Heimdal KDC::
|
* Configuring Windows to use a Heimdal KDC::
|
||||||
* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
|
* Inter-Realm keys (trust) between Windows and a Heimdal KDC::
|
||||||
* Create account mappings::
|
* Create account mappings::
|
||||||
* Encryption types::
|
* Encryption types::
|
||||||
* Authorisation data::
|
* Authorisation data::
|
||||||
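Review bot: the chapter node is renamed to `@node Windows compatibility, Programming with Kerberos, Kerberos 4 issues, Top` (correct spelling), but every later `@node` line in this patch still points its previous/up fields at `Windows compatability`; makeinfo will stop on the undefined node, so use one spelling for the node and all references to it. Two smaller points in the same hunk: with the "This information should apply to Heimdal @value{VERSION} and Windows 2000 Professional" sentence deleted, "It's of course subject to change all the time and mostly consists of our not so inspired guesses" now reads as a statement about Microsoft's documentation rather than about this chapter, so give "It" its subject back (for example "This chapter is of course subject to change..."); and the menu keeps `* Useful links when reading about the Windows 2000::` while the other entries drop "2000", which matches the unchanged node later in the file but not the new "various Windows versions" wording above it.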
@@ -28,14 +25,11 @@ somewhat useful.
|
|||||||
* Useful links when reading about the Windows 2000::
|
* Useful links when reading about the Windows 2000::
|
||||||
@end menu
|
@end menu
|
||||||
|
|
||||||
@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
|
@node Configuring Windows to use a Heimdal KDC, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability, Windows compatability
|
||||||
@comment node-name, next, precious, up
|
@comment node-name, next, precious, up
|
||||||
@section Configuring Windows 2000 to use a Heimdal KDC
|
@section Configuring Windows to use a Heimdal KDC
|
||||||
|
|
||||||
You need the command line program called @command{ksetup.exe} which is available
|
You need the command line program called @command{ksetup.exe}. This program comes with the Windows Support Tools, available from either the installation CD-ROM (@file{SUPPORT/TOOLS/SUPPORT.CAB}), or from Microsoft web site. Starting from Windows 2008, it is already installed. This program is used to configure the Kerberos settings on a Workstation.
|
||||||
in the file @file{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
|
|
||||||
CD-ROM. This program is used to configure the Kerberos settings on a
|
|
||||||
Workstation.
|
|
||||||
|
|
||||||
@command{Ksetup} store the domain information under the registry key:
|
@command{Ksetup} store the domain information under the registry key:
|
||||||
@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
|
@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
|
||||||
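Review bot: the new `@node Configuring Windows to use a Heimdal KDC, ..., Windows compatability, Windows compatability` spells the previous/up node differently from the chapter's own `@node Windows compatibility`, so this cross-reference is broken. In the ksetup paragraph, "Starting from Windows 2008, it is already installed" should name the product precisely (Windows Server 2008), since that is where ksetup.exe ships with the OS rather than with the Support Tools; and while this line is being rewritten, the untouched `@comment node-name, next, precious, up` ("precious" for "previous") and "@command{Ksetup} store the domain information" ("stores") could be fixed as well.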
@@ -88,13 +82,13 @@ The Windows machine will now map any user to the corresponding principal,
|
|||||||
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
|
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
|
||||||
(This is most likely what you want.)
|
(This is most likely what you want.)
|
||||||
|
|
||||||
@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
|
@node Inter-Realm keys (trust) between Windows and a Heimdal KDC, Create account mappings, Configuring Windows to use a Heimdal KDC, Windows compatability
|
||||||
@comment node-name, next, precious, up
|
@comment node-name, next, precious, up
|
||||||
@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
|
@section Inter-Realm keys (trust) between Windows and a Heimdal KDC
|
||||||
|
|
||||||
See also the Step-by-Step guide from Microsoft, referenced below.
|
See also the Step-by-Step guide from Microsoft, referenced below.
|
||||||
|
|
||||||
Install Windows 2000, and create a new controller (Active Directory
|
Install Windows, and create a new controller (Active Directory
|
||||||
Server) for the domain.
|
Server) for the domain.
|
||||||
|
|
||||||
By default the trust will be non-transitive. This means that only users
|
By default the trust will be non-transitive. This means that only users
|
||||||
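Review bot: same undefined-node problem here: `@node Inter-Realm keys (trust) between Windows and a Heimdal KDC, Create account mappings, Configuring Windows to use a Heimdal KDC, Windows compatability` uses "compatability" for the up node while the chapter node was renamed "Windows compatibility". Also "create a new controller (Active Directory Server) for the domain" would be clearer as "promote the machine to a domain controller (Active Directory)", which is the term the Microsoft guide referenced below uses.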
@@ -102,8 +96,8 @@ directly from the trusted domain may authenticate. This can be changed
|
|||||||
to transitive by using the @command{netdom.exe} tool. @command{netdom.exe}
|
to transitive by using the @command{netdom.exe} tool. @command{netdom.exe}
|
||||||
can also be used to add the trust between two realms.
|
can also be used to add the trust between two realms.
|
||||||
|
|
||||||
You need to tell Windows 2000 on what hosts to find the KDCs for the
|
You need to tell Windows on what hosts to find the KDCs for the
|
||||||
non-Windows realm with @command{ksetup}, see @xref{Configuring Windows 2000
|
non-Windows realm with @command{ksetup}, see @xref{Configuring Windows
|
||||||
to use a Heimdal KDC}.
|
to use a Heimdal KDC}.
|
||||||
|
|
||||||
This needs to be done on all computers that want enable cross-realm
|
This needs to be done on all computers that want enable cross-realm
|
||||||
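Review bot: "see @xref{Configuring Windows to use a Heimdal KDC}" renders as "see See Configuring Windows ...", because @xref emits its own "See"; use `@ref{}` or `@pxref{}` here (the @xref argument spanning two source lines is fine in Texinfo). The unchanged context line "all computers that want enable cross-realm" is also missing a "to".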
@@ -127,33 +121,35 @@ Management tool, you do it like this:
|
|||||||
netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword
|
netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
You also need to add the inter-realm keys to the Heimdal KDC. Make sure
|
You also need to add the inter-realm keys to the Heimdal KDC. But take
|
||||||
you have matching encryption types (DES, Arcfour and AES in case of Longhorn)
|
cares to the encodings and salting used for those keys. There should be
|
||||||
|
no encoding stronger than the one configured on Windows side for this
|
||||||
|
relationship, itself limited to the ones supported by this specific version of
|
||||||
|
Windows, nor any Kerberos 4 salted hashes, as Windows does not seem to
|
||||||
|
understand them. Otherwise, the relationship will not works.
|
||||||
|
|
||||||
Another issue is salting. Since Windows 2000 does not seem to
|
Here are the version-specific needed information:
|
||||||
understand Kerberos 4 salted hashes you might need to turn off anything
|
- Windows 2000: maximum encoding is DES
|
||||||
similar to the following if you have it, at least while adding the
|
- Windows 2003: maximum encoding is DES
|
||||||
principals that are going to share keys with Windows 2000.
|
- Windows 2003RC2: maximum encoding is RC4, relationship defaults to DES
|
||||||
|
- Windows 2008: maximum encoding is AES, relationship defaults to RC4
|
||||||
|
|
||||||
|
For Windows 2003RC2, to change the relationship encoding, you have to use the
|
||||||
|
@command{ktpass}, from the Windows 2003 Resource kit *service pack2*, available
|
||||||
|
from Microsoft web site.
|
||||||
|
|
||||||
@example
|
@example
|
||||||
[kadmin]
|
C:> ktpass /MITRealmName DOMAINE.UNIX /TrustEncryp RC4
|
||||||
default_keys = v5 v4
|
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
So remove v4 from default keys.
|
For Windows 2008, the same operation can be done with the @command{ksetup}, installed by default.
|
||||||
|
|
||||||
What you probably want to use is this:
|
|
||||||
|
|
||||||
@example
|
@example
|
||||||
[kadmin]
|
C:> ksetup /SetEncTypeAttre DOMAINE.UNIX AES256-SHA1
|
||||||
default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
|
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@c XXX check this
|
Once the relationship is correctly configured, you can add the required
|
||||||
@c It is definitely not supported in base 2003. I haven't been able to
|
inter-realm keys, using heimdal default encodings:
|
||||||
@c get SP1 installed here, but it is supposed to work in that.
|
|
||||||
|
|
||||||
Once that is also done, you can add the required inter-realm keys:
|
|
||||||
|
|
||||||
@example
|
@example
|
||||||
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
|
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
|
||||||
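Review bot: the new paragraph uses "encoding" where Kerberos and the rest of this chapter say "encryption type" (enctype), and has grammar errors ("take cares to", "will not works"); please reword it to say that the inter-realm keys must only carry enctypes the Windows side of the trust supports and must not include Kerberos 4 salted keys. The version list (`- Windows 2000: maximum encoding is DES` ...) is plain text with dashes, which makeinfo will run together into one paragraph; it should be an `@itemize @bullet` / `@item` list, and the versions should be named as Microsoft does ("Windows Server 2003 R2", "Windows Server 2008"). In the ksetup example, `/SetEncTypeAttre` looks like a typo for ksetup's `/SetEncTypeAttr` switch, and the enctype argument should be checked against the names ksetup accepts (AES256-CTS-HMAC-SHA1-96 is the canonical one). The example realm `DOMAINE.UNIX` in the ktpass and ksetup lines does not match the `EXAMPLE.COM` / `NT.REALM.EXAMPLE.COM` realms used everywhere else in this section. Finally, deleting the `[kadmin] default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt` example removes the only concrete instruction for avoiding v4-salted keys, which the new prose still says are required to be absent; keep a configuration example, and since this text now steers administrators toward DES and RC4 keys, add a sentence that these are weak and should be used only for the legacy Windows versions that cannot do better.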
@@ -162,11 +158,20 @@ kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
|
|||||||
|
|
||||||
Use the same passwords for both keys.
|
Use the same passwords for both keys.
|
||||||
|
|
||||||
|
And if needed, to remove unsupported encryptions, such as the following ones for a Windows 2003RC2 server.
|
||||||
|
|
||||||
|
@example
|
||||||
|
kadmin del_enctype krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM aes256-cts-hmac-sha1-96
|
||||||
|
kadmin del_enctype krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM des3-cbc-sha1
|
||||||
|
kadmin del_enctype krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM aes256-cts-hmac-sha1-96
|
||||||
|
kadmin del_enctype krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM des3-cbc-sha1
|
||||||
|
@end example
|
||||||
|
|
||||||
Do not forget to reboot before trying the new realm-trust (after
|
Do not forget to reboot before trying the new realm-trust (after
|
||||||
running @command{ksetup}). It looks like it might work, but packets are
|
running @command{ksetup}). It looks like it might work, but packets are
|
||||||
never sent to the non-Windows KDC.
|
never sent to the non-Windows KDC.
|
||||||
|
|
||||||
@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
|
@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability
|
||||||
@comment node-name, next, precious, up
|
@comment node-name, next, precious, up
|
||||||
@section Create account mappings
|
@section Create account mappings
|
||||||
|
|
||||||
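Review bot: "And if needed, to remove unsupported encryptions, such as the following ones for a Windows 2003RC2 server." is a sentence fragment; write it as "If the Windows side does not support some of the key types Heimdal generated, remove them, for example for a Windows Server 2003 R2 domain controller:". The principal names in the `del_enctype` lines (`krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM`, `krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM`) do not match the principals added just above (`krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM` and `krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM`); an administrator copying these commands would delete enctypes from principals that do not exist. Also, the list of enctypes to delete should follow from the version table in the previous hunk: for a trust limited to RC4, every enctype stronger than RC4 that the KDC's `default_keys` setting generates has to go, not only aes256 and des3. The `@node Create account mappings, ..., Windows compatability` line has the same misspelled up-node reference as the other nodes.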
@@ -255,7 +260,7 @@ You should also add the following entries to the @file{krb5.conf} file:
|
|||||||
These configuration options will make sure that no checksums of the
|
These configuration options will make sure that no checksums of the
|
||||||
unsupported types are generated.
|
unsupported types are generated.
|
||||||
|
|
||||||
@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
|
@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows compatability
|
||||||
@comment node-name, next, previous, up
|
@comment node-name, next, previous, up
|
||||||
@section Useful links when reading about the Windows 2000
|
@section Useful links when reading about the Windows 2000
|
||||||
|
|
||||||
|
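Review bot: `@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows compatability` again references the up node as "compatability" while the chapter node was renamed "Windows compatibility", so this one also breaks the build. Since the chapter was generalised to all Windows versions, the node and `@section` title "Useful links when reading about the Windows 2000" should be renamed in the same patch (together with its menu entry) rather than left as the only "2000"-specific heading.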