it's enctypes not encodings
@@ -122,34 +122,36 @@ netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:Tru
|
|||||||
@end example
|
@end example
|
||||||
|
|
||||||
You also need to add the inter-realm keys to the Heimdal KDC. But take
|
You also need to add the inter-realm keys to the Heimdal KDC. But take
|
||||||
cares to the encodings and salting used for those keys. There should be
|
care to the encryption types and salting used for those keys. There should be
|
||||||
no encoding stronger than the one configured on Windows side for this
|
no encryption type stronger than the one configured on Windows side for this
|
||||||
relationship, itself limited to the ones supported by this specific version of
|
relationship, itself limited to the ones supported by this specific version of
|
||||||
Windows, nor any Kerberos 4 salted hashes, as Windows does not seem to
|
Windows, nor any Kerberos 4 salted hashes, as Windows does not seem to
|
||||||
understand them. Otherwise, the relationship will not works.
|
understand them. Otherwise, the trust will not works.
|
||||||
|
|
||||||
Here are the version-specific needed information:
|
Here are the version-specific needed information:
|
||||||
- Windows 2000: maximum encoding is DES
|
@enumerate
|
||||||
- Windows 2003: maximum encoding is DES
|
@item Windows 2000: maximum encryption type is DES
|
||||||
- Windows 2003RC2: maximum encoding is RC4, relationship defaults to DES
|
@item Windows 2003: maximum encryption type is DES
|
||||||
- Windows 2008: maximum encoding is AES, relationship defaults to RC4
|
@item Windows 2003RC2: maximum encryption type is RC4, relationship defaults to DES
|
||||||
|
@item Windows 2008: maximum encryption type is AES, relationship defaults to RC4
|
||||||
|
@end enumerate
|
||||||
|
|
||||||
For Windows 2003RC2, to change the relationship encoding, you have to use the
|
For Windows 2003RC2, to change the trust encryption type, you have to use the
|
||||||
@command{ktpass}, from the Windows 2003 Resource kit *service pack2*, available
|
@command{ktpass}, from the Windows 2003 Resource kit *service pack2*, available
|
||||||
from Microsoft web site.
|
from Microsoft web site.
|
||||||
|
|
||||||
@example
|
@example
|
||||||
C:> ktpass /MITRealmName DOMAINE.UNIX /TrustEncryp RC4
|
C:> ktpass /MITRealmName UNIX.EXAMPLE.COM /TrustEncryp RC4
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
For Windows 2008, the same operation can be done with the @command{ksetup}, installed by default.
|
For Windows 2008, the same operation can be done with the @command{ksetup}, installed by default.
|
||||||
|
|
||||||
@example
|
@example
|
||||||
C:> ksetup /SetEncTypeAttre DOMAINE.UNIX AES256-SHA1
|
C:> ksetup /SetEncTypeAttre EXAMPLE.COM AES256-SHA1
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
Once the relationship is correctly configured, you can add the required
|
Once the relationship is correctly configured, you can add the required
|
||||||
inter-realm keys, using heimdal default encodings:
|
inter-realm keys, using heimdal default encryption types:
|
||||||
|
|
||||||
@example
|
@example
|
||||||
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
|
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
|
||||||
|
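Review bot: The terminology cleanup is incomplete in the paragraph above the version list, in the list items, and in the sentence before the kadmin example: "relationship" became "trust" in "the trust will not works" and "to change the trust encryption type", but "configured on Windows side for this relationship", "relationship defaults to DES" / "relationship defaults to RC4" and "Once the relationship is correctly configured" still use the old word, and "will not works" keeps its grammar error. Suggest "trust" throughout and "will not work". The two Windows examples now name different realms ("ktpass /MITRealmName UNIX.EXAMPLE.COM" against "ksetup /SetEncTypeAttre EXAMPLE.COM"), while the kadmin line and the netdom line in the hunk header both use EXAMPLE.COM for the Heimdal realm, so the ktpass example should probably read EXAMPLE.COM too. "/SetEncTypeAttre" is carried over unchanged; the ksetup switch is /SetEncTypeAttr. The version list is not a sequence of steps, so @itemize would fit better than @enumerate. The closing sentence, "using heimdal default encryption types", also sits uneasily with the earlier warning that no key may be stronger than what the Windows side is configured for; consider saying that the enctypes of the krbtgt key must be restricted when the trust is limited to DES or RC4.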