more update compat stuff and some more text about inter-realm. lots
of the next text based on text from Love <lha@stacken.kth.se> git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8830 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Assar Westerlund
191
doc/win2k.texi
191
doc/win2k.texi
@@ -7,7 +7,9 @@ Kerberos 5. Their implementation, however, has some quirks,
|
||||
peculiarities, and bugs. This chapter is a short summary of the things
|
||||
that we have found out while trying to test Heimdal against Windows
|
||||
2000. Another big problem with the Kerberos implementation in Windows
|
||||
2000 is the almost complete lack of documentation.
|
||||
2000 is that the available documentation is more focused on getting
|
||||
things to work rather than how they work and not that useful in figuring
|
||||
out how things really work.
|
||||
|
||||
This information should apply to Heimdal @value{VERSION} and Windows
|
||||
2000 Professional. It's of course subject all the time and mostly consists of
|
||||
@@ -15,11 +17,15 @@ our not so inspired guesses. Hopefully it's still somewhat useful.
|
||||
|
||||
@menu
|
||||
* Configuring Windows 2000 to use a Heimdal KDC::
|
||||
* Interrealm trust between Windows 2000 and a Heimdal KDC::
|
||||
* Create account mappings::
|
||||
* Encryption types::
|
||||
* Authorization data::
|
||||
* Quirks of Windows 2000 KDC::
|
||||
* Useful links when reading about the Windows 2000::
|
||||
@end menu
|
||||
|
||||
@node Configuring Windows 2000 to use a Heimdal KDC, Encryption types, Windows 2000 compatability, Windows 2000 compatability
|
||||
@node Configuring Windows 2000 to use a Heimdal KDC, Interrealm trust between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
|
||||
@comment node-name, next, precious, up
|
||||
@section Configuring Windows 2000 to use a Heimdal KDC
|
||||
|
||||
@@ -28,6 +34,9 @@ in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
|
||||
CD-ROM. This program is used to configure the Kerberos settings on a
|
||||
Workstation.
|
||||
|
||||
@code{Ksetup} store the domain information under the registry key:
|
||||
@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
|
||||
|
||||
Use the kadmin program in Heimdal to create a host principal in the
|
||||
Kerberos realm.
|
||||
|
||||
@@ -68,30 +77,110 @@ C:> ksetup /mapuser * *
|
||||
@end example
|
||||
The Windows machine will now map any user to the corresponding principal,
|
||||
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
|
||||
(This most likely what you want.)
|
||||
(This is most likely what you want.)
|
||||
|
||||
More information about the Windows 2000 Kerberos implementation can be found
|
||||
at @url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
|
||||
@node Interrealm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
|
||||
@comment node-name, next, precious, up
|
||||
@section Interrealm keys (trust) between Windows 2000 and a Heimdal KDC
|
||||
|
||||
@node Encryption types, Authorization data, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
|
||||
See also the Step-by-Step guide from Microsoft, referenced below.
|
||||
|
||||
Install Windows 2000, and create a new controller (Active Directory
|
||||
Server) for the domain.
|
||||
|
||||
By default the trust will be non-transitive. This means that only users
|
||||
directly from the trusted domain may authenticate. This can be changed
|
||||
to transitive by using the @code{netdom.exe} tool.
|
||||
|
||||
You need to tell Windows 2000 on what hosts to find the KDCs for the
|
||||
non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000
|
||||
to use a Heimdal KDC}.
|
||||
|
||||
This need to be done on all computers that want enable cross-realm
|
||||
login with @code{Mapped Names}.
|
||||
|
||||
Then you need to add the inter-realm keys on the Windows kdc. Start the
|
||||
Domain Tree Management tool. (Found in Programs, Administrative tools,
|
||||
Active Directory Domains and Trusts).
|
||||
|
||||
Right click on Properties of your domain, select the Trust tab. Press
|
||||
Add on the appropriate trust windows and enter domain name and
|
||||
password. When prompted if this is a non-Windows Kerberos realm, press
|
||||
OK.
|
||||
|
||||
Do not forget to add trusts in both directions.
|
||||
|
||||
You also need to add the inter-realm keys to the Heimdal kdc. There are
|
||||
some tweaks that you need to do to @file{krb5.conf} beforehand.
|
||||
Since Windows 2000 does not seem to understand Kerberos 4 salted hashes you
|
||||
might need to turn off anything similar to the following if you have it:
|
||||
|
||||
@example
|
||||
[kadmin]use_v4_salt=yes
|
||||
@end example
|
||||
|
||||
You must also set:
|
||||
|
||||
@example
|
||||
[libdefaults]
|
||||
default_etypes = des-cbc-crc
|
||||
default_etypes_des = des-cbc-crc
|
||||
@end example
|
||||
|
||||
since Windows 2000 KDC have trouble understanding des-cbc-md5
|
||||
(@xref{Quirks of Windows 2000 KDC}.).
|
||||
|
||||
@comment XXX Should add [kadmin]default_keys = des3:pw-salt des:pw-salt des:pw-salt: ?
|
||||
|
||||
Once that is also done, you can add the required inter-realm keys:
|
||||
|
||||
@example
|
||||
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
|
||||
kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
|
||||
@end example
|
||||
|
||||
Use the same passwords for both keys.
|
||||
|
||||
Do not forget to reboot before trying the new realm-trust (after running
|
||||
@code{ksetup}). It looks like it might work, but packets are never sent to the
|
||||
non-Windows KDC.
|
||||
|
||||
@node Create account mappings, Encryption types, Interrealm trust between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
|
||||
@comment node-name, next, precious, up
|
||||
@section Create account mappings
|
||||
|
||||
Start the @code{Active Directory Users and Computers} tool. Select the
|
||||
View menu, that is in the left corner just below the real menu (or press
|
||||
Alt-V), and select Advanced Features. Right click on the user that you
|
||||
are going to do a name mapping for and choose Name mapping.
|
||||
|
||||
Click on the Kerberos Names tab and add the new principal in the non-Windows domain.
|
||||
|
||||
@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
|
||||
@comment node-name, next, previous, up
|
||||
@section Encryption types
|
||||
|
||||
Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
|
||||
des-cbc-md5) and its own proprietary encryption that is based on MD4 and
|
||||
rc4 and which is supposed to be described in
|
||||
draft-brezak-win2k-krb-rc4-hmac-01.txt. New users will get both MD4 and
|
||||
DES keys. Users that are converted from a NT4 database, will only have
|
||||
MD4 passwords and will need a password change to get a DES key.
|
||||
rc4 that is documented in and is supposed to be described in
|
||||
@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}. New users will get both
|
||||
MD4 and DES keys. Users that are converted from a NT4 database, will
|
||||
only have MD4 passwords and will need a password change to get a DES
|
||||
key.
|
||||
|
||||
@node Authorization data, , Encryption types, Windows 2000 compatability
|
||||
Heimdal implements both of these encryption types, but since DES is the
|
||||
standard and the hmac-code is somewhat newer, it is likely to work better.
|
||||
|
||||
@node Authorization data, Quirks of Windows 2000 KDC , Encryption types, Windows 2000 compatability
|
||||
@comment node-name, next, previous, up
|
||||
@section Authorization data
|
||||
|
||||
The Windows 2000 KDC also adds extra authorization data in tickets.
|
||||
It is at this point unclear what triggers it to do this. The format of
|
||||
this data is unknown and according to Microsoft, subject to change. A
|
||||
simple way of getting hold of the data to be able to understand it
|
||||
this data is only available under a ``secret'' license from Microsoft,
|
||||
which prohibits you implementing it.
|
||||
|
||||
A simple way of getting hold of the data to be able to understand it
|
||||
better is described here.
|
||||
|
||||
@enumerate
|
||||
@@ -110,3 +199,79 @@ the file.
|
||||
analyzing the data.
|
||||
@end enumerate
|
||||
|
||||
@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
|
||||
@comment node-name, next, previous, up
|
||||
@section Quirks of Windows 2000 KDC
|
||||
|
||||
There are some issues with salts and Windows 2000. Using an empty salt,
|
||||
which is the only one that Kerberos 4 supported and is therefore known
|
||||
as a Kerberos 4 compatible salt does not work, as far as we can tell
|
||||
from out experiments and users reports. Therefore, you have to make
|
||||
sure you keep around keys with all the different types of salts that are
|
||||
required.
|
||||
|
||||
Microsoft seems also to have forgotten to implement the checksum
|
||||
algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
|
||||
mapping @xref{Create account mappings} fail if a @code{des-cbc-md5} key
|
||||
is used. To make the KDC return only @code{des-cbc-crc} you must delete
|
||||
the @code{des-cbc-md5} key from the kdc using the @code{kadmin
|
||||
del_enctype} command.
|
||||
|
||||
@example
|
||||
kadmin del_enctype lha des-cbc-md5
|
||||
@end example
|
||||
|
||||
You should also add the following entries to the @file{krb5.conf} file:
|
||||
|
||||
@example
|
||||
[libdefaults]
|
||||
default_etypes = des-cbc-crc
|
||||
default_etypes_des = des-cbc-crc
|
||||
@end example
|
||||
|
||||
These configuration options will make sure that no checksums of the
|
||||
unsupported types are generated.
|
||||
|
||||
@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
|
||||
@comment node-name, next, previous, up
|
||||
@section Useful links when reading about the Windows 2000
|
||||
|
||||
There are lots of text about Kerberos on Microsoft's web site, here is a
|
||||
short list of the interesting documents that we have managed to find.
|
||||
|
||||
@itemize @bullet
|
||||
|
||||
@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
|
||||
@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
|
||||
Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a
|
||||
non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
|
||||
adding cross-realm trust (@xref{Interrealm trust between Windows 2000
|
||||
and a Heimdal KDC}.).
|
||||
|
||||
@item Windows 2000 Kerberos Authentication -
|
||||
@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
|
||||
White paper that describes how Kerberos is used in Windows 2000.
|
||||
|
||||
@item Overview of kerberos -
|
||||
@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
|
||||
Links to useful other links.
|
||||
|
||||
@item Klist for windows -
|
||||
@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
|
||||
Describes where to get a klist for Windows 2000.
|
||||
|
||||
@item Event logging for kerberos -
|
||||
@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
|
||||
Basicly it say that you can add a registry key
|
||||
@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
|
||||
with value DWORD equal to 1, and then you'll get logging in the Event
|
||||
Logger.
|
||||
|
||||
@end itemize
|
||||
|
||||
Other useful programs include these:
|
||||
|
||||
@itemize @bullet
|
||||
@item pwdump2
|
||||
@url{http://www.webspan.net/~tas/pwdump2/}
|
||||
@end itemize
|
||||
|
||||
Reference in New Issue
Block a user