289 lines
11 KiB
Plaintext
289 lines
11 KiB
Plaintext
@c $Id: win2k.texi,v 1.15 2001/07/19 16:44:41 assar Exp $
|
|
|
|
@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
|
|
@comment node-name, next, previous, up
|
|
@chapter Windows 2000 compatability
|
|
|
|
Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
|
|
Kerberos 5. Their implementation, however, has some quirks,
|
|
peculiarities, and bugs. This chapter is a short summary of the things
|
|
that we have found out while trying to test Heimdal against Windows
|
|
2000. Another big problem with the Kerberos implementation in Windows
|
|
2000 is that the available documentation is more focused on getting
|
|
things to work rather than how they work and not that useful in figuring
|
|
out how things really work.
|
|
|
|
This information should apply to Heimdal @value{VERSION} and Windows
|
|
2000 Professional. It's of course subject all the time and mostly consists of
|
|
our not so inspired guesses. Hopefully it's still somewhat useful.
|
|
|
|
@menu
|
|
* Configuring Windows 2000 to use a Heimdal KDC::
|
|
* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
|
|
* Create account mappings::
|
|
* Encryption types::
|
|
* Authorization data::
|
|
* Quirks of Windows 2000 KDC::
|
|
* Useful links when reading about the Windows 2000::
|
|
@end menu
|
|
|
|
@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
|
|
@comment node-name, next, precious, up
|
|
@section Configuring Windows 2000 to use a Heimdal KDC
|
|
|
|
You need the command line program called @code{ksetup.exe} which is available
|
|
in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
|
|
CD-ROM. This program is used to configure the Kerberos settings on a
|
|
Workstation.
|
|
|
|
@code{Ksetup} store the domain information under the registry key:
|
|
@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
|
|
|
|
Use the kadmin program in Heimdal to create a host principal in the
|
|
Kerberos realm.
|
|
|
|
@example
|
|
unix% kadmin
|
|
kadmin> ank -pw password host/datan.my.domain
|
|
@end example
|
|
|
|
You must configure the Workstation as a member of a workgroup, as opposed
|
|
to a member in an NT domain, and specify the KDC server of the realm
|
|
as follows:
|
|
@example
|
|
C:> ksetup /setdomain MY.REALM
|
|
C:> ksetup /addkdc MY.REALM kdc.my.domain
|
|
@end example
|
|
|
|
Set the machine password, i.e. create the local keytab:
|
|
@example
|
|
C:> ksetup /setmachpassword password
|
|
@end example
|
|
|
|
The workstation must now be rebooted.
|
|
|
|
A mapping between local NT users and Kerberos principals must be specified,
|
|
you have two choices:
|
|
|
|
@example
|
|
C:> ksetup /mapuser user@@MY.REALM nt_user
|
|
@end example
|
|
|
|
This will map a user to a specific principal, this allows you to have
|
|
other usernames in the realm than in your NT user database. (Don't ask
|
|
me why on earth you would want that...)
|
|
|
|
You can also say:
|
|
@example
|
|
C:> ksetup /mapuser * *
|
|
@end example
|
|
The Windows machine will now map any user to the corresponding principal,
|
|
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
|
|
(This is most likely what you want.)
|
|
|
|
@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
|
|
@comment node-name, next, precious, up
|
|
@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
|
|
|
|
See also the Step-by-Step guide from Microsoft, referenced below.
|
|
|
|
Install Windows 2000, and create a new controller (Active Directory
|
|
Server) for the domain.
|
|
|
|
By default the trust will be non-transitive. This means that only users
|
|
directly from the trusted domain may authenticate. This can be changed
|
|
to transitive by using the @code{netdom.exe} tool.
|
|
|
|
You need to tell Windows 2000 on what hosts to find the KDCs for the
|
|
non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000
|
|
to use a Heimdal KDC}.
|
|
|
|
This need to be done on all computers that want enable cross-realm
|
|
login with @code{Mapped Names}.
|
|
|
|
Then you need to add the inter-realm keys on the Windows kdc. Start the
|
|
Domain Tree Management tool. (Found in Programs, Administrative tools,
|
|
Active Directory Domains and Trusts).
|
|
|
|
Right click on Properties of your domain, select the Trust tab. Press
|
|
Add on the appropriate trust windows and enter domain name and
|
|
password. When prompted if this is a non-Windows Kerberos realm, press
|
|
OK.
|
|
|
|
Do not forget to add trusts in both directions.
|
|
|
|
You also need to add the inter-realm keys to the Heimdal KDC. There are
|
|
some tweaks that you need to do to @file{krb5.conf} beforehand.
|
|
|
|
@example
|
|
[libdefaults]
|
|
default_etypes = des-cbc-crc
|
|
default_etypes_des = des-cbc-crc
|
|
@end example
|
|
|
|
since otherwise checksum types that are not understood by Windows 2000
|
|
will be generated (@xref{Quirks of Windows 2000 KDC}.).
|
|
|
|
Another issue is salting. Since Windows 2000 does not seem to
|
|
understand Kerberos 4 salted hashes you might need to turn off anything
|
|
similar to the following if you have it, at least while adding the
|
|
principals that are going to share keys with Windows 2000.
|
|
|
|
@example
|
|
[kadmin]default_keys = v5 v4
|
|
@end example
|
|
|
|
You must also set:
|
|
|
|
Once that is also done, you can add the required inter-realm keys:
|
|
|
|
@example
|
|
kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
|
|
kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
|
|
@end example
|
|
|
|
Use the same passwords for both keys.
|
|
|
|
Do not forget to reboot before trying the new realm-trust (after running
|
|
@code{ksetup}). It looks like it might work, but packets are never sent to the
|
|
non-Windows KDC.
|
|
|
|
@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
|
|
@comment node-name, next, precious, up
|
|
@section Create account mappings
|
|
|
|
Start the @code{Active Directory Users and Computers} tool. Select the
|
|
View menu, that is in the left corner just below the real menu (or press
|
|
Alt-V), and select Advanced Features. Right click on the user that you
|
|
are going to do a name mapping for and choose Name mapping.
|
|
|
|
Click on the Kerberos Names tab and add a new principal from the
|
|
non-Windows domain.
|
|
|
|
@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
|
|
@comment node-name, next, previous, up
|
|
@section Encryption types
|
|
|
|
Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
|
|
des-cbc-md5) and its own proprietary encryption that is based on MD4 and
|
|
rc4 that is documented in and is supposed to be described in
|
|
@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}. New users will get both
|
|
MD4 and DES keys. Users that are converted from a NT4 database, will
|
|
only have MD4 passwords and will need a password change to get a DES
|
|
key.
|
|
|
|
Heimdal implements both of these encryption types, but since DES is the
|
|
standard and the hmac-code is somewhat newer, it is likely to work better.
|
|
|
|
@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
|
|
@comment node-name, next, previous, up
|
|
@section Authorization data
|
|
|
|
The Windows 2000 KDC also adds extra authorization data in tickets.
|
|
It is at this point unclear what triggers it to do this. The format of
|
|
this data is only available under a ``secret'' license from Microsoft,
|
|
which prohibits you implementing it.
|
|
|
|
A simple way of getting hold of the data to be able to understand it
|
|
better is described here.
|
|
|
|
@enumerate
|
|
@item Find the client example on using the SSPI in the SDK documentation.
|
|
@item Change ``AuthSamp'' in the source code to lowercase.
|
|
@item Build the program.
|
|
@item Add the ``authsamp'' principal with a known password to the
|
|
database. Make sure it has a DES key.
|
|
@item Run @kbd{ktutil add} to add the key for that principal to a
|
|
keytab.
|
|
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
|
|
--dump-auth=file} where file is an appropriate file.
|
|
@item It should authenticate and dump for you the authorization data in
|
|
the file.
|
|
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
|
|
analyzing the data.
|
|
@end enumerate
|
|
|
|
@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
|
|
@comment node-name, next, previous, up
|
|
@section Quirks of Windows 2000 KDC
|
|
|
|
There are some issues with salts and Windows 2000. Using an empty salt,
|
|
which is the only one that Kerberos 4 supported and is therefore known
|
|
as a Kerberos 4 compatible salt does not work, as far as we can tell
|
|
from out experiments and users reports. Therefore, you have to make
|
|
sure you keep around keys with all the different types of salts that are
|
|
required.
|
|
|
|
Microsoft seems also to have forgotten to implement the checksum
|
|
algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
|
|
mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key
|
|
is used. To make the KDC return only @code{des-cbc-crc} you must delete
|
|
the @code{des-cbc-md5} key from the kdc using the @code{kadmin
|
|
del_enctype} command.
|
|
|
|
@example
|
|
kadmin del_enctype lha des-cbc-md5
|
|
@end example
|
|
|
|
You should also add the following entries to the @file{krb5.conf} file:
|
|
|
|
@example
|
|
[libdefaults]
|
|
default_etypes = des-cbc-crc
|
|
default_etypes_des = des-cbc-crc
|
|
@end example
|
|
|
|
These configuration options will make sure that no checksums of the
|
|
unsupported types are generated.
|
|
|
|
@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
|
|
@comment node-name, next, previous, up
|
|
@section Useful links when reading about the Windows 2000
|
|
|
|
See also our paper presented at the 2001 usenix Annual Technical
|
|
Conference, available in the proceedings or at
|
|
@url{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}.
|
|
|
|
There are lots of text about Kerberos on Microsoft's web site, here is a
|
|
short list of the interesting documents that we have managed to find.
|
|
|
|
@itemize @bullet
|
|
|
|
@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
|
|
@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
|
|
Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a
|
|
non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
|
|
adding cross-realm trust (@xref{Inter-Realm keys (trust) between Windows 2000
|
|
and a Heimdal KDC}.).
|
|
|
|
@item Windows 2000 Kerberos Authentication -
|
|
@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
|
|
White paper that describes how Kerberos is used in Windows 2000.
|
|
|
|
@item Overview of kerberos -
|
|
@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
|
|
Links to useful other links.
|
|
|
|
@item Klist for windows -
|
|
@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
|
|
Describes where to get a klist for Windows 2000.
|
|
|
|
@item Event logging for kerberos -
|
|
@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
|
|
Basicly it say that you can add a registry key
|
|
@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
|
|
with value DWORD equal to 1, and then you'll get logging in the Event
|
|
Logger.
|
|
|
|
@item Access to the active directory through LDAP
|
|
@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
|
|
|
|
@end itemize
|
|
|
|
Other useful programs include these:
|
|
|
|
@itemize @bullet
|
|
@item pwdump2
|
|
@url{http://www.webspan.net/~tas/pwdump2/}
|
|
@end itemize
|