@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
@comment node-name, next, previous, up
@section Configuring Windows 2000 to use a Heimdal KDC
You need the command line program called @code{ksetup.exe}, which is available
in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
CD-ROM. This program is used to configure the Kerberos settings on a
workstation.
@code{Ksetup} stores the domain information under the registry key:
Use the kadmin program in Heimdal to create a host principal in the
Kerberos realm.
@example
unix% kadmin
kadmin> ank -pw password host/datan.my.domain
@end example
You must configure the workstation as a member of a workgroup, as opposed
to a member of an NT domain, and specify the KDC server of the realm
as follows:
@example
C:> ksetup /setdomain MY.REALM
C:> ksetup /addkdc MY.REALM kdc.my.domain
@end example
Set the machine password, i.e. create the local keytab:
@example
C:> ksetup /setmachpassword password
@end example
The workstation must now be rebooted.
A mapping between local NT users and Kerberos principals must be specified;
you have two choices:
@example
C:> ksetup /mapuser user@@MY.REALM nt_user
@end example
This will map a user to a specific principal, which allows you to have
other usernames in the realm than in your NT user database. (Don't ask
me why on earth you would want that...)
You can also say:
@example
C:> ksetup /mapuser * *
@end example
The Windows machine will now map any user to the corresponding principal,
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
(This is most likely what you want.)
@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
@comment node-name, next, previous, up
@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
See also the Step-by-Step guide from Microsoft, referenced below.
Install Windows 2000, and create a new controller (Active Directory
Server) for the domain.
By default the trust will be non-transitive. This means that only users
directly from the trusted domain may authenticate. This can be changed
to transitive by using the @code{netdom.exe} tool.
You need to tell Windows 2000 on which hosts to find the KDCs for the
non-Windows realm with @code{ksetup} (@pxref{Configuring Windows 2000
to use a Heimdal KDC}).
This needs to be done on all computers that should be able to use
cross-realm login with @code{Mapped Names}.
Then you need to add the inter-realm keys on the Windows KDC. Start the
Domain Tree Management tool. (Found in Programs, Administrative tools,
Active Directory Domains and Trusts).
Right-click on your domain, select Properties, and then select the Trust
tab. Press Add in the appropriate trust window and enter the domain name
and password. When prompted whether this is a non-Windows Kerberos realm,
press OK.
Do not forget to add trusts in both directions.
You also need to add the inter-realm keys to the Heimdal KDC. There are
some tweaks that you need to do to @file{krb5.conf} beforehand.
@example
[libdefaults]
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
@end example
since otherwise checksum types that are not understood by Windows 2000
will be generated (@pxref{Quirks of Windows 2000 KDC}). Note that
@code{des-cbc-crc} is a single-DES encryption type with a 56-bit key, so
keep this setting only as long as the principals shared with Windows
2000 require it.
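The following is an added example, not part of the Heimdal documentation or
its code. It parses the @file{krb5.conf} syntax used above (bracketed
sections, @code{key = value} lines and @code{name = @{ ... @}} blocks) and
reports whether @code{[libdefaults]} pins @code{default_etypes} and
@code{default_etypes_des} to @code{des-cbc-crc} as the text requires, while
also flagging that single DES is then in use. The sample configuration is
constructed here; the realm @code{MY.REALM} and host @code{kdc.my.domain}
are taken from the @code{ksetup} example earlier in this section.

```python
"""Check a Heimdal-style krb5.conf for the Windows 2000 interop settings.

Added example; not code from the Heimdal project.  Parses the krb5.conf
syntax (sections, ``key = value`` lines, ``name = { ... }`` blocks) and
reports on the [libdefaults] encryption-type settings.
"""
import re

# Constructed sample configuration (realm and KDC host are assumptions
# matching the ksetup example in the text).
SAMPLE_CONF = """\
[libdefaults]
\tdefault_realm = MY.REALM
\tdefault_etypes = des-cbc-crc
\tdefault_etypes_des = des-cbc-crc

[realms]
\tMY.REALM = {
\t\tkdc = kdc.my.domain
\t\tadmin_server = kdc.my.domain
\t}
"""


def _store(d, key, value):
    """Store a value; repeated keys (e.g. several ``kdc =``) become lists."""
    if key in d:
        if not isinstance(d[key], list):
            d[key] = [d[key]]
        d[key].append(value)
    else:
        d[key] = value


def parse_krb5_conf(text):
    """Parse krb5.conf text into nested dicts: {section: {key: value|dict}}."""
    root = {}
    stack = []  # innermost dict last; stack[0] is the current section
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = re.match(r'^\[([^\]]+)\]$', line)
        if m:
            if len(stack) > 1:
                raise ValueError('unterminated block before %r' % raw)
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError('key outside of any section: %r' % raw)
        if line == '}':
            if len(stack) < 2:
                raise ValueError('unbalanced closing brace')
            stack.pop()
            continue
        m = re.match(r'^([^=]+?)\s*=\s*(.*)$', line)
        if not m:
            raise ValueError('unparsable line: %r' % raw)
        key, value = m.group(1), m.group(2)
        if value == '{':                      # open a nested block
            block = {}
            _store(stack[-1], key, block)
            stack.append(block)
        else:
            _store(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError('unterminated block at end of file')
    return root


def _etype_list(value):
    """Normalise a scalar, list, or missing etype setting to a list of names."""
    if value is None or isinstance(value, dict):
        return []
    values = value if isinstance(value, list) else [value]
    return [e for v in values for e in str(v).split()]


def check_win2k_etypes(conf):
    """Report whether [libdefaults] matches the Windows 2000 recipe."""
    lib = conf.get('libdefaults', {})
    findings = {k: _etype_list(lib.get(k))
                for k in ('default_etypes', 'default_etypes_des')}
    findings['win2k_compatible'] = (
        findings['default_etypes'] == ['des-cbc-crc']
        and findings['default_etypes_des'] == ['des-cbc-crc'])
    # Single DES is what the recipe requires; flag it so it is not forgotten.
    findings['uses_single_des'] = any(
        e.startswith('des-') and not e.startswith('des3-')
        for k in ('default_etypes', 'default_etypes_des')
        for e in findings[k])
    return findings


def realm_kdcs(conf, realm):
    """KDC hosts listed for a realm; these are what ksetup /addkdc needs."""
    block = conf.get('realms', {}).get(realm, {})
    kdc = block.get('kdc', []) if isinstance(block, dict) else []
    return kdc if isinstance(kdc, list) else [kdc]


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_CONF)
    print(check_win2k_etypes(conf))
    print('KDCs for MY.REALM:', realm_kdcs(conf, 'MY.REALM'))
```

Run it against your own @file{krb5.conf} by reading the file instead of
@code{SAMPLE_CONF}; a @code{win2k_compatible} of @code{False} means the
Windows side will receive checksum or encryption types it cannot handle,
and @code{uses_single_des} of @code{True} is the reminder to remove the
setting once the cross-realm principals no longer need it.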
Another issue is salting. Since Windows 2000 does not seem to
understand Kerberos 4 salted hashes, you might need to turn off anything
similar to the following if you have it, at least while adding the
principals that are going to share keys with Windows 2000.