From 205fb5e608e4b4bd97afa2fb6b3561e03568eee9 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Mon, 12 Oct 2009 07:27:47 -0700 Subject: [PATCH] Patch from Guillaume Rousse to update the Windows situation --- doc/win2k.texi | 97 ++++++++++++++++++++++++++++++---------------------------- 1 file changed, 51 insertions(+), 46 deletions(-) diff --git a/doc/win2k.texi b/doc/win2k.texi index 6175a3c61..03bc9bd67 100644 --- a/doc/win2k.texi +++ b/doc/win2k.texi 
@@ -1,26 +1,23 @@ @c $Id$ -@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top +@node Windows compatibility, Programming with Kerberos, Kerberos 4 issues, Top @comment node-name, next, previous, up -@chapter Windows 2000 compatability - -Windows 2000 (formerly known as Windows NT 5) from Microsoft implements -Kerberos 5. Their implementation, however, has some quirks, -peculiarities, and bugs. This chapter is a short summary of the things -that we have found out while trying to test Heimdal against Windows -2000. Another big problem with the Kerberos implementation in Windows -2000 is that the available documentation is more focused on getting -things to work rather than how they work, and not that useful in figuring -out how things really work. +@chapter Windows compatibility + +Microsoft Windows, starting from version 2000 (formerly known as Windows NT 5), implements Kerberos 5. Their implementation, however, has some quirks, +peculiarities, and bugs. This chapter is a short summary of the compatibility +issues between Heimdal and various Windows versions. -This information should apply to Heimdal @value{VERSION} and Windows -2000 Professional. It's of course subject to change all the time and +The big problem with the Kerberos implementation in Windows +is that the available documentation is more focused on getting +things to work rather than how they work, and not that useful in figuring +out how things really work. It's of course subject to change all the time and mostly consists of our not so inspired guesses. Hopefully it's still somewhat useful. @menu -* Configuring Windows 2000 to use a Heimdal KDC:: -* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC:: +* Configuring Windows to use a Heimdal KDC:: +* Inter-Realm keys (trust) between Windows and a Heimdal KDC:: * Create account mappings:: * Encryption types:: * Authorisation data:: 
@@ -28,14 +25,11 @@ somewhat useful. * Useful links when reading about the Windows 2000:: @end menu -@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability +@node Configuring Windows to use a Heimdal KDC, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability, Windows compatability @comment node-name, next, precious, up -@section Configuring Windows 2000 to use a Heimdal KDC +@section Configuring Windows to use a Heimdal KDC -You need the command line program called @command{ksetup.exe} which is available -in the file @file{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional -CD-ROM. This program is used to configure the Kerberos settings on a -Workstation. +You need the command line program called @command{ksetup.exe}. This program comes with the Windows Support Tools, available from either the installation CD-ROM (@file{SUPPORT/TOOLS/SUPPORT.CAB}), or from Microsoft web site. Starting from Windows 2008, it is already installed. This program is used to configure the Kerberos settings on a Workstation. @command{Ksetup} store the domain information under the registry key: @code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}. 
@@ -88,13 +82,13 @@ The Windows machine will now map any user to the corresponding principal, for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}. (This is most likely what you want.) -@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability +@node Inter-Realm keys (trust) between Windows and a Heimdal KDC, Create account mappings, Configuring Windows to use a Heimdal KDC, Windows compatability @comment node-name, next, precious, up -@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC +@section Inter-Realm keys (trust) between Windows and a Heimdal KDC See also the Step-by-Step guide from Microsoft, referenced below. -Install Windows 2000, and create a new controller (Active Directory +Install Windows, and create a new controller (Active Directory Server) for the domain. By default the trust will be non-transitive. This means that only users @@ -102,8 +96,8 @@ directly from the trusted domain may authenticate. This can be changed to transitive by using the @command{netdom.exe} tool. @command{netdom.exe} can also be used to add the trust between two realms. -You need to tell Windows 2000 on what hosts to find the KDCs for the -non-Windows realm with @command{ksetup}, see @xref{Configuring Windows 2000 +You need to tell Windows on what hosts to find the KDCs for the +non-Windows realm with @command{ksetup}, see @xref{Configuring Windows to use a Heimdal KDC}. This needs to be done on all computers that want enable cross-realm 
@@ -127,33 +121,35 @@ Management tool, you do it like this: netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword @end example -You also need to add the inter-realm keys to the Heimdal KDC. Make sure -you have matching encryption types (DES, Arcfour and AES in case of Longhorn) +You also need to add the inter-realm keys to the Heimdal KDC. But take +cares to the encodings and salting used for those keys. There should be +no encoding stronger than the one configured on Windows side for this +relationship, itself limited to the ones supported by this specific version of +Windows, nor any Kerberos 4 salted hashes, as Windows does not seem to +understand them. Otherwise, the relationship will not works. -Another issue is salting. Since Windows 2000 does not seem to -understand Kerberos 4 salted hashes you might need to turn off anything -similar to the following if you have it, at least while adding the -principals that are going to share keys with Windows 2000. +Here are the version-specific needed information: +- Windows 2000: maximum encoding is DES +- Windows 2003: maximum encoding is DES +- Windows 2003RC2: maximum encoding is RC4, relationship defaults to DES +- Windows 2008: maximum encoding is AES, relationship defaults to RC4 + +For Windows 2003RC2, to change the relationship encoding, you have to use the +@command{ktpass}, from the Windows 2003 Resource kit *service pack2*, available +from Microsoft web site. @example -[kadmin] - default_keys = v5 v4 +C:> ktpass /MITRealmName DOMAINE.UNIX /TrustEncryp RC4 @end example -So remove v4 from default keys. - -What you probably want to use is this: +For Windows 2008, the same operation can be done with the @command{ksetup}, installed by default. @example -[kadmin] - default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt +C:> ksetup /SetEncTypeAttre DOMAINE.UNIX AES256-SHA1 @end example -@c XXX check this -@c It is definitely not supported in base 2003. 
I haven't been able to -@c get SP1 installed here, but it is supposed to work in that. - -Once that is also done, you can add the required inter-realm keys: +Once the relationship is correctly configured, you can add the required +inter-realm keys, using heimdal default encodings: @example kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM @@ -162,11 +158,20 @@ kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM Use the same passwords for both keys. +And if needed, to remove unsupported encryptions, such as the following ones for a Windows 2003RC2 server. + +@example +kadmin del_enctype krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM aes256-cts-hmac-sha1-96 +kadmin del_enctype krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM des3-cbc-sha1 +kadmin del_enctype krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM aes256-cts-hmac-sha1-96 +kadmin del_enctype krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM des3-cbc-sha1 +@end example + Do not forget to reboot before trying the new realm-trust (after running @command{ksetup}). It looks like it might work, but packets are never sent to the non-Windows KDC. -@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability +@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows and a Heimdal KDC, Windows compatability @comment node-name, next, precious, up @section Create account mappings @@ -255,7 +260,7 @@ You should also add the following entries to the @file{krb5.conf} file: These configuration options will make sure that no checksums of the unsupported types are generated. -@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability +@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows compatability @comment node-name, next, previous, up @section Useful links when reading about the Windows 2000 -- 2.11.4.GIT
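Review bot: in hunk @@ -1,26 +1,23 @@ the chapter node is renamed to "Windows compatibility" (spelling corrected), but every other @node line touched by this patch still spells the prev/up node "Windows compatability" (the old misspelling). Texinfo matches node names byte for byte, so makeinfo will report those prev/up references as undefined and the Info navigation for this chapter breaks. Use the corrected "Windows compatibility" in all @node lines of doc/win2k.texi in the same patch. The menu entry "Useful links when reading about the Windows 2000::" is left as is, which is consistent with that node not being renamed, but it now reads oddly under a chapter titled "Windows compatibility".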
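Review bot: in hunk @@ -28,14 +25,11 @@ the new @node line gives prev and up as "Windows compatability", which no longer matches the renamed chapter node, so this section drops out of the chapter's navigation. Prose on the same lines: "@command{Ksetup} store" should be "stores", "from Microsoft web site" should be "from the Microsoft web site", and "Starting from Windows 2008" should name the product precisely (the server edition is what the rest of this section installs a KDC trust on). The replacement paragraph is also one unbroken line; the rest of this file is wrapped at about 72 columns, so please rewrap it to match.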
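Review bot: in hunk @@ -88,13 +82,13 @@ the @node line again uses the misspelled up node "Windows compatability" and must match the chapter node from the first hunk. "Install Windows, and create a new controller (Active Directory Server) for the domain" lost the version but not the meaning; since only a server edition can be promoted to a domain controller, "Install a Windows server and promote it to a domain controller (Active Directory) for the domain" says what the reader actually has to do.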
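Review bot: in hunk @@ -102,8 +96,8 @@ the changed line keeps "see @xref{Configuring Windows to use a Heimdal KDC}". @xref expands to a capitalised "See ...", so this renders as "see See Configuring Windows ...". Since the line is being rewritten anyway, change it to "see @ref{Configuring Windows to use a Heimdal KDC}" (or @pxref inside parentheses).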
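Review bot: in hunk @@ -127,33 +121,35 @@ the removed [kadmin] default_keys examples were the only actionable instruction for the salting problem; the new paragraph still states that Windows will not accept Kerberos 4 salted keys, but no longer tells the reader which Heimdal setting produces them, and the closing sentence then says to add the keys "using heimdal default encodings", which contradicts the first paragraph whenever the defaults include a type stronger than the trust's setting. Keep a default_keys example that restricts Heimdal to the types and :pw-salt salting the Windows side accepts, or say explicitly that del_enctype is the way to trim the defaults afterwards. Terminology: "encoding" should be "encryption type" throughout (it is the Kerberos term and this chapter already has an "Encryption types" section). Grammar: "take cares to" should be "take care with", and "will not works" should be "will not work". Product name: "Windows 2003RC2" should be "Windows Server 2003 R2" (R2 is the second release, RC2 would be a release candidate). Markup: "*service pack2*" is not Texinfo emphasis, use @emph{Service Pack 2}; and the four "- Windows ..." lines will not render as a list, put them in an @itemize @bullet block with @item. In the ksetup example, "/SetEncTypeAttre" looks like a typo for ksetup's /SetEncTypeAttr switch (please verify against "ksetup /?" on a 2008 host), and both examples use the realm DOMAINE.UNIX while the rest of the chapter uses EXAMPLE.COM and NT.REALM.EXAMPLE.COM; use the same realm names so the examples chain together.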
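Review bot: in hunk @@ -162,11 +158,20 @@ the del_enctype examples name krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM and krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM, but the add commands in the surrounding context create krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM and krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM. The second del_enctype target does not exist, so the AES and 3DES keys stay on the principal the Windows side actually uses and the trust keeps failing when one of those types is negotiated. Use exactly the principal names from the add commands (and, while here, make the add lines consistent too: they mix NT.REALM.EXAMPLE.COM and NT.EXAMPLE.COM). The introducing sentence is a fragment; suggest "If needed, remove the encryption types the Windows side does not support. For a Windows Server 2003 R2 domain controller that means:". The fixed list of types to delete also assumes a particular Heimdal default key set; tell the reader to check what was actually generated with "kadmin get" on the krbtgt principals and delete whatever exceeds the trust's configured type.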
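Review bot: in hunk @@ -255,7 +260,7 @@ the up node is again "Windows compatability" and must be changed to the renamed chapter node "Windows compatibility", otherwise makeinfo flags this @node as well. The node name and the prev node "Quirks of Windows 2000 KDC" are unchanged, which matches the untouched menu, so no further change is needed here beyond the spelling.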