[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Interoperating with Win2K

	From:  Assar Westerlund <assar@sics.se>
	Date:  24 Jul 2000 09:15:17 +0200

> I can't say progress is always very fast when trying to figure out how
> to make a w2k box do what you want it to...

Tell me about it :-)
> You need to make sure that you have added both of these principals to
> your KDC database with v5 salt, since the w2k has no way of knowing
> what particular salt you're using.  If you have `[kadmin]use_v4_salt'
> or something related to that in your configuration, that might cause
> you to loose.

Well the config is pretty much default. Here is the krb5.conf for "b"
("a" is the same except for the "default_realm"):

        default_realm = MCS.VUW.AC.NZ
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc
        MCS.VUW.AC.NZ = {
                kdc = test.mcs.vuw.ac.nz
        POC.VUW.AC.NZ = {
                kdc = pocdc01.poc.vuw.ac.nz
        .mcs.vuw.ac.nz = MCS.VUW.AC.NZ
        .poc.vuw.ac.nz = POC.VUW.AC.NZ

> (I got the impression from the MS document that it had to be the same
> password in both directions so that's what I tried, but it's not clear
> if it has to be.)

Well my reading was that they could be different but when setting them up
on the w2k end it wasn't clear which principle was being set up at any
point so we used the same password for both.
> > telneting from "a" to "b" gives this error:
> > 
> >   Kerberos V5: mk_req failed (Decrypt integrity check failed)
> I think this implies that you do not have identical keys between your
> Heimdal and your w2k KDC.

Its possible. I got a Microsoft bod to set up the cross-realm principles on
the w2k box and he made other typos when setting parts of this up.  Will
try resetting them tomorrow morning when I can get at the w2k box.

> > and do you really have to make that change to krb5.conf files for machines 
> > that aren't directly in a w2k managed realm?
> You would need the `default_etypes'-stuff for machines that are going
> to act as clients to a w2k KDC.  There should of course be some more
> automatic way of detecting and doing this, but I haven't stumpled on
> it yet...

Could this be defined as a per realm thing?  Or don't you know at the time
this stuff is set up what realm/kdc you are dealing with?