Re: AD Cross Realm Trust Integration

I assume you're using a Heimdal Kerberos realm as your primary
authentication source and you've a one-way trust (Windows Domain trusts
your Heimdal realm).

You're right, Windows only supports DES and RC4 keying material. For the
above mentioned setup you only need to restrict the keytypes to the
cross-realm-trust-principal krbtgt/WINDOWSDOMAIN.TDL@HEIMDALREAL.TDL
(where WINDOWSDOMAIN.TDL is your Windows realm, and HEIMDALREAL.TDL your
Heimdal realm), which you add to your Heimdal database.

If you're using Windows 2000 or Windows 2003 Server w/o SP1, then you
*must* delete all keytypes different from DES (i.e., 3DES, RC4(!!), AES) of
this principal. These releases of Windows require that only single DES
type keys are present (otherwise you'll run into trouble, especially with
Samba). If you're using Windows 2003 w/SP1, I recommend deleting all
keytypes different from RC4 and using RC4 for the cross-realm-trust
principal (this requires you to install the new Support Tools of SP1).

For all the other principals, you can safely delete the DES and/or 3DES
keys, but you must keep at least one key with a keytype that the Microsoft
KDC supports (thus either DES or RC4; RC4 recommended). If you're primarily
using AES, Heimdal Kerberos will then use these keys and Windows the RC4
ones. That's all you need to do!


Thomas Schweizer
University of Bern
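
As an added example (not part of Thomas's post), here is a POSIX shell helper that plans the Heimdal `kadmin del_enctype` call for the cross-realm krbtgt principal: it keeps only the key types the trusting Windows version can use and refuses to strip the last key the Microsoft KDC could use. The Heimdal enctype spellings and the `kadmin -l del_enctype` invocation are assumptions about your Heimdal version; check them against `kadmin -l get <principal>` before running anything.

```shell
#!/bin/sh
# Added example, not from the original post. Plans which enctypes to strip
# from the cross-realm principal with Heimdal's "del_enctype" kadmin command.
# Enctype names are assumptions about your Heimdal version's spelling.

# Key types the Microsoft KDC can use, per the advice in the post.
DES_TYPES="des-cbc-crc des-cbc-md5"
RC4_TYPES="arcfour-hmac-md5"

# keep_types_for win2000|win2003|win2003sp1: key types to keep on the
# cross-realm principal for that Windows release (single DES, or RC4 w/SP1).
keep_types_for() {
    case "$1" in
        win2000|win2003) printf '%s\n' "$DES_TYPES" ;;
        win2003sp1)      printf '%s\n' "$RC4_TYPES" ;;
        *) echo "unknown windows version: $1" >&2; return 1 ;;
    esac
}

# plan_del_enctype KEEP CURRENT: print the enctypes in CURRENT that are not
# in KEEP (space-separated lists). Fails if no Windows-usable key would remain.
plan_del_enctype() {
    keep=$1; current=$2; delete=""; remaining=0
    for et in $current; do
        case " $keep " in
            *" $et "*) remaining=$((remaining + 1)) ;;
            *) delete="$delete${delete:+ }$et" ;;
        esac
    done
    if [ "$remaining" -eq 0 ]; then
        echo "refusing: principal would keep no key Windows can use" >&2
        return 1
    fi
    printf '%s\n' "$delete"
}

# Compose the kadmin invocation; it is printed, not executed, for review.
kadmin_del_cmd() {
    principal=$1; shift
    printf 'kadmin -l del_enctype %s %s\n' "$principal" "$*"
}

# Constructed sample: key types a fresh Heimdal database would give the
# cross-realm principal. Run with "demo" as the first argument.
if [ "${1-}" = "demo" ]; then
    P='krbtgt/WINDOWSDOMAIN.TDL@HEIMDALREAL.TDL'
    CUR="aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-md5 des-cbc-crc"
    del=$(plan_del_enctype "$(keep_types_for win2003sp1)" "$CUR") && kadmin_del_cmd "$P" $del
fi
```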