Windows 2003 SP1, cross-domain trust



I'm trying to set up a cross-domain trust from a W2K3 SP1 AD domain 
controller to a heimdal 0.7.2 KDC ("pass-thru authentication").

I can authenticate stand-alone workstations fine.  kerbtray shows all of 
the proper tickets showing up.

After setting up the trust on the DC, I get KDC_ERR_ETYPE_NOTSUPP on the 
DC when I try to authenticate with credentials from the heimdal realm.

I am in the same position as this thread (same configuration elements, trying 
to do the same thing), which did not seem to ever get resolved:

http://www.stacken.kth.se/lists/heimdal-discuss/2006-03/msg00050.html


I've read plenty of reports of people claiming to have working Win 2000 
cross-realm trust relationships (generally with MIT), but haven't found 
any that claim success with W2K3.

Can anybody confirm that they have a W2K3 SP1 domain controller that has 
an outgoing trust to a heimdal KDC, and that pass-thru authentication 
actually works?

If you do have a working trust, did you have to do anything not mentioned 
in the documentation on the Windows side?  Are you using rc4 or des 
keytypes?  What do your principals look like in the KDC?

Thanks.


-Chris