summaryrefslogtreecommitdiff
path: root/crypto/heimdal/doc/win2k.texi
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/doc/win2k.texi')
-rw-r--r--crypto/heimdal/doc/win2k.texi288
1 files changed, 0 insertions, 288 deletions
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi
deleted file mode 100644
index 2db4da1e627c9..0000000000000
--- a/crypto/heimdal/doc/win2k.texi
+++ /dev/null
@@ -1,288 +0,0 @@
-@c $Id: win2k.texi,v 1.15 2001/07/19 16:44:41 assar Exp $
-
-@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
-@comment node-name, next, previous, up
-@chapter Windows 2000 compatability
-
-Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
-Kerberos 5. Their implementation, however, has some quirks,
-peculiarities, and bugs. This chapter is a short summary of the things
-that we have found out while trying to test Heimdal against Windows
-2000. Another big problem with the Kerberos implementation in Windows
-2000 is that the available documentation is more focused on getting
-things to work rather than how they work and not that useful in figuring
-out how things really work.
-
-This information should apply to Heimdal @value{VERSION} and Windows
-2000 Professional. It's of course subject all the time and mostly consists of
-our not so inspired guesses. Hopefully it's still somewhat useful.
-
-@menu
-* Configuring Windows 2000 to use a Heimdal KDC::
-* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
-* Create account mappings::
-* Encryption types::
-* Authorization data::
-* Quirks of Windows 2000 KDC::
-* Useful links when reading about the Windows 2000::
-@end menu
-
-@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
-@comment node-name, next, precious, up
-@section Configuring Windows 2000 to use a Heimdal KDC
-
-You need the command line program called @code{ksetup.exe} which is available
-in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
-CD-ROM. This program is used to configure the Kerberos settings on a
-Workstation.
-
-@code{Ksetup} store the domain information under the registry key:
-@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
-
-Use the kadmin program in Heimdal to create a host principal in the
-Kerberos realm.
-
-@example
-unix% kadmin
-kadmin> ank -pw password host/datan.my.domain
-@end example
-
-You must configure the Workstation as a member of a workgroup, as opposed
-to a member in an NT domain, and specify the KDC server of the realm
-as follows:
-@example
-C:> ksetup /setdomain MY.REALM
-C:> ksetup /addkdc MY.REALM kdc.my.domain
-@end example
-
-Set the machine password, i.e. create the local keytab:
-@example
-C:> ksetup /setmachpassword password
-@end example
-
-The workstation must now be rebooted.
-
-A mapping between local NT users and Kerberos principals must be specified,
-you have two choices:
-
-@example
-C:> ksetup /mapuser user@@MY.REALM nt_user
-@end example
-
-This will map a user to a specific principal, this allows you to have
-other usernames in the realm than in your NT user database. (Don't ask
-me why on earth you would want that...)
-
-You can also say:
-@example
-C:> ksetup /mapuser * *
-@end example
-The Windows machine will now map any user to the corresponding principal,
-for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
-(This is most likely what you want.)
-
-@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
-@comment node-name, next, precious, up
-@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
-
-See also the Step-by-Step guide from Microsoft, referenced below.
-
-Install Windows 2000, and create a new controller (Active Directory
-Server) for the domain.
-
-By default the trust will be non-transitive. This means that only users
-directly from the trusted domain may authenticate. This can be changed
-to transitive by using the @code{netdom.exe} tool.
-
-You need to tell Windows 2000 on what hosts to find the KDCs for the
-non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000
-to use a Heimdal KDC}.
-
-This need to be done on all computers that want enable cross-realm
-login with @code{Mapped Names}.
-
-Then you need to add the inter-realm keys on the Windows kdc. Start the
-Domain Tree Management tool. (Found in Programs, Administrative tools,
-Active Directory Domains and Trusts).
-
-Right click on Properties of your domain, select the Trust tab. Press
-Add on the appropriate trust windows and enter domain name and
-password. When prompted if this is a non-Windows Kerberos realm, press
-OK.
-
-Do not forget to add trusts in both directions.
-
-You also need to add the inter-realm keys to the Heimdal KDC. There are
-some tweaks that you need to do to @file{krb5.conf} beforehand.
-
-@example
-[libdefaults]
- default_etypes = des-cbc-crc
- default_etypes_des = des-cbc-crc
-@end example
-
-since otherwise checksum types that are not understood by Windows 2000
-will be generated (@xref{Quirks of Windows 2000 KDC}.).
-
-Another issue is salting. Since Windows 2000 does not seem to
-understand Kerberos 4 salted hashes you might need to turn off anything
-similar to the following if you have it, at least while adding the
-principals that are going to share keys with Windows 2000.
-
-@example
- [kadmin]default_keys = v5 v4
-@end example
-
-You must also set:
-
-Once that is also done, you can add the required inter-realm keys:
-
-@example
-kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
-kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
-@end example
-
-Use the same passwords for both keys.
-
-Do not forget to reboot before trying the new realm-trust (after running
-@code{ksetup}). It looks like it might work, but packets are never sent to the
-non-Windows KDC.
-
-@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
-@comment node-name, next, precious, up
-@section Create account mappings
-
-Start the @code{Active Directory Users and Computers} tool. Select the
-View menu, that is in the left corner just below the real menu (or press
-Alt-V), and select Advanced Features. Right click on the user that you
-are going to do a name mapping for and choose Name mapping.
-
-Click on the Kerberos Names tab and add a new principal from the
-non-Windows domain.
-
-@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
-@comment node-name, next, previous, up
-@section Encryption types
-
-Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
-des-cbc-md5) and its own proprietary encryption that is based on MD4 and
-rc4 that is documented in and is supposed to be described in
-@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}. New users will get both
-MD4 and DES keys. Users that are converted from a NT4 database, will
-only have MD4 passwords and will need a password change to get a DES
-key.
-
-Heimdal implements both of these encryption types, but since DES is the
-standard and the hmac-code is somewhat newer, it is likely to work better.
-
-@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
-@comment node-name, next, previous, up
-@section Authorization data
-
-The Windows 2000 KDC also adds extra authorization data in tickets.
-It is at this point unclear what triggers it to do this. The format of
-this data is only available under a ``secret'' license from Microsoft,
-which prohibits you implementing it.
-
-A simple way of getting hold of the data to be able to understand it
-better is described here.
-
-@enumerate
-@item Find the client example on using the SSPI in the SDK documentation.
-@item Change ``AuthSamp'' in the source code to lowercase.
-@item Build the program.
-@item Add the ``authsamp'' principal with a known password to the
-database. Make sure it has a DES key.
-@item Run @kbd{ktutil add} to add the key for that principal to a
-keytab.
-@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
---dump-auth=file} where file is an appropriate file.
-@item It should authenticate and dump for you the authorization data in
-the file.
-@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
-analyzing the data.
-@end enumerate
-
-@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
-@comment node-name, next, previous, up
-@section Quirks of Windows 2000 KDC
-
-There are some issues with salts and Windows 2000. Using an empty salt,
-which is the only one that Kerberos 4 supported and is therefore known
-as a Kerberos 4 compatible salt does not work, as far as we can tell
-from out experiments and users reports. Therefore, you have to make
-sure you keep around keys with all the different types of salts that are
-required.
-
-Microsoft seems also to have forgotten to implement the checksum
-algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
-mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key
-is used. To make the KDC return only @code{des-cbc-crc} you must delete
-the @code{des-cbc-md5} key from the kdc using the @code{kadmin
-del_enctype} command.
-
-@example
-kadmin del_enctype lha des-cbc-md5
-@end example
-
-You should also add the following entries to the @file{krb5.conf} file:
-
-@example
-[libdefaults]
- default_etypes = des-cbc-crc
- default_etypes_des = des-cbc-crc
-@end example
-
-These configuration options will make sure that no checksums of the
-unsupported types are generated.
-
-@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
-@comment node-name, next, previous, up
-@section Useful links when reading about the Windows 2000
-
-See also our paper presented at the 2001 usenix Annual Technical
-Conference, available in the proceedings or at
-@url{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}.
-
-There are lots of text about Kerberos on Microsoft's web site, here is a
-short list of the interesting documents that we have managed to find.
-
-@itemize @bullet
-
-@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
-@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
-Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a
-non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
-adding cross-realm trust (@xref{Inter-Realm keys (trust) between Windows 2000
-and a Heimdal KDC}.).
-
-@item Windows 2000 Kerberos Authentication -
-@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
-White paper that describes how Kerberos is used in Windows 2000.
-
-@item Overview of kerberos -
-@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
-Links to useful other links.
-
-@item Klist for windows -
-@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
-Describes where to get a klist for Windows 2000.
-
-@item Event logging for kerberos -
-@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
-Basicly it say that you can add a registry key
-@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
-with value DWORD equal to 1, and then you'll get logging in the Event
-Logger.
-
-@item Access to the active directory through LDAP
-@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
-
-@end itemize
-
-Other useful programs include these:
-
-@itemize @bullet
-@item pwdump2
-@url{http://www.webspan.net/~tas/pwdump2/}
-@end itemize
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-02 23:36:21 +0000