[32998] in Kerberos
Re: some cross-realm trust questions
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Dec 28 14:35:47 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <ifd57l$12k4$1@relay.tomsk.ru> (Victor Sudakov's message of "Tue,
28 Dec 2010 17:02:45 +0000 (UTC)")
Date: Tue, 28 Dec 2010 11:35:41 -0800
Message-ID: <87d3olitbm.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> writes:
> Russ Allbery wrote:
>> You use a password. Enter the same password on both sides when creating
>> the key, and then be sure to remove any extraneous enctypes on the Heimdal
>> side that AD isn't configured to provide.
> Do you mean to say that the key derivation algorithm is the same in
> Heimdal and in MS AD? The same password will yield the same key
> anywhere, in any Kerberos implementation?
Of course. Otherwise, you couldn't authenticate with a password to a
Kerberos KDC provided by a different implementation.
> And BTW how do I figure out what enctypes AD is configured to provide?
> Is there anything like "kadmin get" for AD?
I don't know, personally, having not administered AD myself, but I know
that information is available from the AD admin interface. Current
Windows supports 256-bit AES, 128-bit AES, RC4, and DES (although DES I
think is disabled by default). Older Windows only supports RC4 and DES.
I don't believe any version of Windows has ever supported 3DES.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
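As an added example (not part of the original message or of Heimdal or Windows code), the block below implements the one string-to-key function both sides of such a trust share without any salt: the rc4-hmac (arcfour-hmac-md5) key from RFC 4757 is MD4 over the UTF-16LE password, so the same password produces the same key on Heimdal and on AD, which is the property Russ relies on. It also shows the "remove extraneous enctypes" step as a set intersection over two enctype lists. MD4 is written out because `hashlib`'s `md4` is missing on many current OpenSSL builds; the enctype lists, the principal name and the trust password are constructed for illustration, not dumped from a real KDC. Caveat for the AES enctypes: RFC 3962 string-to-key additionally mixes in a salt (by default the realm plus the principal's name components), so for those keys both sides must agree on the salt as well as the password.

```python
"""Added example: rc4-hmac string-to-key (RFC 4757) and cross-realm enctype trimming."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest, pure Python (illustration only; MD4 is broken as a hash)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # message length in bits, little-endian

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, X[k] index order, rotation amounts) per round
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles (48 steps, so back in place at the end)
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4(UTF-16LE(password)). No salt, so it is realm-independent."""
    return md4(password.encode("utf-16-le"))


# Constructed lists: what a Heimdal KDC might generate for the hypothetical
# krbtgt/AD.EXAMPLE.COM@HEIMDAL.EXAMPLE.COM principal, and what the AD side
# is configured to provide. Neither list comes from a real deployment.
HEIMDAL_DEFAULT_ENCTYPES = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
]
AD_CONFIGURED_ENCTYPES = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "arcfour-hmac-md5",
]


def trust_enctypes(local, remote):
    """Enctypes to keep on the local side: those the remote side also holds, in local preference order."""
    remote_set = set(remote)
    return [e for e in local if e in remote_set]


def extraneous_enctypes(local, remote):
    """Enctypes the local side generated that the remote side cannot match; these get deleted."""
    remote_set = set(remote)
    return [e for e in local if e not in remote_set]


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed trust password, typed identically on both KDCs
    heimdal_key = rc4_hmac_string_to_key(pw)  # what Heimdal stores for arcfour-hmac-md5
    ad_key = rc4_hmac_string_to_key(pw)       # what AD stores for the same password
    print("rc4-hmac keys identical:", heimdal_key == ad_key, heimdal_key.hex())
    print("keep:  ", trust_enctypes(HEIMDAL_DEFAULT_ENCTYPES, AD_CONFIGURED_ENCTYPES))
    print("remove:", extraneous_enctypes(HEIMDAL_DEFAULT_ENCTYPES, AD_CONFIGURED_ENCTYPES))
```

The `rc4_hmac_string_to_key("password")` value is the familiar NT hash, which is exactly why the RC4 key needs no coordination beyond the password itself; for the AES keys the same exercise would require PBKDF2 over the agreed salt before the two sides compare.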