[33012] in Kerberos
Re: some cross-realm trust questions
daemon@ATHENA.MIT.EDU (Mark Pröhl)
Sat Jan 1 10:21:41 2011
Message-ID: <4D1F4676.2030504@mproehl.net>
Date: Sat, 01 Jan 2011 16:21:26 +0100
From: Mark Pröhl <mark@mproehl.net>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <ifd57l$12k4$1@relay.tomsk.ru>
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 12/28/2010 06:02 PM, Victor Sudakov wrote:
> Russ Allbery wrote:
>
> [dd]
>
>>> But it still escapes me how on earth I will end up with
>>> krbtgt/UNIX.REALM@WINDOWS.REALM and krbtgt/WINDOWS.REALM@UNIX.REALM
>>> having the same key. There is nothing in the above articles about
>>> exporting and importing keytabs.
>> You use a password. Enter the same password on both sides when creating
>> the key, and then be sure to remove any extraneous enctypes on the Heimdal
>> side that AD isn't configured to provide.
> Do you mean to say that the key derivation algorithm is the same in
> Heimdal and in MS AD? The same password will yield the same key
> anywhere, in any Kerberos implementation?
>
> And BTW how do I figure out what enctypes AD is configured to provide?
> Is there anything like "kadmin get" for AD?
>
In Windows 2008 R2 the encryption types of inter-realm keys can
be configured with ksetup.exe. Cross-realm trusts to Kerberos
realms use RC4 inter-realm keys by default. To change this to AES256,
you can use the following command on a domain controller:
ksetup.exe /SetEncTypeAttr MIT.REALM AES256-CTS-HMAC-SHA1-96
("MIT.REALM" is the name of the MIT Kerberos realm)
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
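Added example, not part of the thread above: a small Python helper that answers Victor's "how do I figure out what enctypes AD is configured to provide" and Russ's "remove any extraneous enctypes" in one place. It decodes the msDS-SupportedEncryptionTypes bitmask that ksetup.exe /SetEncTypeAttr writes on the trusted-domain object (bit values from MS-KILE: 0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256), parses the "Key: vno N, <enctype>" lines of a kadmin getprinc listing for the inter-realm principal, and reports which key types the two sides share, which keys on the MIT/Heimdal side AD will never use, and which AD expects but the KDC lacks. The getprinc text and the bitmask value are constructed sample input; the fallback to RC4 for a mask with none of those bits set follows Mark's statement that realm trusts use RC4 by default, and is an assumption about how an unset attribute is treated.

```python
import re

# Bits of msDS-SupportedEncryptionTypes, the attribute on the trusted-domain
# object that "ksetup.exe /SetEncTypeAttr <realm> <types...>" writes.
AD_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# ksetup's spelling of the same enctypes (its /SetEncTypeAttr arguments).
KSETUP_NAMES = {
    "des-cbc-crc": "DES-CBC-CRC",
    "des-cbc-md5": "DES-CBC-MD5",
    "rc4-hmac": "RC4-HMAC-MD5",
    "aes128-cts-hmac-sha1-96": "AES128-CTS-HMAC-SHA1-96",
    "aes256-cts-hmac-sha1-96": "AES256-CTS-HMAC-SHA1-96",
}

# MIT prints "arcfour-hmac", Heimdal "arcfour-hmac-md5"; fold aliases together
# so the comparison does not report a shared enctype as missing.
ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "rc4-hmac-md5": "rc4-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
}


def canonical(name):
    name = name.lower()
    return ALIASES.get(name, name)


def ad_trust_enctypes(mask):
    """Enctypes AD will use for the trust, decoded from the bitmask.

    Assumption (per the message above): if none of the known bits is set,
    the trust behaves as if unconfigured and AD uses RC4.
    """
    found = {name for bit, name in AD_ENCTYPE_BITS.items() if mask & bit}
    return found or {"rc4-hmac"}


KEY_LINE = re.compile(r"^\s*Key:\s+vno\s+\d+,\s*([A-Za-z0-9-]+)")


def kdc_key_enctypes(getprinc_output):
    """Enctypes of the keys the KDC holds for a principal, taken from the
    'Key: vno 1, <enctype>' lines of a kadmin getprinc listing."""
    found = set()
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            found.add(canonical(m.group(1)))
    return found


def check_trust_keys(ad_mask, getprinc_output):
    """Compare both sides of the trust for one inter-realm principal."""
    ad = ad_trust_enctypes(ad_mask)
    kdc = kdc_key_enctypes(getprinc_output)
    return {
        "usable": sorted(ad & kdc),      # key types both KDCs will agree on
        "extraneous": sorted(kdc - ad),  # keys on the MIT/Heimdal side AD never uses
        "missing": sorted(ad - kdc),     # AD expects these, the KDC has no such key
    }


def ksetup_command(realm, enctypes):
    """The ksetup line that makes AD use exactly these types for the trust."""
    names = [KSETUP_NAMES[canonical(e)] for e in enctypes]
    return "ksetup.exe /SetEncTypeAttr %s %s" % (realm, " ".join(names))


# Constructed sample: getprinc output for the inter-realm principal on the
# MIT KDC, created with a password but with the KDC's default enctype list.
SAMPLE_GETPRINC = """\
Principal: krbtgt/WINDOWS.REALM@UNIX.REALM
Number of keys: 3
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, arcfour-hmac
Key: vno 1, des-cbc-crc
"""

if __name__ == "__main__":
    # Constructed sample: AD side set to AES256 only (mask 0x10).
    print(check_trust_keys(0x10, SAMPLE_GETPRINC))
    print(ksetup_command("MIT.REALM", ["aes256-cts-hmac-sha1-96"]))
```

The "extraneous" list is the set Russ tells Victor to remove: every key type the KDC holds beyond what AD is configured for is one a cross-realm TGS exchange can pick and then fail on. Read the bitmask off the trusted-domain object with an LDAP query or check it with ksetup.exe /GetEncTypeAttr <realm> on the domain controller, and feed the kadmin getprinc output for both krbtgt/UNIX.REALM@WINDOWS.REALM and krbtgt/WINDOWS.REALM@UNIX.REALM through the check.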