You need the command line program called ksetup.exe. This program comes with the Windows Support Tools, available from either the installation CD-ROM (SUPPORT/TOOLS/SUPPORT.CAB) or the Microsoft web site. Starting from Windows 2008, it is already installed. This program is used to configure the Kerberos settings on a workstation.
Ksetup stores the domain information under the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains
Use the kadmin program in Heimdal to create a host principal in the Kerberos realm.
unix% kadmin
kadmin> ank --password=password host/datan.example.com
The name ‘datan.example.com’ should be replaced with the DNS name of the workstation.
You must configure the workstation as a member of a workgroup, as opposed to a member in an NT domain, and specify the KDC server of the realm as follows:
C:> ksetup /setdomain EXAMPLE.COM
C:> ksetup /addkdc EXAMPLE.COM kdc.example.com
Set the machine password, i.e. create the local keytab:
C:> ksetup /SetComputerPassword password
The password used in ksetup /SetComputerPassword must be the same as the password used in the kadmin ank command.
The workstation must now be rebooted.
A mapping between local NT users and Kerberos principals must be specified. You have two choices. First:
C:> ksetup /mapuser user@MY.REALM nt_user
This will map a user to a specific principal; this allows you to have other usernames in the realm than in your NT user database. (Don’t ask me why on earth you would want that...)
You can also say:
C:> ksetup /mapuser * *
The Windows machine will now map any user to the corresponding principal, for example ‘nisse’ to the principal ‘nisse@MY.REALM’. (This is most likely what you want.)
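To confirm after the reboot that the workstation really points at the intended realm and KDC, the registry key named above can be read back. The following PowerShell check is an added example, not part of the Heimdal documentation; it uses the realm and KDC names from this page as defaults and assumes only that ksetup stores the KDC host name as a string or multi-string value under a subkey named after the realm.

```powershell
# Added example: read back what ksetup stored under the Domains key.
# Assumption: the KDC name is a string or multi-string value in the realm subkey.
param(
    [string]$Realm = 'EXAMPLE.COM',      # realm used on this page
    [string]$Kdc   = 'kdc.example.com'   # KDC used on this page
)

$base = 'HKLM:\System\CurrentControlSet\Control\LSA\Kerberos\Domains'

function Get-KerberosRealmConfig {
    param([string]$BasePath)
    if (-not (Test-Path -LiteralPath $BasePath)) { return @() }
    Get-ChildItem -LiteralPath $BasePath | ForEach-Object {
        $key  = $_
        $data = @{}
        # Copy every value verbatim so no value name has to be guessed.
        foreach ($name in $key.GetValueNames()) {
            $data[$name] = $key.GetValue($name)
        }
        [pscustomobject]@{ Realm = $key.PSChildName; Data = $data }
    }
}

$realms = @(Get-KerberosRealmConfig -BasePath $base)
$entry  = $realms | Where-Object { $_.Realm -eq $Realm }   # -eq ignores case
if (-not $entry) {
    Write-Warning "Realm $Realm not found under $base"
    exit 1
}

# Flatten all stored values (multi-strings are unrolled) and look for the KDC.
$stored = @($entry.Data.Values | ForEach-Object { $_ } | ForEach-Object { "$_" })
if ($stored -contains $Kdc) {
    "OK: $Realm lists $Kdc"
} else {
    Write-Warning "$Kdc is not listed for $Realm"
    exit 1
}

# A realm you did not configure means the machine may trust another KDC.
$realms | Where-Object { $_.Realm -ne $Realm } |
    ForEach-Object { Write-Warning "Additional realm configured: $($_.Realm)" }
```

Running ksetup with no arguments prints the same settings, which is useful for cross-checking the script's output.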