Diffstat (limited to 'crypto/heimdal/doc/win2k.texi')
-rw-r--r--  crypto/heimdal/doc/win2k.texi  254
1 files changed, 240 insertions, 14 deletions
diff --git a/crypto/heimdal/doc/win2k.texi b/crypto/heimdal/doc/win2k.texi index 1a0e731..baa1b47 100644 --- a/crypto/heimdal/doc/win2k.texi +++ b/crypto/heimdal/doc/win2k.texi @@ -1,4 +1,6 @@ -@node Windows 2000 compatability, Acknowledgments, Kerberos 4 issues, Top +@c $Id: win2k.texi,v 1.12 2001/01/28 22:10:35 assar Exp $ + +@node Windows 2000 compatability, Acknowledgments, Migration, Top @comment node-name, next, previous, up @chapter Windows 2000 compatability 
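Review bot: the @node line's previous pointer changes from "Kerberos 4 issues" to "Migration", but this diff is limited to win2k.texi, so the "Migration" node and the Top menu entry that makeinfo needs to resolve that pointer are not visible here; please confirm they are part of the same commit, otherwise the manual will fail to build. The node name and the @chapter title both keep the misspelling "compatability"; because the node name is referenced from every @node pointer in this chapter and from the Top menu, either leave it untouched here or rename it everywhere in a separate change.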
@@ -7,37 +9,182 @@ Kerberos 5. Their implementation, however, has some quirks, peculiarities, and bugs. This chapter is a short summary of the things that we have found out while trying to test Heimdal against Windows 2000. Another big problem with the Kerberos implementation in Windows -2000 is the almost complete lack of documentation. +2000 is that the available documentation is more focused on getting +things to work rather than how they work and not that useful in figuring +out how things really work. This information should apply to Heimdal @value{VERSION} and Windows -2000 RC1. It's of course subject all the time and mostly consists of +2000 Professional. It's of course subject all the time and mostly consists of our not so inspired guesses. Hopefully it's still somewhat useful. @menu +* Configuring Windows 2000 to use a Heimdal KDC:: +* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC:: +* Create account mappings:: * Encryption types:: * Authorization data:: +* Quirks of Windows 2000 KDC:: +* Useful links when reading about the Windows 2000:: @end menu -@node Encryption types, Authorization data, Windows 2000 compatability, Windows 2000 compatability +@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability +@comment node-name, next, precious, up +@section Configuring Windows 2000 to use a Heimdal KDC + +You need the command line program called @code{ksetup.exe} which is available +in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional +CD-ROM. This program is used to configure the Kerberos settings on a +Workstation. + +@code{Ksetup} store the domain information under the registry key: +@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}. + +Use the kadmin program in Heimdal to create a host principal in the +Kerberos realm. 
+ +@example +unix% kadmin +kadmin> ank -pw password host/datan.my.domain +@end example + +You must configure the Workstation as a member of a workgroup, as opposed +to a member in an NT domain, and specify the KDC server of the realm +as follows: +@example +C:> ksetup /setdomain MY.REALM +C:> ksetup /addkdc MY.REALM kdc.my.domain +@end example + +Set the machine password, i.e. create the local keytab: +@example +C:> ksetup /setmachpassword password +@end example + +The workstation must now be rebooted. + +A mapping between local NT users and Kerberos principals must be specified, +you have two choices: + +@example +C:> ksetup /mapuser user@@MY.REALM nt_user +@end example + +This will map a user to a specific principal, this allows you to have +other usernames in the realm than in your NT user database. (Don't ask +me why on earth you would want that...) + +You can also say: +@example +C:> ksetup /mapuser * * +@end example +The Windows machine will now map any user to the corresponding principal, +for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}. +(This is most likely what you want.) + +@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability +@comment node-name, next, precious, up +@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC + +See also the Step-by-Step guide from Microsoft, referenced below. + +Install Windows 2000, and create a new controller (Active Directory +Server) for the domain. + +By default the trust will be non-transitive. This means that only users +directly from the trusted domain may authenticate. This can be changed +to transitive by using the @code{netdom.exe} tool. + +You need to tell Windows 2000 on what hosts to find the KDCs for the +non-Windows realm with @code{ksetup}, see @xref{Configuring Windows 2000 +to use a Heimdal KDC}. 
+ +This need to be done on all computers that want enable cross-realm +login with @code{Mapped Names}. + +Then you need to add the inter-realm keys on the Windows kdc. Start the +Domain Tree Management tool. (Found in Programs, Administrative tools, +Active Directory Domains and Trusts). + +Right click on Properties of your domain, select the Trust tab. Press +Add on the appropriate trust windows and enter domain name and +password. When prompted if this is a non-Windows Kerberos realm, press +OK. + +Do not forget to add trusts in both directions. + +You also need to add the inter-realm keys to the Heimdal KDC. There are +some tweaks that you need to do to @file{krb5.conf} beforehand. + +@example +[libdefaults] + default_etypes = des-cbc-crc + default_etypes_des = des-cbc-crc +@end example + +since otherwise checksum types that are not understood by Windows 2000 +will be generated (@xref{Quirks of Windows 2000 KDC}.). + +Another issue is salting. Since Windows 2000 does not seem to +understand Kerberos 4 salted hashes you might need to turn off anything +similar to the following if you have it, at least while adding the +principals that are going to share keys with Windows 2000. + +@example + [kadmin]default_keys = des3:pw-salt des:pw-salt des:pw-salt: +@end example + +You must also set: + +Once that is also done, you can add the required inter-realm keys: + +@example +kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM +kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM +@end example + +Use the same passwords for both keys. + +Do not forget to reboot before trying the new realm-trust (after running +@code{ksetup}). It looks like it might work, but packets are never sent to the +non-Windows KDC. 
+ +@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability +@comment node-name, next, precious, up +@section Create account mappings + +Start the @code{Active Directory Users and Computers} tool. Select the +View menu, that is in the left corner just below the real menu (or press +Alt-V), and select Advanced Features. Right click on the user that you +are going to do a name mapping for and choose Name mapping. + +Click on the Kerberos Names tab and add a new principal from the +non-Windows domain. + +@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability @comment node-name, next, previous, up @section Encryption types Windows 2000 supports both the standard DES encryptions (des-cbc-crc and -des-cbc-md5) and its own proprietary encryption that is based on md4 and -rc4 and which is supposed to be described in -draft-brezak-win2k-krb-rc4-hmac-01.txt. To enable a given principal to -use DES, it needs to have DES keys in the database. To do this, you -need to enable DES keys for the particular principal with the user -administration tool and then change the password. - -@node Authorization data, , Encryption types, Windows 2000 compatability +des-cbc-md5) and its own proprietary encryption that is based on MD4 and +rc4 that is documented in and is supposed to be described in +@file{draft-brezak-win2k-krb-rc4-hmac-03.txt}. New users will get both +MD4 and DES keys. Users that are converted from a NT4 database, will +only have MD4 passwords and will need a password change to get a DES +key. + +Heimdal implements both of these encryption types, but since DES is the +standard and the hmac-code is somewhat newer, it is likely to work better. 
+ +@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability @comment node-name, next, previous, up @section Authorization data The Windows 2000 KDC also adds extra authorization data in tickets. It is at this point unclear what triggers it to do this. The format of -this data is unknown and according to Microsoft, subject to change. A -simple way of getting hold of the data to be able to understand it +this data is only available under a ``secret'' license from Microsoft, +which prohibits you implementing it. + +A simple way of getting hold of the data to be able to understand it better is described here. @enumerate 
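Review bot: the inter-realm key example uses mismatched realm names: `kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM` and `kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM` name four distinct realms, while a two-way trust needs exactly two (krbtgt/B@B-side-of-A and krbtgt/A@B, i.e. the same pair of names in both lines); pick one pair of placeholders and reuse it, ideally the MY.REALM already used in the ksetup examples, so a reader copying the commands gets a working trust. Further points in this hunk: "You must also set:" is followed directly by "Once that is also done", so the setting it introduces is missing; the @example `[kadmin]default_keys = des3:pw-salt des:pw-salt des:pw-salt:` puts the section name and the option on one line, whereas krb5.conf wants `[kadmin]` on its own line, and the text does not say which of the three entries is the Kerberos 4 style salt the reader is supposed to remove (the second and third are otherwise identical apart from the trailing colon); "rc4 that is documented in and is supposed to be described in" has a dangling "documented in"; the three new @comment lines read "precious" where "previous" is meant; "with @code{ksetup}, see @xref{...}" renders as "see See ..." and the parenthesised "(@xref{Quirks of Windows 2000 KDC}.)" should be @pxref; "This need to be done" should read "This needs to be done"; "prohibits you implementing it" should read "prohibits you from implementing it"; and the modified "2000 Professional" line still carries "It's of course subject all the time", which is missing "to change".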
@@ -56,3 +203,82 @@ the file. analyzing the data. @end enumerate +@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability +@comment node-name, next, previous, up +@section Quirks of Windows 2000 KDC + +There are some issues with salts and Windows 2000. Using an empty salt, +which is the only one that Kerberos 4 supported and is therefore known +as a Kerberos 4 compatible salt does not work, as far as we can tell +from out experiments and users reports. Therefore, you have to make +sure you keep around keys with all the different types of salts that are +required. + +Microsoft seems also to have forgotten to implement the checksum +algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name +mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key +is used. To make the KDC return only @code{des-cbc-crc} you must delete +the @code{des-cbc-md5} key from the kdc using the @code{kadmin +del_enctype} command. + +@example +kadmin del_enctype lha des-cbc-md5 +@end example + +You should also add the following entries to the @file{krb5.conf} file: + +@example +[libdefaults] + default_etypes = des-cbc-crc + default_etypes_des = des-cbc-crc +@end example + +These configuration options will make sure that no checksums of the +unsupported types are generated. + +@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability +@comment node-name, next, previous, up +@section Useful links when reading about the Windows 2000 + +There are lots of text about Kerberos on Microsoft's web site, here is a +short list of the interesting documents that we have managed to find. 
+ +@itemize @bullet + +@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability - +@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp} +Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a +non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and +adding cross-realm trust (@xref{Inter-Realm keys (trust) between Windows 2000 +and a Heimdal KDC}.). + +@item Windows 2000 Kerberos Authentication - +@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp} +White paper that describes how Kerberos is used in Windows 2000. + +@item Overview of kerberos - +@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP} +Links to useful other links. + +@item Klist for windows - +@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm} +Describes where to get a klist for Windows 2000. + +@item Event logging for kerberos - +@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}. +Basicly it say that you can add a registry key +@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel} +with value DWORD equal to 1, and then you'll get logging in the Event +Logger. + +@item Access to the active directory through LDAP +@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm} + +@end itemize + +Other useful programs include these: + +@itemize @bullet +@item pwdump2 +@url{http://www.webspan.net/~tas/pwdump2/} +@end itemize |
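Review bot: the `[libdefaults]` / `default_etypes = des-cbc-crc` / `default_etypes_des = des-cbc-crc` block in the new Quirks section is an exact duplicate of the block added to the Inter-Realm section earlier in this patch; keep it in one place and @pxref it from the other so the two copies cannot drift apart. Also: `kadmin del_enctype lha des-cbc-md5` uses a real-looking principal name where the rest of the chapter uses obvious placeholders, so a name such as `user` would be clearer; "from out experiments" should be "from our experiments"; "There are lots of text" should be "There is a lot of text"; "Basicly it say" should be "Basically it says"; and the pwdump2 entry under "Other useful programs" is the only list item that gives no description of what the program is or why it is relevant to this chapter, which the reader needs in order to judge whether to follow the link.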