some cross-realm trust questions

Russ Allbery rra at stanford.edu
Tue Dec 28 14:35:41 EST 2010


Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> writes:
> Russ Allbery wrote:

>> You use a password.  Enter the same password on both sides when creating
>> the key, and then be sure to remove any extraneous enctypes on the Heimdal
>> side that AD isn't configured to provide.

> Do you mean to say that the key derivation algorithm is the same in
> Heimdal and in MS AD? The same password will yield the same key
> anywhere, in any Kerberos implementation?

Of course.  Otherwise, you couldn't authenticate with a password to a
Kerberos KDC provided by a different implementation.

> And BTW how do I figure out what enctypes AD is configured to provide?
> Is there anything like "kadmin get" for AD?

I don't know, personally, having not administered AD myself, but I know
that information is available from the AD admin interface.  Current
Windows supports 256-bit AES, 128-bit AES, RC4, and DES (although DES I
think is disabled by default).  Older Windows only supports RC4 and DES.
I don't believe any version of Windows has ever supported 3DES.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list