some cross-realm trust questions

Nicolas Williams Nicolas.Williams at oracle.com
Tue Dec 28 14:57:42 EST 2010


On Tue, Dec 28, 2010 at 05:02:45PM +0000, Victor Sudakov wrote:
> Russ Allbery wrote:
> > You use a password.  Enter the same password on both sides when creating
> > the key, and then be sure to remove any extraneous enctypes on the Heimdal
> > side that AD isn't configured to provide.
> 
> Do you mean to say that the key derivation algorithm is the same in
> Heimdal and in MS AD? The same password will yield the same key
> anywhere, in any Kerberos implementation?

Of course: that's part of the standard, else there'd be no interop.

> And BTW how do I figure out what enctypes AD is configured to provide?
> Is there anything like "kadmin get" for AD?

Our adjoin[0] script (which was referenced in a BigAdmin paper by Baban
Kenkre[1]) implements a heuristic to detect what enctypes are available
based on, IIRC, trying to add an LDAP attribute named
"msDS-SupportedEncryptionTypes" to the machine account object.  Failure
denotes older AD supporting 1DES and RC4 only; success denotes support
for AES-128 and AES-256.  (The script then sets up the
userAccountControl and msDS-SupportedEncryptionTypes attributes to
configure the use of the intersection of the enctypes offered by AD and
the enctypes available and enabled on the host being joined to AD.)

You can probably port adjoin to work with Heimdal with relatively little
work.

[0] http://hub.opensolaris.org/bin/view/Project+winchester/files?viewer=history&language=en
[1] http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp

Nico
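As an added illustration (not adjoin's own code and not part of the original post), a Python sketch of the intersection step described above, taking the result of the attribute-write probe as input. The bit values are Microsoft's published msDS-SupportedEncryptionTypes bits; the userAccountControl flag applied in the DES-only case is an assumption, since the post does not name the bit it sets.

```python
# Added example: compute the msDS-SupportedEncryptionTypes bitmask for a
# machine account as the intersection of what AD offers and what the host
# being joined has enabled, and list the enctypes to keep on the Heimdal
# side (everything else is "extraneous" and should be removed from the key).

# Microsoft's msDS-SupportedEncryptionTypes bit layout, keyed by the
# Kerberos/Heimdal enctype name.
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "arcfour-hmac-md5": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# The heuristic from the post: if the probe write of
# msDS-SupportedEncryptionTypes fails, AD is older and offers only
# single-DES and RC4; if it succeeds, AES-128 and AES-256 are available too.
LEGACY_AD = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}
MODERN_AD = LEGACY_AD | {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Assumption: set userAccountControl bit UF_USE_DES_KEY_ONLY (0x200000) when
# the only enctypes in common are single-DES. The post does not name the bit.
UF_USE_DES_KEY_ONLY = 0x200000
DES_ONLY_MASK = 0x03


def negotiate_enctypes(attr_writable, host_enctypes):
    """Return (enctypes_to_keep, msds_bitmask, uac_bits_to_set).

    attr_writable: outcome of the probe write to msDS-SupportedEncryptionTypes.
    host_enctypes: enctype names enabled on the host being joined.
    """
    offered = MODERN_AD if attr_writable else LEGACY_AD
    # Strongest first, so the list reads like a preference order.
    keep = sorted(offered & set(host_enctypes),
                  key=lambda e: ENCTYPE_BITS[e], reverse=True)
    if not keep:
        raise ValueError("no enctype in common with AD; trust key would be unusable")
    mask = 0
    for enctype in keep:
        mask |= ENCTYPE_BITS[enctype]
    uac = UF_USE_DES_KEY_ONLY if (mask & ~DES_ONLY_MASK) == 0 else 0
    return keep, mask, uac
```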