Next: , Previous: Windows compatibility, Up: Windows compatibility


8.1 Configuring Windows to use a Heimdal KDC

You need the command line program called ksetup.exe. This program comes with the Windows Support Tools, available from either the installation CD-ROM (SUPPORT/TOOLS/SUPPORT.CAB), or from Microsoft web site. Starting from Windows 2008, it is already installed. This program is used to configure the Kerberos settings on a Workstation.

Ksetup store the domain information under the registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains.

Use the kadmin program in Heimdal to create a host principal in the Kerberos realm.

     unix% kadmin
     kadmin> ank --password=password host/datan.example.com

The name `datan.example.com' should be replaced with DNS name of the workstation.

You must configure the workstation as a member of a workgroup, as opposed to a member in an NT domain, and specify the KDC server of the realm as follows:

     C:> ksetup /setdomain EXAMPLE.COM
     C:> ksetup /addkdc EXAMPLE.COM kdc.example.com

Set the machine password, i.e. create the local keytab:

     C:> ksetup /SetComputerPassword password

The password used in ksetup /setmachpassword must be the same as the password used in the kadmin ank command.

The workstation must now be rebooted.

A mapping between local NT users and Kerberos principals must be specified. You have two choices. First:

     C:> ksetup /mapuser user@MY.REALM nt_user

This will map a user to a specific principal; this allows you to have other usernames in the realm than in your NT user database. (Don't ask me why on earth you would want that....)

You can also say:

     C:> ksetup /mapuser * *

The Windows machine will now map any user to the corresponding principal, for example `nisse' to the principal `nisse@MY.REALM'. (This is most likely what you want.)