HP (Hewlett-Packard) E0905 Server User Manual


 
Interoperability with Windows 2000
Establishing Trust Between Kerberos Server and Windows 2000
To establish trust between the Kerberos server realm KRB.REALM and the Windows 2000 domain W2K.DOMAIN, complete the following steps:
Step 1. Add interrealm service principals to the Kerberos server realm. For more information, see “HP Kerberos Administrator” on page 132.
   If the realm is the source realm, the name of the principal is krbtgt/W2K.DOMAIN@KRB.REALM.
   If the realm is the target realm, the name of the principal is krbtgt/KRB.REALM@W2K.DOMAIN.
Step 2. On the Windows 2000 domain controller, use the Active Directory Domains and Trusts snap-in to create the trust relationship.
   If the domain trusts the Kerberos server realm, add the realm name to the Domains that this domain trusts field.
   If the Kerberos server realm trusts the Windows 2000 domain, add the realm name to the Domains that trust this domain field.
   Keep in mind that the passwords in steps 1 and 2 must be identical for the corresponding principals.
Step 3. Update the client configuration files or the DNS configuration with the name of the foreign KDC.
   For the Kerberos server clients, perform the following steps:
   a. Add the Windows 2000 domain controller domain name and fully qualified domain name to the /etc/krb5.conf file of the client.
   b. Configure the [capaths] section for the direct trust relationship between the realms.
   c. Add the host-to-realm name mapping data for each available Windows 2000 service to the /etc/krb5.conf file of the client.
   On the Windows 2000 client, invoke the Windows 2000 Ksetup tool by executing the following command:
   ksetup /addkdc KRB.REALM <fqdn>
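
The /etc/krb5.conf changes from Step 3 a through c, shown as an added example that is not taken from the HP manual. It assumes MIT-style krb5.conf syntax; the host names kdc.krb.realm, dc1.w2k.domain and fileserver.w2k.domain are constructed placeholders.

```ini
# /etc/krb5.conf on a client in KRB.REALM (constructed example; host names are placeholders)

[libdefaults]
    default_realm = KRB.REALM

[realms]
    # The client's own realm (assumed to be present already)
    KRB.REALM = {
        kdc = kdc.krb.realm:88
        admin_server = kdc.krb.realm
    }
    # Step 3a: the Windows 2000 domain and the FQDN of its domain controller
    W2K.DOMAIN = {
        kdc = dc1.w2k.domain:88
    }

[capaths]
    # Step 3b: direct trust in each direction; "." means no intermediate realm
    KRB.REALM = {
        W2K.DOMAIN = .
    }
    W2K.DOMAIN = {
        KRB.REALM = .
    }

[domain_realm]
    # Step 3c: map the hosts that run Windows 2000 services to the Windows realm
    .w2k.domain = W2K.DOMAIN
    w2k.domain = W2K.DOMAIN
    fileserver.w2k.domain = W2K.DOMAIN
```

An explicit [domain_realm] entry for every service host keeps a client from requesting the service ticket in the wrong realm when its DNS suffix does not match the realm name.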