Interoperability with Windows 2000
Establishing Trust Between Kerberos Server and Windows 2000
Establishing Trust Between Kerberos Server and Windows 2000
To establish trust between Kerberos server KRB.REALM and Windows
2000 W2K.DOMAIN, complete the following steps:
Step 1. Add interrealm service principals to the Kerberos server realm. For more information, see “HP Kerberos Administrator” on page 132.
•If the realm is the source realm, the name of the principal is krbtgt/W2K.DOMAIN@KRB.REALM.
•If the realm is the target realm, the name of the principal is krbtgt/KRB.REALM@W2K.DOMAIN.
Step 2. On the Windows 2000 domain controller, use the Active Directory Domains and Trusts
•If the domain trusts the Kerberos server realm, add the realm name to the Domains that this domain trusts field.
•If the Kerberos server realm trusts the Windows 2000 domain, add the realm name to the Domains that trust this domain’ field. Keep in mind that the passwords in steps 1 and 2 must be identical for the corresponding principals.
Step 3. Update the client configuration files or the DNS configuration with the name of the foreign KDC.
•For the Kerberos server clients, perform the following steps:
a.Add the Windows 2000 domain controller domain name and fully qualified domain name to the /etc/krb5.conf file of the client.
b.Configure the [capaths] section for the direct trust relationship between the realms.
c.Add the
•To invoke the Windows 2000 Ksetup tool on the Windows 2000 client, execute the following command:
Ksetup/addkdc KRB.REALM <fqdn>
56 | Chapter 4 |