Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 4 Interoperability with Windows 2000

Establishing Trust Between Kerberos Server and Windows 2000

To establish trust between Kerberos server KRB.REALM and Windows 2000 W2K.DOMAIN, complete the following steps:

  1. Add interrealm service principals to the Kerberos server realm. For more information, see “HP Kerberos Administrator”.

    • If the realm is the source realm, the name of the principal is krbtgt/W2K.DOMAIN@KRB.REALM.

    • If the realm is the target realm, the name of the principal is krbtgt/KRB.REALM@W2K.DOMAIN.

  2. On the Windows 2000 domain controller, use the Active Directory Domains and Trusts snap-in to create the trust relationship.

    • If the domain trusts the Kerberos server realm, add the realm name to the Domains that this domain trusts field.

    • If the Kerberos server realm trusts the Windows 2000 domain, add the realm name to the Domains that trust this domain field.

    NOTE: The passwords in steps 1 and 2 must be identical for the corresponding principals.

  3. Update the client configuration files or the DNS configuration with the name of the foreign KDC.

    • For the Kerberos server clients, perform the following steps:

      1. Add the Windows 2000 domain controller domain name and fully qualified domain name to the /etc/krb5.conf file of the client.

      2. Configure the [capaths] section for the direct trust relationship between the realms.

      3. Add the host-to-realm name mapping data for each available Windows 2000 service to the /etc/krb5.conf file of the client.

    • For Windows 2000 clients, run the Windows 2000 Ksetup tool with the following command:

      ksetup /addkdc KRB.REALM <fqdn>

      NOTE: The fqdn qualifier specifies the fully qualified domain name of the Kerberos KDC.

  4. Reboot the Windows 2000 domain controller. You need not reboot the Kerberos server or client.
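
A client /etc/krb5.conf covering the three sub-steps of step 3 for Kerberos server clients, shown as an added example that is not part of the HP guide. The host names under example.com are placeholders, and the file assumes that clients default to KRB.REALM and that the trust was created in both directions.

```ini
# /etc/krb5.conf on a Kerberos server client (added example).
# All host names below are placeholders; substitute your own KDC and
# domain controller names.

[libdefaults]
    default_realm = KRB.REALM

[realms]
    # Local realm served by the HP-UX Kerberos server.
    KRB.REALM = {
        kdc = kdc1.krb.example.com:88
        admin_server = kdc1.krb.example.com
    }
    # Sub-step 1: the Windows 2000 domain and the fully qualified
    # domain name of its domain controller, which acts as the foreign KDC.
    W2K.DOMAIN = {
        kdc = dc1.w2k.example.com:88
    }

[capaths]
    # Sub-step 2: direct trust between the realms. The value "." means
    # that no intermediate realm is traversed.
    KRB.REALM = {
        W2K.DOMAIN = .
    }
    # Needed only when the trust is two-way (assumed here).
    W2K.DOMAIN = {
        KRB.REALM = .
    }

[domain_realm]
    # Sub-step 3: host-to-realm mapping for Windows 2000 services.
    # A leading dot maps every host in the DNS domain; a bare name
    # maps that single host.
    .w2k.example.com = W2K.DOMAIN
    w2k.example.com = W2K.DOMAIN
    # Hosts in the local DNS domain stay in the Kerberos server realm.
    .krb.example.com = KRB.REALM
```

Listing only the realm pairs that have a configured trust in [capaths] keeps clients from attempting authentication paths that were never set up.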

© 2007 Hewlett-Packard Development Company, L.P.