Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Interoperability With Windows 2000
Establishing Trust Between HP’s Kerberos Servers and Windows 2000
To establish trust between the Kerberos Server realm KRB.REALM and the
Windows 2000 domain W2K.DOMAIN, do the following:
Step 1. Add inter-realm service principals to the Kerberos Server realm. For
more information, refer to “Administrator” on page 114.
• If the realm is the source realm, the name of the principal is:
krbtgt/W2K.DOMAIN@KRB.REALM
• If the realm is the target realm, the name of the principal is:
krbtgt/KRB.REALM@W2K.DOMAIN
Step 2. On the Windows 2000 domain controller, use the Active Directory
Domains and Trusts snap-in to create the trust relationship.
• If the domain trusts the Kerberos Server realm, add the realm
name to the ‘Domains that this domain trusts’ field.
• If the Kerberos Server realm trusts the Windows 2000 domain, add
the realm name to the ‘Domains that trust this domain’ field.
Keep in mind that the passwords in Steps 1 and 2 must be identical.
Step 3. Update the client configuration files or the DNS configuration with the
name of the foreign KDC.
• For the Kerberos Server clients, add the Windows 2000 domain
controller’s domain name and fully qualified domain name to the
client’s /etc/krb5.conf file, together with the host-to-realm name
mapping data for each available Windows 2000 service.
• On the Windows 2000 client, invoke the Windows 2000 Ksetup tool
as follows:
Ksetup /addkdc KRB.REALM KRB_KDC_<fqdn>
Step 4. Reboot the Windows 2000 client system. It is not necessary to reboot the
Kerberos Server or Client.
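The /etc/krb5.conf entries that Step 3 describes for a Kerberos Server client, shown as an added example that is not taken from the HP manual. The host names kdc1.krb.realm and dc1.w2k.domain are constructed placeholders, and the stanza layout assumes the standard MIT-style krb5.conf syntax.

```ini
# /etc/krb5.conf on a Kerberos Server client (added example).
# kdc1.krb.realm and dc1.w2k.domain are constructed placeholder host names;
# substitute the fully qualified names of your own KDC and domain controller.

[libdefaults]
    default_realm = KRB.REALM

[realms]
# The client's own realm, served by the HP Kerberos Server.
    KRB.REALM = {
        kdc = kdc1.krb.realm:88
        admin_server = kdc1.krb.realm
    }
# The foreign realm: the Windows 2000 domain controller is its KDC.
# Without this entry (or equivalent DNS data) the client cannot locate
# the KDC that issues tickets for services in W2K.DOMAIN.
    W2K.DOMAIN = {
        kdc = dc1.w2k.domain:88
    }

[domain_realm]
# Host-to-realm mapping. A leading dot matches every host in the DNS
# domain; the bare name matches a host with exactly that name.
# Hosts that run Windows 2000 services map to W2K.DOMAIN so the client
# requests a cross-realm ticket instead of asking its own KDC for a
# service principal that does not exist there.
    .w2k.domain = W2K.DOMAIN
    w2k.domain = W2K.DOMAIN
    .krb.realm = KRB.REALM
    krb.realm = KRB.REALM
```

Realm names are case-sensitive and conventionally upper case, so the realm entered here must match the name used for the krbtgt principals in Step 1 and in the Windows 2000 trust in Step 2.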