(Optional) Enable a Windows Host to Communicate to a UNIX KDC
Your environment may have a Windows workstation that is not part of a Windows domain. The workstation must be able to communicate with the UNIX KDC. Use the Windows ksetup command-line tool to configure this set up.
Your environment may have a Windows workstation that is not part of a Windows domain. The workstation must be able to communicate with the UNIX KDC. Use the Windows
ksetupcommand-line tool to configure this set up.
Follow these steps:
- In the Kerberos realm, create a host principal for the Windows host. Use the following kadmin command:addprinc host/machine-name.dns-domain_nameFor example, if the Windows workstation name is w2kw and the Kerberos realm is EXAMPLE.COM, the principal name is host/w2kw.example.com.
- Configure the Windows host as a member of a workgroup because it is not in a Windows domain:
- Remove the host from the Windows domain.
- Add the test user, for example, testkrb, to the local user database.
- Add the Kerberos realm by entering:ksetup /SetRealm EXAMPLE.COM
- Restart the Windows host.
- Add the KDC by entering:ksetup /addkdc EXAMPLE.COM rhasmit
- Set a new password by entering:ksetup /setmachpasswordpasswordThis password is same as the one used while creating the host principal account in the MIT KDC.
- Restart the host.
- Set the Realm Flag by entering:ksetup /SetRealmFlags EXAMPLE.COM delegate
- Run the AddKpasswd command by entering:ksetup /AddKpasswd EXAMPLE.COM rhasmit
- Use ksetup to configure single sign-on to local workstation accounts by defining the account mappings between the Windows host accounts to Kerberos principals. For example:ksetup /mapuser [email protected] testkrbksetup /mapuser * *The second command maps clients to local accounts of the same name. Use the ksetup command with no arguments to see the current settings.