Arden,

Thank you VERY much for taking time to answer my
question. You have provided a very clear
explanation...
I've tried it and it works like magic :-)

I have even added registry values for the Group Policy
Refresh, as explained in
http://www.jsiinc.com/sube/tip2100/rh2184.htm, so that
any changes made to the registry values we added in the
Group Policy Object will be reflected on the machines
in the domain. I've tested it, and it looks okay.

However, I notice that the group policy refresh
doesn't apply when you undefine the value of the
registry entry (for example changing KdcNames from
kerberos.lara.com to Not Defined) or if you try to
remove the registry entry (for example removing KdcNames).

I've tried rebooting the machine that serves as the
DC, as well as rebooting the client machine (which is
the member of the domain), but it didn't work.
I've tried the following way as well:
- rename the secedit.sdb file to "secedit.old"
- run secedit /refreshpolicy machine_policy /enforce
The new secedit.sdb is created successfully, but the
registry values that I've been trying to remove are still
there (under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security
Options). I wonder if you have the same experience as
me...

By the way, I have another problem that you might have
encountered as well...
I have a w2k client which authenticates to a Kerberos
Realm. This works perfectly. I have also configured
cross-realm authentication between the Kerberos Realm
and a w2k domain (based on the following articles: the
Step by Step Guide to Kerberos 5 Interoperability and
the Windows 2000 compatibility section of the Heimdal
manual).

So, when the w2k client (which is in the Kerberos Realm)
wants to access another machine in another domain
(which is a w2k domain), it will send a request for a
cross-realm referral to the Kerberos Realm KDC, and the
KDC should be able to give a referral ticket.

The problem is that the win2k machine sends the request
with a short name instead of an FQDN (host/foo.example.org
will be sent as host/foo, as explained in
'Implementation of Crossrealm Referral Handling in the
MIT Kerberos Client' by Michael Swift, Irina
Kosinovsky, and Jonathan Trostle), hence the burden of
finding the correct realm of the requested server falls
on the KDC. When I debugged the code, I found out that
for host/foo, the KDC will try to find a match in the
[domain_realm] section of krb5.conf or do a DNS lookup
for foo. In this way I have to provide a one-to-one
mapping of foo to the correct realm (foo = W2K.COM for
example). Imagine if you have so many machines in one
domain, with so many services available, and you have to
provide a one-to-one mapping of the hostname / service
name to its realm... It's not so practical, is it?
The better and correct way (to me) is to provide a
mapping of the domain name of the service/hostname to its
realm... But I don't know whether this is possible,
and if yes, how to do it.

Do you encounter this problem ? If yes, how did you
solve it ? By the way, I'm using Heimdal.

Once again, thanks a lot !!
-lara-

PS: By the way, are there any guidelines on how to
determine the values of GroupPolicyRefreshTime and
GroupPolicyRefreshTimeOffset?

--- Arden Pineda <[EMAIL PROTECTED]> wrote:
> Lara,
> 
> I am trying to refresh my memory since I had to
> perform the same steps while
> rebuilding our test environment a while back. 
> Basically, we had to do it in
> 2 steps in the order listed below.  
> 
> 1.  Create and import a custom ADM template that
> predefines the Kerberos
> REALM key in the registry.  This ensures that the
> REALM name is created in
> UPPERCASE.  If you try doing this in SCEREGVL.INF
> file, the realm name is
> created, but in lowercase.  Proceed to step 2 once
> the registry key has been
> propagated. 
> 
> 2.  Edit the SCEREGVL.INF file and add the specific
> entries for your
> KERBEROS realm.  Once you reload the file, the
> settings will show up under
> the Computer Configuration node within Windows
> Settings\Security
> Settings\Local Policies\Security Options.
> 
> I have added the sample ADM file and entries for the
> Security Configuration
> Editor file below.  
> 
> Also, if you haven't already, you may also want to
> look at the NSA Windows
> 2000 Security Configuration guides at: 
> 
> http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1
> 
> I hope this helps.
> 
> Arden
> 
> ***************ADM FILE***************************************
> Class MACHINE
> Category !!AdministrativeServices
> Category !!Kerberos
> Policy !!SetRealmFlags
> Keyname "System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM"
> Explain !!SetRealmFlags_Help
> Part !!RealmFlags Numeric Required
>   Valuename "RealmFlags"
>   Default 8
> End Part
> End Policy
> End Category ;;Kerberos
> 
> End Category ;;AdministrativeServices
> [strings]
> AdministrativeServices="System"
> Kerberos="Kerberos RealmFlags"
> RealmFlags="RealmFlags value"
> SetRealmFlags="Set YOURREALM.COM Kerberos RealmFlags variable"
> SetRealmFlags_Help="Creates the realm name variable key for YOURREALM.COM and allows referrals to work properly.\n\nThis key is created to allow the security policy defining the KDC mappings for the realm to have the proper realm name variable in the registry.\n\nThe value set here (RealmFlags) allows proper referrals from the MIT-based Kerberos realm. See http://www.citi.umich.edu/u/kwc/krb5stuff/referral.html"
> ;End of Strings
> 
> **************SCEREGVL.INF file********************************
> 
> [Register Registry Values]
> 
> ; Kerberos
> ; ==================================================================================
> ; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95146.htm
> ; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95141.htm
> 
> MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KpasswdNames,7,%Kpasswd%,4
> MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KdcNames,7,%Knames%,4
> ; ==================================================================================
> 
> [Strings]
> 
> ; =============================== YOURREALM =========================================
> Kpasswd = "Kerberos: YOURREALM.COM realm Change Password Protocol Servers (YOURREALM)"
> Knames = "Kerberos: YOURREALM.COM realm KDC servers (YOURREALM)"
> 
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
> > Sent: Wednesday, April 14, 2004 1:53 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Using Security Configuration Template instead of Ksetup...
> > 
> > Hello,
> > 
> > In 'Step-by-step Guide to Kerberos 5
> Interoperability'
> > document, it is stated as follows:
> > "To deploy realm configuration data to multiple
> computers, 
> > use the security configuration template mechanism
> instead of 
> > using Ksetup explicitly on individual computers"  
> > 
> > Is there any good document / howto about how to
> use security 
> > configuration template to achieve the same results
> as ksetup ?
> > 
> > I've been reading some of the Microsoft Knowledge
> Base articles such 
> > as: How to add custom registry settings to
> security 
> > configuration editor, how to create custom
> administrative 
> > templates in windows 2000, etc..but I haven't got
> a clear 
> > picture of how it can be done using security
> configuration template.
> > 
> > This is the part that I don't understand:
> > "Once the Sceregvl.inf file has been modified and
> registered, 
> > your custom registry values are exposed in the SCM
> UI's on 
> > that machine. You can then create security
> templates or 
> > policies that define your new registry values.
> These 
> > templates or policies can then be applied to any
> machine 
> > regardless of whether Sceregvl.inf has been
> modified on the 
> > target machine or not." (taken from Microsoft's
> article: How 
> > to add custom registry settings to security
> configuration 
> > editor). Is SCM the same as the Security Configuration
> and Analysis tool?
> >  
> > Well...from reading the article, my guess is that
> I will need 
> > to update sceregvl.inf, register the changes by
> doing 
> > 'regsvr32 scecli.dll', and also change the group
> policy.
> > 
> > Anyway, I've tried to update sceregvl.inf but it
> didn't work 
> > :-( The changes didn't seem to be reflected in the
> registry 
> > editor, as usually happens when using ksetup.
> > 
> > -lara- 
> > 
> > =====
> > ------------------------------------------------------------------------------------
> > Life, you see, is never as good or as bad as one thinks
> >           - Guy de Maupassant -
> > ------------------------------------------------------------------------------------
> 
=== message truncated ===


=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------


        
                