Lara,
 
I haven't really spent any time trying to undo the kerberos entries created
by the custom admin template, so I don't have any useful input at this
point.  I'll see if I can take a look at this at some point in time. 

As for your problem with the Service Principal names, we do not encounter
this issue since we pre-populate the ServicePrincipalName attribute of all
member machines to include the following:

HOST/hostname
HOST/hostname.domainsuffix

We do this using a script that pre-creates the computer accounts and
populates the necessary attributes.  Administrators have to run this script
from a member machine before joining new machines to the domain.  If you are
interested, here is the link to the create computer script on our website:

http://calnetad.berkeley.edu/documentation/scripts

Hope this helps.

Arden


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
> Sent: Friday, April 16, 2004 5:47 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Using Security Configuration 
> Template instead of Ksetup...
> 
> Arden,
> 
> Thank you VERY much for taking time to answer my question. 
> You have provided a very clear explanation...
> I've tried it and it works like magic :-)
> 
> I have even added registry entries for the Group Policy Refresh, as 
> explained in http://www.jsiinc.com/sube/tip2100/rh2184.htm so 
> that any changes made to the registry entries we added in the Group 
> Policy Object will be reflected on the machines in the 
> domain. I've tested it, and it looks okay.
> 
> However, I notice that the group policy refresh doesn't apply 
> when you undefine the value of the registry entry (for example 
> changing KdcNames from kerberos.lara.com to Not defined) or 
> if you try to remove the registry entry (for example removing KdcNames).
> 
> I've tried rebooting the machine that serves as the DC, as 
> well as rebooting the client machine (which is a member of 
> the domain), but it didn't work.
> I've tried the following way as well:
> - rename the secedit.sdb file to "secedit.old"
> - run secedit /refreshpolicy machine_policy /enforce
> The new secedit.sdb is created successfully, but the registry entries that 
> I've been trying to remove are still there (in Computer 
> Configuration\Windows Settings\Security Settings\Local 
> Policies\Security Options). I wonder if you have the same 
> experience as me...
> 
> By the way, I have another problem that you might have 
> encountered as well...
> I have a w2k client which authenticates to a Kerberos Realm. 
> This works perfectly. I have also configured cross-realm 
> authentication between the Kerberos Realm and a w2k domain 
> (based on the following articles: Step by step Guide to Kerberos 5 
> Interoperability and the Windows 2000 compatibility section of the 
> Heimdal manual). 
> 
> So, when the w2k client (which is in a Kerberos Realm 
> domain) wants to access another machine in another domain 
> (which is a w2k domain), it will send a request for a 
> cross-realm referral to the Kerberos Realm KDC, and the KDC 
> should be able to give a referral ticket.
> 
> The problem is that the win2k machine sends the request using short 
> names instead of FQDNs (host/foo.example.org will be sent 
> as host/foo, as explained in 'Implementation of Crossrealm 
> Referral Handling in the MIT Kerberos Client' by Michael 
> Swift, Irina Kosinovsky, and Jonathan Trostle), hence the 
> burden of finding the correct realm of the requested server 
> falls on the KDC. When I debugged the code, I found out that for 
> host/foo, the KDC will try to find a match in the [domain_realm] 
> section of krb5.conf or do a DNS lookup for foo. In this way I 
> have to provide a one-to-one mapping of foo to the correct 
> realm (foo = W2K.COm for example). Imagine if you have so 
> many machines in one domain, with so many services available, 
> and you have to provide a one-to-one mapping of the hostname 
> / service name to its realm....It's not so practical, is it?
> The better and correct way (to me) is to provide a mapping of the 
> domain name of the service/hostname to its realm....But I 
> don't know whether this is possible, and if yes...how to do it.
> 
> Do you encounter this problem? If yes, how did you solve it? 
> By the way, I'm using Heimdal.
> 
> Once again, thanks a lot !!
> -lara-
> 
> PS: By the way is there any guidelines on how to determine 
> the value of the GroupPolicyRefreshTime and 
> GroupPolicyRefreshTimeOffset ?
> 
> --- Arden Pineda <[EMAIL PROTECTED]> wrote:
> > Lara,
> > 
> > I am trying to refresh my memory since I had to perform the same steps 
> > while rebuilding our test environment a while back. Basically, we had 
> > to do it in 2 steps in the order listed below.
> > 
> > 1.  Create and import a custom ADM template that predefines the 
> > Kerberos REALM key in the registry.  This ensures that the REALM name 
> > is created in UPPERCASE.  If you try doing this in the SCEREGVL.INF 
> > file, the realm name is created, but in lowercase.  Proceed to step 2 
> > once the registry key has been propagated.
> > 
> > 2.  Edit the SCEREGVL.INF file and add the specific entries for your 
> > KERBEROS realm.  Once you reload the file, the settings will show up 
> > under the Computer Configuration node within Windows Settings\Security 
> > Settings\Local Policies\Security Options.
> > 
> > I have added the sample ADM file and entries for the Security 
> > Configuration Editor file below.
> > 
> > Also, if you haven't already, you may also want to look at the NSA 
> > Windows 2000 Security Configuration guides at:
> > 
> > http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1
> > 
> > I hope this helps.
> > 
> > Arden
> > 
> > ***************ADM FILE***************************************
> > Class MACHINE
> > Category !!AdministrativeServices
> > Category !!Kerberos
> > Policy !!SetRealmFlags
> > ; The realm name in the key path must be UPPERCASE (see step 1 above)
> > Keyname "System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM"
> > Explain !!SetRealmFlags_Help
> > Part !!RealmFlags Numeric Required
> >   Valuename "RealmFlags"
> >   Default 8
> > End Part
> > End Policy
> > End Category ;;Kerberos
> > 
> > End Category ;;AdministrativeServices
> > [strings]
> > AdministrativeServices="System"
> > Kerberos="Kerberos RealmFlags"
> > RealmFlags="RealmFlags value"
> > SetRealmFlags="Set YOURREALM.COM Kerberos RealmFlags variable"
> > SetRealmFlags_Help="Creates the realm name variable key for YOURREALM.COM and allows referrals to work properly.\n\nThis key is created to allow the security policy defining the KDC mappings for the realm to have the proper realm name variable in the registry.\n\nThe value set here (RealmFlags) allows proper referrals from the MIT-based Kerberos realm. See http://www.citi.umich.edu/u/kwc/krb5stuff/referral.html"
> > ;End of Strings
> > 
> > **************SCEREGVL.INF file********************************
> > 
> > [Register Registry Values]
> > 
> > ; Kerberos
> > ; ============================================================================
> > ; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95146.htm
> > ; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95141.htm
> > ;
> > ; Entry format: RegistryPath\ValueName,ValueType,DisplayName,DisplayType
> > ; ValueType 7 = REG_MULTI_SZ; DisplayType 4 = multi-valued list in the UI
> > MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KpasswdNames,7,%Kpasswd%,4
> > MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KdcNames,7,%Knames%,4
> > ; ============================================================================
> > 
> > [Strings]
> > 
> > ; =============================== YOURREALM =========================================
> > Kpasswd = "Kerberos: YOURREALM.COM realm Change Password Protocol Servers (YOURREALM)"
> > Knames = "Kerberos: YOURREALM.COM realm KDC servers (YOURREALM)"
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
> > > Sent: Wednesday, April 14, 2004 1:53 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Using Security Configuration Template 
> > > instead of Ksetup...
> > > 
> > > Hello,
> > > 
> > > In the 'Step-by-step Guide to Kerberos 5 Interoperability' 
> > > document, it is stated as follows:
> > > "To deploy realm configuration data to multiple computers, 
> > > use the security configuration template mechanism instead of 
> > > using Ksetup explicitly on individual computers"
> > > 
> > > Is there any good document / howto about how to use a security 
> > > configuration template to achieve the same results as ksetup?
> > > 
> > > I've been reading some of the microsoft knowledge articles such 
> > > as: How to add custom registry settings to security 
> > > configuration editor, how to create custom administrative 
> > > templates in windows 2000, etc..but I haven't got a clear 
> > > picture of how it can be done using a security configuration template.
> > > 
> > > This is the part that I don't understand:
> > > "Once the Sceregvl.inf file has been modified and registered, 
> > > your custom registry values are exposed in the SCM UI's on 
> > > that machine. You can then create security templates or 
> > > policies that define your new registry values. These 
> > > templates or policies can then be applied to any machine 
> > > regardless of whether Sceregvl.inf has been modified on the 
> > > target machine or not." (taken from Microsoft's article: How 
> > > to add custom registry settings to security configuration 
> > > editor). Is SCM the same as the security configuration 
> > > and analysis tool?
> > > 
> > > Well...from reading the article, my guess is that I will need 
> > > to update sceregvl.inf, register the changes by doing 
> > > 'regsvr32 scecli.dll', and also change the group policy.
> > > 
> > > Anyway, I've tried to update sceregvl.inf but it didn't work 
> > > :-( The changes didn't seem to be reflected in the registry 
> > > editor as usually happens when using ksetup.
> > > 
> > > -lara- 
> > > 
> > 
> === message truncated ===
> 
> 

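The short-name referral problem discussed in the quoted thread comes down to how a KDC turns a service host into a realm via the krb5.conf [domain_realm] section. The Python below is an added illustration, not part of the thread and not Heimdal's code: it performs that lookup (an exact host entry first, then parent domains written with a leading dot) over a constructed krb5.conf fragment with hypothetical realm names, and shows why a bare short name such as "foo" can only be resolved by a one-to-one entry.

```python
"""Resolve a service host to a Kerberos realm the way [domain_realm]
lookups work. Sample configuration and realm names are constructed."""
import re

# Constructed krb5.conf fragment (hypothetical realms, not from the thread).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = KRB.LARA.COM

[domain_realm]
    foo = W2K.LARA.COM              # one-to-one entry for a short name
    .w2k.lara.com = W2K.LARA.COM    # leading dot: every host in the domain
    .lara.com = KRB.LARA.COM
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict with lower-cased keys."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # drop comments
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def resolve_realm(hostname, mapping):
    """Exact host entry first, then each parent domain with a leading dot,
    longest suffix first. A short name has no parent domains, so without a
    one-to-one entry it cannot be mapped and None is returned."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def realm_for_service_principal(principal, mapping):
    """Map 'service/hostname' (optionally with '@REALM') to a realm."""
    _, _, host = principal.split("@", 1)[0].partition("/")
    return resolve_realm(host, mapping) if host else None
```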
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
