directory-dev mailing list archives

From azahur <aza...@gmail.com>
Subject ApacheDS and cross-realm authentication
Date Thu, 31 Jul 2008 01:05:25 GMT
I am trying to implement cross-realm authentication between ApacheDS and
Windows 2003 domains.

Here is the setup.
2 Windows 2003 domains with a parent-child relationship.
1 ApacheDS realm (EXAMPLE.COM).
I have set up a cross-realm trust between the parent domain and
EXAMPLE.COM by using the Windows MMC "add new trust" wizard, and have
added the following in the server.xml on the ApacheDS side.

dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: krb5Principal
objectclass: krb5KDCEntry
objectclass: top
cn: Kerberos Server
givenname: Kerberos
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM
ou: Directory
ou: Users
sn: Server
uid: krbtgtIncomingTrust
userpassword: password
dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: krb5Principal
objectclass: krb5KDCEntry
objectclass: top
cn: Kerberos Server
givenname: Kerberos
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
ou: Directory
ou: Users
sn: Server
uid: krbtgtOutGoingTrust
userpassword: password

and I have modified an XP client also so that it can see the new
EXAMPLE.COM realm, and changed the hosts file also to tell it where
kdc.example.com is. I have also mapped the test user "erodriguez" of the
Example.com domain with a user in the PARENT.LOCAL.COM domain (Windows
domain) by going through the AD Users and Computers MMC.

So now in the Windows GINA screen I log in as erodriguez, select the
EXAMPLE.COM domain, and am able to log on to the computer. Then I access the
network neighborhood and I can browse through resources provided by
PARENT.LOCAL.COM, but when I try to access resources in
CHILD.PARENT.LOCAL.COM I get the error

\\Appserver (computer name in child domain) is not accessible. You might
not have permission to use this network resource. Contact the administrator
of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.

Why would I be unable to access the child domain resources? Is the initial
TGT that is issued only good for the parent domain, and can it not be used
for other domains even though a transitive two-way trust is established
between all the domains?
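As an added example (not part of the post or of ApacheDS), the following Python script parses the krb5PrincipalName values from the two entries above and, for an assumed two-way trust topology taken from the post, lists the cross-realm krbtgt principal that each hop on the path from the ApacheDS realm to the child domain needs. It makes visible which hops the ApacheDS entries cover and which run purely between the Windows DCs; the trust list and realm names are assumptions based on the description above.

```python
import re
from collections import deque
# Constructed input: the post's two krb5KDCEntry records, cut down to one attribute.
APACHEDS_LDIF = """\
dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
"""
# Assumed topology from the post: two-way ApacheDS/parent trust plus parent/child.
TRUSTS = [("EXAMPLE.COM", "PARENT.LOCAL.COM"),
          ("PARENT.LOCAL.COM", "CHILD.PARENT.LOCAL.COM")]
APACHEDS_REALM = "EXAMPLE.COM"

def parse_principals(ldif):
    """Set of krb5PrincipalName values present in an LDIF text."""
    return set(re.findall(r"(?im)^krb5principalname:\s*(\S+)", ldif))

def realm_path(src, dst, trusts):
    """Shortest chain of realms from src to dst over two-way trusts (BFS)."""
    adj = {}
    for a, b in trusts:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def required_tgts(src, dst, trusts, apacheds_principals):
    """Per hop A->B on the path: the cross-realm TGT krbtgt/B@A that A's KDC
    issues and B's KDC must decrypt, with its status on the ApacheDS side."""
    path = realm_path(src, dst, trusts)
    if path is None:
        return None
    hops = []
    for a, b in zip(path, path[1:]):
        princ = f"krbtgt/{b}@{a}"
        if APACHEDS_REALM not in (a, b):
            hops.append((princ, "windows-dc"))  # both KDCs are Windows DCs
        else:
            hops.append((princ, "present" if princ in apacheds_principals else "MISSING"))
    return hops
```

Running `required_tgts("EXAMPLE.COM", "CHILD.PARENT.LOCAL.COM", TRUSTS, parse_principals(APACHEDS_LDIF))` shows that the ApacheDS side only participates in the first hop; the second hop's krbtgt key lives on the parent and child DCs.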
