directory-dev mailing list archives
From azahur <aza...@gmail.com>
Subject Re: Apache DS and Cross realm authentication
Date Thu, 31 Jul 2008 01:08:44 GMT
One correction: the modifications were made to kerberos-example.ldif and not
server.xml, for it to be able to trust Windows domains.

On 7/30/08, azahur <azahur@gmail.com> wrote:
>
> I am trying to implement cross-realm authentication between ApacheDS and
> Windows 2003 domains.
>
> Here is the setup.
> 2 Windows 2003 domains with a parent-child relationship.
> 1 ApacheDS realm (EXAMPLE.COM).
> I have set up a cross-realm trust between the parent domain and EXAMPLE.COM
> by using the Windows MMC "add new trust" wizard, and have added the following
> in the server.xml on the ApacheDS side.
>
>
> dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> objectclass: top
> cn: Kerberos Server
> givenname: Kerberos
> krb5KeyVersionNumber: 0
> krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM
> ou: Directory
> ou: Users
> sn: Server
> uid: krbtgtIncomingTrust
> userpassword: password
>
>
> dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> objectclass: top
> cn: Kerberos Server
> givenname: Kerberos
> krb5KeyVersionNumber: 0
> krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
> ou: Directory
> ou: Users
> sn: Server
> uid: krbtgtOutGoingTrust
> userpassword: password
>
> and I have modified an XP client also so that it can see the new
> EXAMPLE.COM realm, and changed the hosts file also to
> tell it where kdc.example.com is. I have also mapped the test user
> "erodriguiez" of the Example.com domain with a user in the PARENT.LOCAL.COM
> domain (Windows domain) by going through the AD Users and Computers MMC.
>
>
>
> So now in the Windows GINA screen I log in as erodriguez and select the
> EXAMPLE.COM domain and am able to log on to the
> computer. Then I access the network neighborhood and I can browse through
> resources provided by PARENT.LOCAL.COM, but when
> I try to access resources in CHILD.PARENT.LOCAL.COM I
> get the error
>
> *\\Appserver (computer name in child domain) is not accessible. You
> might not have permission to use this network resource. Contact the
> administrator of this server to find out if you have access permissions.*
>
> *Logon Failure: The target account name is incorrect.*
>
> Why would I be unable to access the child domain resources? Is the initial
> TGT that is issued only good for the parent domain, and cannot be used for
> other domains even though a transitive two-way trust is established between
> all the domains?
>

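As an added example (not code from the original post or from the ApacheDS project), the following Python generates the pair of krbtgt entries the post adds to kerberos-example.ldif for one cross-realm trust, and checks a copy of the posted LDIF for remote realms that have no such pair. The base DN, attribute layout and realm names follow the post; the uid naming scheme, the abbreviated transcription of the posted entries, and the parse_ldif and missing_trust_principals helpers are this example's own assumptions.

```python
# Added example, not from the thread or from ApacheDS: build the two
# krb5KDCEntry objects one Kerberos cross-realm trust needs, and report
# which trust directions an LDIF is missing.

DEFAULT_BASE_DN = "ou=users,dc=example,dc=com"  # assumed; matches the post


def krbtgt_entry(service_realm, issuing_realm, uid, password,
                 base_dn=DEFAULT_BASE_DN, kvno=0):
    """LDIF for the cross-realm principal krbtgt/<service_realm>@<issuing_realm>,
    laid out exactly like the entries quoted in the post."""
    principal = f"krbtgt/{service_realm}@{issuing_realm}"
    lines = [
        f"dn: uid={uid},{base_dn}",
        "objectclass: person",
        "objectclass: organizationalPerson",
        "objectclass: inetOrgPerson",
        "objectclass: krb5Principal",
        "objectclass: krb5KDCEntry",
        "objectclass: top",
        "cn: Kerberos Server",
        "givenname: Kerberos",
        f"krb5KeyVersionNumber: {kvno}",
        f"krb5PrincipalName: {principal}",
        "ou: Directory",
        "ou: Users",
        "sn: Server",
        f"uid: {uid}",
        f"userpassword: {password}",
    ]
    return "\n".join(lines) + "\n"


def cross_realm_pair(local_realm, remote_realm, trust_password,
                     base_dn=DEFAULT_BASE_DN):
    """Both directions of one trust between the ApacheDS realm and a remote realm.
    Incoming: krbtgt/LOCAL@REMOTE, the cross-realm TGT the remote KDC issues for us.
    Outgoing: krbtgt/REMOTE@LOCAL, the cross-realm TGT our KDC issues for the remote.
    Both carry the same trust password: each KDC derives the shared key from it."""
    tag = remote_realm.lower().replace(".", "-")  # uid scheme is this example's own
    return (krbtgt_entry(local_realm, remote_realm, f"krbtgt-{tag}-incoming",
                         trust_password, base_dn)
            + "\n"
            + krbtgt_entry(remote_realm, local_realm, f"krbtgt-{tag}-outgoing",
                           trust_password, base_dn))


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    attribute names lower-cased, values collected into lists. Base64 (::) values
    and line continuations are not handled; the posted entries use neither."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def principals_in(entries):
    return {p for e in entries for p in e.get("krb5principalname", [])}


def missing_trust_principals(entries, local_realm, remote_realms):
    """For each remote realm, list the krbtgt principals the LDIF does not define."""
    have = principals_in(entries)
    missing = []
    for remote in remote_realms:
        for principal in (f"krbtgt/{local_realm}@{remote}",
                          f"krbtgt/{remote}@{local_realm}"):
            if principal not in have:
                missing.append(principal)
    return missing


# Abbreviated transcription of the two entries quoted in the post (constructed
# test input; the attribute-name casing is kept as posted).
POSTED_LDIF = """\
dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM
uid: krbtgtIncomingTrust
userpassword: password

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
uid: krbtgtOutGoingTrust
userpassword: password
"""

if __name__ == "__main__":
    print(cross_realm_pair("EXAMPLE.COM", "PARENT.LOCAL.COM", "password"))
    posted = parse_ldif(POSTED_LDIF)
    print(missing_trust_principals(posted, "EXAMPLE.COM",
                                   ["PARENT.LOCAL.COM", "CHILD.PARENT.LOCAL.COM"]))
```

Run against the posted entries with CHILD.PARENT.LOCAL.COM in the realm list, the check reports that neither krbtgt/EXAMPLE.COM@CHILD.PARENT.LOCAL.COM nor krbtgt/CHILD.PARENT.LOCAL.COM@EXAMPLE.COM is defined; the only direct trust entries in the LDIF are with PARENT.LOCAL.COM. Whatever the realm set, the userpassword on both entries of a pair has to be the trust password entered in the Windows trust wizard, since that is the secret both KDCs derive the cross-realm key from; a mismatch fails every ticket crossing that trust.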