directory-dev mailing list archives

From azahur <aza...@gmail.com>
Subject Re: Apached DS and Cross realm authentication
Date Wed, 13 Aug 2008 19:15:41 GMT
Just wanted to bump it up to see if anyone has any idea what the problem
might be.

On 7/30/08, azahur <azahur@gmail.com> wrote:
>
> One correction: the modifications were made to kerberos-example.ldif and not
> server.xml, for it to be able to trust Windows domains.
>
> On 7/30/08, azahur <azahur@gmail.com> wrote:
>>
>> I am trying to implement cross-realm authentication between ApacheDS and
>> Windows 2003 domains.
>>
>> Here is the setup.
>> 2 Windows 2003 domains with a parent-child relationship.
>> 1 ApacheDS realm (EXAMPLE.COM).
>> I have set up a cross-realm trust between the parent domain and
>> EXAMPLE.COM by using the Windows MMC Add New Trust wizard, and have
>> added the following in the server.xml on the ApacheDS side.
>>
>>
>> dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
>> objectclass: person
>> objectclass: organizationalPerson
>> objectclass: inetOrgPerson
>> objectclass: krb5Principal
>> objectclass: krb5KDCEntry
>> objectclass: top
>> cn: Kerberos Server
>> givenname: Kerberos
>> krb5KeyVersionNumber: 0
>> krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM
>> ou: Directory
>> ou: Users
>> sn: Server
>> uid: krbtgtIncomingTrust
>> userpassword: password
>>
>>
>> dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
>> objectclass: person
>> objectclass: organizationalPerson
>> objectclass: inetOrgPerson
>> objectclass: krb5Principal
>> objectclass: krb5KDCEntry
>> objectclass: top
>> cn: Kerberos Server
>> givenname: Kerberos
>> krb5KeyVersionNumber: 0
>> krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
>> ou: Directory
>> ou: Users
>> sn: Server
>> uid: krbtgtOutGoingTrust
>> userpassword: password
>>
>> and I have also modified an XP client so that it can see the new
>> EXAMPLE.COM realm, and changed the hosts file to tell it where
>> kdc.example.com is. I have also mapped the test user "erodriguiez" of the
>> Example.com domain to a user in the PARENT.LOCAL.COM domain (Windows
>> domain) by going through the AD Users and Computers MMC.
>>
>>
>>
>> So now in the Windows GINA screen I log in as erodriguez, select the
>> EXAMPLE.COM domain, and am able to log on to the computer. Then I open
>> Network Neighborhood and I can browse through resources provided by
>> PARENT.LOCAL.COM, but when I try to access resources in
>> CHILD.PARENT.LOCAL.COM I get the error
>>
>> \\Appserver (computer name in child domain) is not accessible. You
>> might not have permission to use this network resource. Contact the
>> administrator of this server to find out if you have access permissions.
>>
>> Logon Failure: The target account name is incorrect.
>>
>> Why would I be unable to access the child domain resources? Is the initial
>> TGT that is issued only good for the parent domain and not usable in
>> other domains, even though a transitive two-way trust is established between
>> all the domains?
>
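The question above turns on which cross-realm ticket-granting tickets a client has to chain through to reach a resource two trusts away, and which krbtgt keys each KDC on that path has to hold. The script below is an added example, not code from the thread or from Apache Directory Server: it models the hop rules from RFC 4120 (a client in realm A obtains krbtgt/B@A from A's KDC, presents it to B for krbtgt/C@B, and the final ticket's transited field records the intermediate realms), walks the trust topology the poster described (reconstructed here and therefore an assumption), and checks which of the required principals the quoted LDIF fragment actually defines for the EXAMPLE.COM KDC. The LDIF text is a constructed copy of the two krbtgt entries above, trimmed to the attribute that matters.

```python
"""Walk the cross-realm referral path a Kerberos client follows through a
chain of trusts, list the krbtgt principal each hop depends on, and check
which of them the LDIF fragment defines for the local KDC.

Added example, not from the thread or from ApacheDS. The trust topology is
reconstructed from the thread's description and is an assumption; the hop
rules follow RFC 4120 (krbtgt/REMOTE@LOCAL per hop, transited field)."""
from collections import deque

# Constructed copy of the two krbtgt entries quoted in the thread, trimmed
# to the attribute the check below needs.
LDIF = """\
dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
"""

# Assumed topology: a pair (A, B) means A's KDC holds a key for krbtgt/B@A
# and can therefore hand a client a TGT usable at realm B. Two-way trusts
# appear as both directions; parent/child in AD is two-way and transitive.
TRUSTS = {
    ("EXAMPLE.COM", "PARENT.LOCAL.COM"),
    ("PARENT.LOCAL.COM", "EXAMPLE.COM"),
    ("PARENT.LOCAL.COM", "CHILD.PARENT.LOCAL.COM"),
    ("CHILD.PARENT.LOCAL.COM", "PARENT.LOCAL.COM"),
}


def parse_principals(ldif):
    """Return the set of krb5principalname values found in an LDIF text."""
    names = set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "krb5principalname":
            names.add(value.strip())
    return names


def referral_path(client_realm, target_realm, trusts):
    """Shortest chain of realms from client to target, or None if no path."""
    previous = {client_realm: None}
    queue = deque([client_realm])
    while queue:
        realm = queue.popleft()
        if realm == target_realm:
            path = []
            while realm is not None:
                path.append(realm)
                realm = previous[realm]
            return path[::-1]
        for src, dst in trusts:
            if src == realm and dst not in previous:
                previous[dst] = realm
                queue.append(dst)
    return None


def required_krbtgt(path):
    """The cross-realm TGT principal requested at each hop: krbtgt/NEXT@CURRENT."""
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]


def transited_realms(path):
    """Realms the final ticket's transited field will list (everything but the
    client's and the server's own realm)."""
    return path[1:-1]


def audit_local_kdc(local_realm, principals, required):
    """Sort the required principals into those this KDC must hold (it is the
    issuer, after '@', or the validator, after 'krbtgt/'), flag the ones the
    LDIF lacks, and set aside those that live on other realms' KDCs."""
    report = {"hosted_here": [], "missing_here": [], "other_kdcs": []}
    for name in required:
        remote = name[len("krbtgt/"):name.index("@")]
        issuer = name[name.index("@") + 1:]
        if local_realm in (remote, issuer):
            bucket = "hosted_here" if name in principals else "missing_here"
        else:
            bucket = "other_kdcs"
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    path = referral_path("EXAMPLE.COM", "CHILD.PARENT.LOCAL.COM", TRUSTS)
    need = required_krbtgt(path)
    print("referral path :", " -> ".join(path))
    print("krbtgt per hop:", need)
    print("transited     :", transited_realms(path))
    print("local KDC     :", audit_local_kdc("EXAMPLE.COM", parse_principals(LDIF), need))
```

Run as-is it reports the path EXAMPLE.COM -> PARENT.LOCAL.COM -> CHILD.PARENT.LOCAL.COM, shows that the only hop the EXAMPLE.COM KDC is responsible for (krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM) is present in the LDIF, and that the second hop's key (krbtgt/CHILD.PARENT.LOCAL.COM@PARENT.LOCAL.COM) is owned by the Windows parent and child KDCs, not by ApacheDS. The transited list makes explicit that the child realm receives a ticket that crossed PARENT.LOCAL.COM, which is the realm whose trust policy the child KDC applies when it accepts or rejects the chain.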
