directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: Apached DS and Cross realm authentication
Date Wed, 13 Aug 2008 20:30:57 GMT
Cross realm authentication has not been implemented, I think.  Well, this
catalog thingy was put into the Krb server a while back, but I have not seen
it in action.

In a couple months we intend to refactor the KDC code to make sure a proper
mechanism is used to enable multiple domains in the server.  Until then you
might want to take a look at the code yourself.  You're always welcome to
get involved.

Cheers,
Alex

On Wed, Aug 13, 2008 at 3:15 PM, azahur <azahur@gmail.com> wrote:

> just wanted to bump it up to see if anyone has any idea what might the
> problem be
>
>
> On 7/30/08, azahur <azahur@gmail.com> wrote:
>>
>> One correction: the modifications were made to kerberos-example.ldif and
>> not server.xml, for it to be able to trust Windows domains
>>
>> On 7/30/08, azahur <azahur@gmail.com> wrote:
>>>
>>> I am trying to implement cross realm authentication between apacheds and
>>> Windows 2003 domains
>>>
>>> Here is the setup.
>>> 2 Windows 2003 domains with a parent-child relationship.
>>> 1 ApacheDS realm (EXAMPLE.COM).
>>> I have set up a cross realm trust between the parent domain and
>>> EXAMPLE.COM by using the Windows MMC Add New Trust
>>> wizard, and have added the following in the server.xml on the apacheds side.
>>>
>>>
>>> dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
>>> objectclass: person
>>> objectclass: organizationalPerson
>>> objectclass: inetOrgPerson
>>> objectclass: krb5Principal
>>> objectclass: krb5KDCEntry
>>> objectclass: top
>>> cn: Kerberos Server
>>> givenname: Kerberos
>>> krb5KeyVersionNumber: 0
>>> krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM
>>> ou: Directory
>>> ou: Users
>>> sn: Server
>>> uid: krbtgtIncomingTrust
>>> userpassword: password
>>>
>>>
>>> dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
>>> objectclass: person
>>> objectclass: organizationalPerson
>>> objectclass: inetOrgPerson
>>> objectclass: krb5Principal
>>> objectclass: krb5KDCEntry
>>> objectclass: top
>>> cn: Kerberos Server
>>> givenname: Kerberos
>>> krb5KeyVersionNumber: 0
>>> krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
>>> ou: Directory
>>> ou: Users
>>> sn: Server
>>> uid: krbtgtOutGoingTrust
>>> userpassword: password
>>>
>>> and I have modified an XP client also so that it can see the new
>>> EXAMPLE.COM realm and changed the hosts file also
>>> to tell it where kdc.example.com is. I have also mapped the test user
>>> "erodriguiez" of the Example.com domain with a user in the PARENT.LOCAL.COM domain
>>> (Windows domain) by going through the AD Users and Computers MMC.
>>>
>>>
>>>
>>> So now in the Windows GINA screen I log in as erodriguez and select the
>>> EXAMPLE.COM domain and am able to log on to the
>>> computer. Then I access the network neighborhood and I can browse through
>>> resources provided by PARENT.LOCAL.COM, but
>>> when I try to access resources in CHILD.PARENT.LOCAL.COM I
>>> get the error
>>>
>>> \\Appserver (computer name in child domain) is not accessible. You
>>> might not have permission to use this network resource. Contact the
>>> administrator of this server to find out if you have access permissions.
>>>
>>> Logon Failure: The target account name is incorrect.
>>>
>>> Why would I be unable to access the child domain resources? Is the initial
>>> TGT that is issued only good for the parent domain, and can it not be used for
>>> other domains even though a transitive two-way trust is established between
>>> all the domains?


-- 
Microsoft gives you Windows, Linux gives you the whole house ...
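An added example (not from the thread and not ApacheDS code): a small Python checker that parses LDIF like the two entries quoted above and verifies that both krbtgt trust principals of a two-way trust are present, carry the krb5KDCEntry objectclass, and are not keyed with a placeholder password. It assumes standard Kerberos cross-realm naming (krbtgt/REMOTE@LOCAL is issued by LOCAL's KDC) and only handles simple `attr: value` LDIF lines; the sample LDIF is constructed from the posted entries.

```python
import re

LOCAL_REALM = "EXAMPLE.COM"        # the ApacheDS realm
REMOTE_REALM = "PARENT.LOCAL.COM"  # the Windows parent domain

# Constructed LDIF mirroring the two trust entries quoted in the thread.
SAMPLE_LDIF = """dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM
userpassword: password

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
userpassword: password
"""

def parse_ldif(text):
    """Split LDIF into entries: one dict per entry, lowercased attr -> list of values.
    Simplified parser: no base64 ('::') values, no line continuations."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_trust_pair(ldif_text, local, remote):
    """Return a list of findings; an empty list means both trust principals look consistent."""
    findings = []
    by_principal = {p: e for e in parse_ldif(ldif_text)
                    for p in e.get("krb5principalname", [])}
    # Outgoing: LOCAL's KDC issues krbtgt/REMOTE@LOCAL to its own users.
    # Incoming: LOCAL's KDC needs the key of krbtgt/LOCAL@REMOTE, issued by REMOTE.
    for direction, svc_realm, issuing_realm in (("outgoing", remote, local),
                                                ("incoming", local, remote)):
        princ = f"krbtgt/{svc_realm}@{issuing_realm}"
        entry = by_principal.get(princ)
        if entry is None:
            findings.append(f"missing {direction} trust principal {princ}")
            continue
        if "krb5kdcentry" not in [c.lower() for c in entry.get("objectclass", [])]:
            findings.append(f"{princ} lacks objectclass krb5KDCEntry")
        if entry.get("userpassword", [""])[0].lower() in ("", "password", "secret"):
            findings.append(f"{princ} uses a placeholder password; the trust key must "
                            "be strong and identical on both KDCs")
    return findings
```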
