Cross-realm authentication has not been implemented, I think. Well, this catalog thingy was put into the Krb server a while back, but I have not seen it in action.

In a couple of months we intend to refactor the KDC code to make sure a proper mechanism is used to enable multiple domains in the server. Until then you might want to take a look at the code yourself. You're always welcome to get involved.

Cheers,
Alex

On Wed, Aug 13, 2008 at 3:15 PM, azahur <azahur@gmail.com> wrote:
Just wanted to bump it up to see if anyone has any idea what the problem might be.


On 7/30/08, azahur <azahur@gmail.com> wrote:
One correction: the modifications were made to kerberos-example.ldif and not server.xml, for it to be able to trust Windows domains.


On 7/30/08, azahur <azahur@gmail.com> wrote:
I am trying to implement cross-realm authentication between ApacheDS and Windows 2003 domains.

Here is the setup.
Two Windows 2003 domains with a parent-child relationship.
One ApacheDS realm (EXAMPLE.COM).
I have set up a cross-realm trust between the parent domain and EXAMPLE.COM by using the Windows MMC "New Trust" wizard, and have added the following in the server.xml on the ApacheDS side.

dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: krb5Principal
objectclass: krb5KDCEntry
objectclass: top
cn: Kerberos Server
givenname: Kerberos
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM
ou: Directory
ou: Users
sn: Server
uid: krbtgtIncomingTrust
userpassword: password


dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: krb5Principal
objectclass: krb5KDCEntry
objectclass: top
cn: Kerberos Server
givenname: Kerberos
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
ou: Directory
ou: Users
sn: Server
uid: krbtgtOutGoingTrust
userpassword: password

I have also modified an XP client so that it can see the new EXAMPLE.COM realm, and changed the hosts file as well to tell it where kdc.example.com is. I have also mapped the test user "erodriguiez" of the Example.com domain to a user in the PARENT.LOCAL.COM domain (Windows domain) by going through the AD Users and Computers MMC.

So now in the Windows GINA screen I log in as erodriguez, select the EXAMPLE.COM domain, and am able to log on to the computer. Then I access the network neighborhood and I can browse through resources provided by PARENT.LOCAL.COM, but when I try to access resources in CHILD.PARENT.LOCAL.COM I get the error

\\Appserver (computer name in child domain) is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.

Why would I be unable to access the child domain resources? Is the initial TGT that is issued only good for the parent domain, and unusable for other domains, even though a transitive two-way trust is established between all the domains?

--
Microsoft gives you Windows, Linux gives you the whole house ...
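The trust-chain question at the end of the quoted post, worked as an added example (not code from this thread or from ApacheDS): assuming the krbtgt entries and the Windows parent/child trust exactly as the post describes them, this extracts the krbtgt principals from the LDIF, finds the realm chain from EXAMPLE.COM to CHILD.PARENT.LOCAL.COM, and reports which cross-realm TGT each hop needs and whether the ApacheDS KDC holds it. It does not test whether the KDC actually issues cross-realm tickets, which is the point of the reply at the top of the thread.

```python
import re
from collections import deque

# Constructed excerpt of the krbtgt entries from the posted kerberos-example.ldif (attributes this check reads).
LDIF = """\
dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
"""

# Two-way trusts as undirected edges: the LDIF pair above, plus the Windows parent/child trust from the post.
TRUSTS = [("EXAMPLE.COM", "PARENT.LOCAL.COM"),
          ("PARENT.LOCAL.COM", "CHILD.PARENT.LOCAL.COM")]

def krbtgt_principals(ldif):
    """Every krbtgt/<REMOTE>@<LOCAL> krb5PrincipalName value (LDAP attribute names are case-insensitive)."""
    return set(re.findall(r"(?im)^krb5principalname:\s*(krbtgt/[^@\s]+@\S+)", ldif))

def trust_path(trusts, src, dst):
    """Shortest realm chain from src to dst over two-way trusts (BFS); None if dst is unreachable."""
    adj = {}
    for a, b in trusts:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            path = []
            while realm is not None:
                path.append(realm)
                realm = prev[realm]
            return path[::-1]
        for nxt in sorted(adj.get(realm, ())):
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    return None

def local_kdc_report(ldif, local_realm, path):
    """Per hop A->B: the cross-realm TGT krbtgt/B@A that A's KDC must issue; True/False if this KDC must hold it, None if another realm's KDC issues it."""
    held = krbtgt_principals(ldif)
    report = []
    for a, b in zip(path, path[1:]):
        principal = f"krbtgt/{b}@{a}"
        report.append((a, principal, principal in held if a == local_realm else None))
    return report
```

For the posted setup the report shows the ApacheDS KDC holds the first hop's principal, while the second hop (PARENT.LOCAL.COM to CHILD) is issued by the Windows parent KDC, so the client's EXAMPLE.COM TGT alone never reaches the child realm.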