Thanks for all the replies, guys.. (I love this mailing
list) :-)

After spending some time understanding the Kerberos
concept in Windows, I believe that to achieve my goal,
I need to create a two-way trust relationship between
the Windows 2000 domain and my Kerberos realm on the Linux
machine (just like what Robbie has suggested).

The following is an excerpt from windows 2000 Kerberos
Interoperability white paper (page 15):

Two-Way Trust
...
Goals
The analysts authenticate to the Kerberos realm and
can then access both UNIX-based resources and Windows
2000-based applications and services.

    * Kerberos Clients: Windows 2000 Professional
    * Kerberos KDC: UNIX-based Kerberos V5 KDC
    * Target Resource: Windows Application, File and Print Services

Implementation
This scenario builds on the client configuration and
one-way trust implementations. First, the Windows
2000-based clients will be configured to logon to the
Kerberos realm as discussed earlier. Secondly, a
one-way trust relationship must be set up between the
Windows 2000 domain and the Kerberos realm (the
Windows domain trusts the Kerberos realm as an account
domain). Finally, each Kerberos principal in the realm
must have a corresponding Windows 2000 account. Each
corresponding account (proxy account) in Windows 2000
must have the AltSecurityId property populated with
the Kerberos principal name including the realm, for
example, [EMAIL PROTECTED] 

....

Currently, I'm in the middle of trying to implement
the above hints. I have added the external trust in my
win2k domain. I have configured the client to
authenticate to my linux's kerberos realm using ksetup
(thanks Robbie)...

BUT.... I'm stuck with the account mapping. I've
already got a win2k account for my Kerberos principal in
Linux. Then the hint says that the mapping is
contained in the AltSecurityId property of each win2k
user.

The problem is that I don't know how to set this
AltSecurityId. I can't find it in the Active Directory
Users and Computer.

Where can I set the AltSecurityId to my Linux Kerberos
realm? (This might be a dummy question, but I've
tried to seek help on the net, but couldn't find
anything)

Thanks a bunch,
Lara
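An added example (not from this thread) of how the proxy-account mapping from the white paper excerpt can be set and then audited with the ActiveDirectory PowerShell module; it assumes the white paper's "AltSecurityId" is the LDAP attribute altSecurityIdentities, that AD expects the value in the form Kerberos:user@REALM, and that the account name lara is a constructed sample.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and rights to modify the target user. The white paper's "AltSecurityId" is
# the LDAP attribute altSecurityIdentities; AD expects Kerberos mappings as
# "Kerberos:principal@REALM" (realm kept exactly as typed, MIT realms are
# conventionally upper-case).
Import-Module ActiveDirectory

function Set-KerberosNameMapping {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # the Windows proxy account
        [Parameter(Mandatory)] [string] $Principal         # e.g. lara@MIT.KERBREALM.COM (constructed)
    )
    # Refuse anything that is not user@REALM; a malformed value silently never matches.
    if ($Principal -notmatch '^[^@\s]+@[^@\s]+$') {
        throw "Principal must look like user@REALM, got '$Principal'"
    }
    $mapping = "Kerberos:$Principal"
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $mapping) {
        Write-Verbose "$SamAccountName already maps $mapping"
        return
    }
    if ($PSCmdlet.ShouldProcess($SamAccountName, "add $mapping")) {
        # -Add appends to the multi-valued attribute instead of overwriting other mappings.
        Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
        # Read back to confirm the write landed on the DC we talked to.
        $check = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
        if ($check.altSecurityIdentities -notcontains $mapping) {
            throw "Mapping for $SamAccountName did not persist"
        }
    }
}

function Get-KerberosNameMapping {
    # Audit view: every account that a foreign-realm principal can log on as.
    # Each mapping is a trust decision, so review this list periodically.
    Get-ADUser -LDAPFilter '(altSecurityIdentities=Kerberos:*)' -Properties altSecurityIdentities |
        ForEach-Object {
            foreach ($m in $_.altSecurityIdentities) {
                if ($m -like 'Kerberos:*') {
                    # "Kerberos:" is 9 characters; the rest is the principal
                    [pscustomobject]@{ Account = $_.SamAccountName; Principal = $m.Substring(9) }
                }
            }
        }
}

# Usage (constructed sample values); add -WhatIf to preview the change
Set-KerberosNameMapping -SamAccountName 'lara' -Principal 'lara@MIT.KERBREALM.COM' -Verbose
Get-KerberosNameMapping | Format-Table -AutoSize
```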

--- Robbie Foust <[EMAIL PROTECTED]> wrote:
> You actually don't configure AD, what you need to do
> is run ksetup.exe 
> on the workstations (must be 2000 or XP) and add the
> kerberos realm & 
> kerberos servers. (ksetup is part of the support
> tools). For example:
> 
> C:\> ksetup /addkdc MIT.KERBREALM.COM
> kserver.kerb.com
> 
> and then when the user logs in, they must select
> that realm from the 
> drop down list.
> 
> Also, the user account in AD needs to have the
> kerberos name mapping 
> added so AD will know how to match up the accounts. 
> The name mapping 
> would be something like "[EMAIL PROTECTED]".
> 
> So basically, the password stored in AD is ignored. 
> Let me know if this 
> helps, or if this isn't what you're trying to do at
> all. :-)
> 
> Robbie Foust, IT Analyst
> Systems and Core Services
> Duke University
> 
> 
> 
> 
> Lara Adianto wrote:
> > Hi guys,
> >  
> > As what the subject title said: can Microsoft
> Active Directory be 
> > configured to authenticate to an external ldap
> server (openLDAP in my 
> > case) ?
> >  
> > To make things clearer, this is the objective that
> I want to achieve:
> > I want authentication of Microsoft Active
> Directory's clients to be 
> > done by OpenLDAP server on Linux. So, when a
> client of Microsoft Active 
> > Directory authenticates itself to MS AD, MS AD
> will ask openLDAP for 
> > authentication service. openLDAP will return
> reject or allow to 
> > MS AD. 
> >  
> > I believe that this can be achieved by using
> Kerberos. I currently have 
> > GSSAPI mechanism running on my openLDAP server,
> but I am not sure how to 
> > make MS AD talk to my openLDAP server.
> >  
> > Any idea, suggestions, hints will be very
> appreciated....
> >  
> > Cheers
> > - Lara -
> >  
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
