I think what you are looking for is this... In AD Users & Computers, click on "View" at the top and turn on "Advanced Features." Then, right click on the user account and click on "Name Mappings..." Then click on the "Kerberos Names" tab and add the principal name there (such as [EMAIL PROTECTED]).
Hope this helps!
- Robbie
Robbie Foust, IT Analyst Systems and Core Services Duke University
Lara Adianto wrote:
Thanks for all the replies guys..(I love this mailing list) :-)
After spending sometimes understanding the kerberos concept in windows, I believe that to achieve my goal, I need to create a two way trust relationship between the windows 2000 domain and my kerberos realm on linux machine (just like what Robbie has suggested)
The following is an excerpt from windows 2000 Kerberos Interoperability white paper (page 15):
Two-Way Trust ... Goals The analysts authenticate to the Kerberos realm and can then access both UNIX-based resources and Windows 2000-based applications and services.
* Kerberos Clients: Windows 2000 Professional
* Kerberos KDC: UNIX-based Kerberos V5 KDC
* Target Resource: Windows Application, File and
Print Services
Implementation
This scenario builds on the client configuration and
one-way trust implementations. First, the Windows
2000-based clients will be configured to logon to the
Kerberos realm as discussed earlier. Secondly, a
one-way trust relationship must be set up between the
Windows 2000 domain and the Kerberos realm (the
Windows domain trusts the Kerberos realm as an account
domain). Finally, each Kerberos principal in the realm
must have a corresponding Windows 2000 account. Each
corresponding account (proxy account) in Windows 2000
must have the AltSecurityId property populated with
the Kerberos principal name including the realm, for
example, [EMAIL PROTECTED]
....
Currently, I'm in the middle of trying to implement the above hints. I have added the external trust in my win2k domain. I have configured the client to authenticate to my linux's kerberos realm using ksetup (thanks Robbie)...
BUT....I'm stucked with the account mapping. I've
already got win2k account for my kerberos principal in
linux. Then the hint says that the mapping is
contained in the AltSecurityId property of each win2k
user.
The problem is that I don't know how to set this AltSecurityId. I can't find it in the Active Directory Users and Computer.
Where can I set the AltSecurityId to my linux kerberos realm ? (This might be a dummy question, but I've tried to seek help on the net, but couldn't find anything)
Thanks a bunch, Lara
--- Robbie Foust <[EMAIL PROTECTED]> wrote:
You actually don't configure AD, what you need to do------------------------------------------------------------------------------------
is run ksetup.exe on the workstations (must be 2000 or XP) and add the
kerberos realm & kerberos servers. (ksetup is part of the support
tools). For example:
C:\> ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com
and then when the user logs in, they must select
that realm from the drop down list.
Also, the user account in AD needs to have the
kerberos name mapping added so AD will know how to match up the accounts. The name mapping would be something like "[EMAIL PROTECTED]".
So basically, the password stored in AD is ignored. Let me know if this helps, or if this isn't what you're trying to do at
all. :-)
Robbie Foust, IT Analyst Systems and Core Services Duke University
Lara Adianto wrote:
Hi guys,Active Directory be
As what the subject title said: can Microsoft
configured to authenticate to an external ldapserver (openLDAP in my
case) ?I want to achieve:
To make things clearer, this is the objective that
I want authentication of Microsoft ActiveDirectory's clients to be
done by OpenLDAP server on Linux. So, when aclient of Microsoft Active
Directory authenticates itself to MS AD, MS ADwill ask openLDAP for
authentication service. openLDAP will returnreturn reject or allow to
MS AD.Kerberos. I currently have
I believe that this can be achieved by using
GSSAPI mechanism running on my openLDAP server,but I am not sure how to
make MS AD talk to my openLDAP server.appreciated....
Any idea, suggestions, hints will be very
Cheers - Lara -
------------------------------------------------------------------------------------La vie, voyez-vous, ca n'est jamais si bon ni simauvais qu'on croit
- Guy de Maupassant -
<http://us.rd.yahoo.com/mailtag_us/*http://mail.yahoo.com>Do you Yahoo!?
*Yahoo! Mail*
http://www.mail-archive.com/activedir%40mail.activedir.org/- More reliable, more storage, less spamList info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
=====
------------------------------------------------------------------------------------ La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------
__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
