Thank you Robbie, but I still can't get it to work :-(
When a win2k client tries to log in using my linux kerberos realm, it fails with the error message: The system could not log you on. Make sure that the username and password are correct. Letters in the password must be typed in the correct case...bla bla bla
So...I'm wondering if I have missed some steps.
Let's say that I use the following values:
Windows realm: EXAMPLE.COM
Linux realm: EXAMPLE1.COM
username: lara
These are the steps that I followed:
1. Create an External trust for EXAMPLE.COM
- On Active Directory Domains and Trusts, for domain EXAMPLE.COM, I added EXAMPLE1.COM to 'Domains trusted by this domain'
2. Create Account Mapping
- On Active Directory Users and Computers, for user lara, I created the name mapping to kerberos realm: [EMAIL PROTECTED]
3. Configure client to log in using linux kerberos realm
- On client machine: ksetup /addkdc EXAMPLE1.COM kerberos.example1.com
That's it..
Am I missing something here? Like resolving DNS? Any case-sensitivity issue?
I also noticed that when I check the ksetup on my client:
C:> ksetup
default realm = example.com
EXAMPLE1.COM:
kdc = kerberos.example1.com
Failed to create Kerberos key: 5
Is this normal ?
Oh ya, btw my linux KDC is Heimdal and not MIT Kerberos, I hope this won't be an issue...
Fiuhh...This is not as simple as I thought...
Has anybody got this working before?
-lara-
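As an added example (not code from the thread or from any of its authors), the following Python script checks the three things this message asks about: that the realm is upper-case and registered via ksetup, that the KDC name resolves in DNS, and that the AD name mapping has the form AD stores in the altSecurityIdentities attribute when it is entered on the "Kerberos Names" tab (`Kerberos:lara@EXAMPLE1.COM`). The ksetup text is a constructed copy of the output quoted above; the resolver hook is an assumption that lets the checks run offline.

```python
"""Sanity checks for a Windows client logging on to an external Kerberos realm.
Added example, not code from the thread: parses what `ksetup` prints and checks
the AD name mapping, which AD stores in altSecurityIdentities as
"Kerberos:<principal>@<REALM>" when entered on the "Kerberos Names" tab."""
import re
import socket
# Constructed sample: the ksetup output quoted in the thread.
KSETUP_OUTPUT = """\
default realm = example.com
EXAMPLE1.COM:
kdc = kerberos.example1.com
Failed to create Kerberos key: 5
"""

def parse_ksetup(text):
    """Return ({realm: [kdc, ...]}, [lines that start with 'Failed'])."""
    realms, failures, current = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"[A-Za-z0-9.\-]+:", line):   # e.g. "EXAMPLE1.COM:"
            current = line[:-1]
            realms[current] = []
        elif line.lower().startswith("kdc =") and current:
            realms[current].append(line.split("=", 1)[1].strip())
        elif line.startswith("Failed"):
            failures.append(line)
    return realms, failures

def check_setup(ksetup_text, mapping, principal, realm, resolver=socket.gethostbyname):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    realms, failures = parse_ksetup(ksetup_text)
    if realm != realm.upper():
        findings.append(f"realm {realm!r} is not upper-case (realms are case-sensitive)")
    if realm not in realms:
        findings.append(f"realm {realm} was not added with 'ksetup /addkdc'")
    for kdc in realms.get(realm, []):
        try:
            resolver(kdc)  # socket.gaierror is a subclass of OSError
        except OSError:
            findings.append(f"KDC {kdc} does not resolve in DNS")
    expected = f"Kerberos:{principal}@{realm}"
    if mapping != expected:
        findings.append(f"name mapping {mapping!r} should be {expected!r}")
    findings.extend(failures)  # anything ksetup itself reported as failed
    return findings

if __name__ == "__main__":
    for f in check_setup(KSETUP_OUTPUT, "Kerberos:lara@EXAMPLE1.COM",
                         "lara", "EXAMPLE1.COM"):
        print("FINDING:", f)
```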
--- Robbie Foust <[EMAIL PROTECTED]> wrote:
> Hi Lara,
>
> I think what you are looking for is this... In AD Users & Computers,
> click on "View" at the top and turn on "Advanced Features." Then, right
> click on the user account and click on "Name Mappings..." Then click on
> the "Kerberos Names" tab and add the principal name there (such as
> [EMAIL PROTECTED]).
>
> Hope this helps!
>
> - Robbie
>
> Robbie Foust, IT Analyst
> Systems and Core Services
> Duke University
>
> Lara Adianto wrote:
>
> >Thanks for all the replies guys..(I love this mailing list) :-)
> >
> >After spending some time understanding the kerberos concept in windows,
> >I believe that to achieve my goal, I need to create a two way trust
> >relationship between the windows 2000 domain and my kerberos realm on
> >linux machine (just like what Robbie has suggested)
> >
> >The following is an excerpt from windows 2000 Kerberos Interoperability
> >white paper (page 15):
> >
> >Two-Way Trust
> >...
> >Goals
> >The analysts authenticate to the Kerberos realm and can then access both
> >UNIX-based resources and Windows 2000-based applications and services.
> >
> > * Kerberos Clients: Windows 2000 Professional
> > * Kerberos KDC: UNIX-based Kerberos V5 KDC
> > * Target Resource: Windows Application, File and Print Services
> >
> >Implementation
> >This scenario builds on the client configuration and one-way trust
> >implementations. First, the Windows 2000-based clients will be configured
> >to logon to the Kerberos realm as discussed earlier. Secondly, a one-way
> >trust relationship must be set up between the Windows 2000 domain and the
> >Kerberos realm (the Windows domain trusts the Kerberos realm as an account
> >domain). Finally, each Kerberos principal in the realm must have a
> >corresponding Windows 2000 account. Each corresponding account (proxy
> >account) in Windows 2000 must have the AltSecurityId property populated
> >with the Kerberos principal name including the realm, for example,
> >[EMAIL PROTECTED]
> >
> >....
> >
> >Currently, I'm in the middle of trying to implement the above hints. I
> >have added the external trust in my win2k domain. I have configured the
> >client to authenticate to my linux's kerberos realm using ksetup (thanks
> >Robbie)...
> >
> >BUT....I'm stuck with the account mapping. I've already got a win2k
> >account for my kerberos principal in linux. Then the hint says that the
> >mapping is contained in the AltSecurityId property of each win2k user.
> >
> >The problem is that I don't know how to set this AltSecurityId. I can't
> >find it in Active Directory Users and Computers.
> >
> >Where can I set the AltSecurityId to my linux kerberos realm ? (This
> >might be a dummy question, but I've tried to seek help on the net, but
> >couldn't find anything)
> >
> >Thanks a bunch,
> >Lara
> >
> >--- Robbie Foust <[EMAIL PROTECTED]> wrote:
> >
> >>You actually don't configure AD, what you need to do is run ksetup.exe
> >>on the workstations (must be 2000 or XP) and add the kerberos realm &
> >>kerberos servers. (ksetup is part of the support tools). For example:
> >>
> >>C:\> ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com
> >>
> >>and then when the user logs in, they must select that realm from the
> >>drop down list.
> >>
> >>Also, the user account in AD needs to have the kerberos name mapping
> >>added so AD will know how to match up the accounts. The name mapping
> >>would be something like "[EMAIL PROTECTED]".
> >>
> >>So basically, the password stored in AD is ignored. Let me know if this
> >>helps, or if this isn't what you're trying to do at all. :-)
> >>
> >>Robbie Foust, IT Analyst
> >>Systems and Core Services
> >>Duke University
> >>
> >>Lara Adianto wrote:
> >>
> >>>Hi guys,
> >>>
> >>>As what the subject title said: can Microsoft Active Directory be
> >>>configured to authenticate to an external ldap server (openLDAP in my
> >>>case) ?
> >>>
> >>>To make things clearer, this is the objective that I want to achieve:
> >>>
> >>>I want authentication of Microsoft Active Directory's clients to be
> >>>done by OpenLDAP server on Linux. So, when a client of Microsoft Active
> >>>Directory authenticates itself to MS AD, MS AD will ask openLDAP for
> >>>authentication service. openLDAP will return reject or allow to
>
=== message truncated ===
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/