I am trying to implement cross-realm authentication between ApacheDS and Windows 2003 domains.

Here is the setup: two Windows 2003 domains with a parent/child relationship, and one ApacheDS realm (EXAMPLE.COM). I have set up a cross-realm trust between the parent domain and EXAMPLE.COM by using the Windows MMC "add new trust" wizard, and have added the following in the server.xml on the ApacheDS side:

dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: krb5Principal
objectclass: krb5KDCEntry
objectclass: top
cn: Kerberos Server
givenname: Kerberos
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/[EMAIL PROTECTED]
ou: Directory
ou: Users
sn: Server
uid: krbtgtIncomingTrust
userpassword: password

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: krb5Principal
objectclass: krb5KDCEntry
objectclass: top
cn: Kerberos Server
givenname: Kerberos
krb5KeyVersionNumber: 0
krb5principalname: krbtgt/[EMAIL PROTECTED]
ou: Directory
ou: Users
sn: Server
uid: krbtgtOutGoingTrust
userpassword: password

I have also modified an XP client so that it can see the new EXAMPLE.COM realm, and changed its hosts file to tell it where kdc.example.com is. I have also mapped the test user "erodriguiez" of the Example.com domain to a user in the PARENT.LOCAL.COM domain (Windows domain) through the AD Users and Computers MMC.

So now in the Windows GINA screen I log in as erodriguez, select the EXAMPLE.COM domain, and am able to log on to the computer. Then I open Network Neighborhood and I can browse through resources provided by PARENT.LOCAL.COM, but when I try to access resources in CHILD.PARENT.LOCAL.COM I get the error:

\\Appserver (computer name in child domain) is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Logon Failure: The target account name is incorrect.

Why would I be unable to access the child domain resources? Is the initial TGT that is issued only good for the parent domain and not usable in other domains, even though a transitive two-way trust is established between all the domains?
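To reason about the question above, here is an added example (not from the original post or from ApacheDS) that reads krbtgt principals out of an LDIF fragment like the one posted, checks that both directions of the EXAMPLE.COM/PARENT.LOCAL.COM trust are defined, and walks the trust edges to list which cross-realm TGTs a client holding an EXAMPLE.COM TGT must obtain, hop by hop, before it can request a service ticket in the child domain. The realm names in the principal values, the Windows-side trust edges and the LDIF content are constructed assumptions; the anonymised realm in the post is assumed to be PARENT.LOCAL.COM.

```python
from collections import deque

# Constructed LDIF modelled on the post's krbtgt entries; PARENT.LOCAL.COM is assumed.
APACHEDS_LDIF = """\
dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
"""

# Edges the Windows forest supplies on its own (parent<->child, plus its copy of the
# keys shared with EXAMPLE.COM); constructed to mirror the topology in the post.
WINDOWS_EDGES = {
    ("PARENT.LOCAL.COM", "CHILD.PARENT.LOCAL.COM"),
    ("CHILD.PARENT.LOCAL.COM", "PARENT.LOCAL.COM"),
    ("PARENT.LOCAL.COM", "EXAMPLE.COM"),
    ("EXAMPLE.COM", "PARENT.LOCAL.COM"),
}

def krbtgt_principals(ldif):
    """krbtgt/... values of krb5principalname (attribute names are case-insensitive)."""
    found = set()
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "krb5principalname" and value.strip().startswith("krbtgt/"):
            found.add(value.strip())
    return found

def trust_edges(principals):
    """krbtgt/REMOTE@LOCAL is the key LOCAL's KDC uses to issue a TGT for REMOTE: edge LOCAL -> REMOTE."""
    return {(p.partition("@")[2], p.partition("@")[0][len("krbtgt/"):]) for p in principals}

def two_way_trust(principals, a, b):
    edges = trust_edges(principals)
    return (a, b) in edges and (b, a) in edges

def referral_chain(edges, start, dest):
    """Breadth-first walk: ordered cross-realm TGTs a client with a TGT for `start` needs to reach dest."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        realm, chain = queue.popleft()
        if realm == dest:
            return chain
        for local, remote in sorted(edges):
            if local == realm and remote not in seen:
                seen.add(remote)
                queue.append((remote, chain + [f"krbtgt/{remote}@{local}"]))
    return None
```

With the Windows edges included, the chain from EXAMPLE.COM to CHILD.PARENT.LOCAL.COM has two hops, the first of which (krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM) must be issued by the ApacheDS KDC; with only the ApacheDS entries the child realm is unreachable.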
