One correction: the modifications were made to kerberos-example.ldif and not server.xml, for it to be able to trust Windows domains.
On 7/30/08, azahur <[EMAIL PROTECTED]> wrote:
>
> I am trying to implement cross-realm authentication between ApacheDS and
> Windows 2003 domains.
>
> Here is the setup.
> 2 Windows 2003 domains with a parent/child relationship.
> 1 ApacheDS realm (EXAMPLE.COM).
> I have set up a cross-realm trust between the parent domain and
> EXAMPLE.COM by using the Windows MMC "add new trust" wizard, and have
> added the following in the server.xml on the ApacheDS side.
>
> dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> objectclass: top
> cn: Kerberos Server
> givenname: Kerberos
> krb5KeyVersionNumber: 0
> krb5principalname: krbtgt/[EMAIL PROTECTED]
> ou: Directory
> ou: Users
> sn: Server
> uid: krbtgtIncomingTrust
> userpassword: password
>
> dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectclass: krb5Principal
> objectclass: krb5KDCEntry
> objectclass: top
> cn: Kerberos Server
> givenname: Kerberos
> krb5KeyVersionNumber: 0
> krb5principalname: krbtgt/[EMAIL PROTECTED]
> ou: Directory
> ou: Users
> sn: Server
> uid: krbtgtOutGoingTrust
> userpassword: password
>
> I have also modified an XP client so that it can see the new EXAMPLE.COM
> realm, and changed the hosts file to tell it where kdc.example.com is.
> I have also mapped the test user "erodriguiez" of the Example.com domain
> to a user in the PARENT.LOCAL.COM domain (Windows domain) by going
> through the AD Users and Computers MMC.
>
> So now in the Windows GINA screen I log in as erodriguez, select the
> EXAMPLE.COM domain, and am able to log on to the computer.
> Then I access the network neighborhood and I can browse through
> resources provided by PARENT.LOCAL.COM, but when I try to access
> resources in CHILD.PARENT.LOCAL.COM I get the error
>
> *\\Appserver (computer name in child domain) is not accessible. You
> might not have permission to user this network resource. Contact the
> administrator of this server to findout if you have access permissions.*
>
> *Logon Failure: The target account name is incorrect.*
>
> Why would I be unable to access the child domain resources? Is the initial
> TGT that is issued only good for the parent domain and unusable in other
> domains, even though a transitive two-way trust is established between
> all the domains?
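A way to check which chain of cross-realm TGTs a setup like this implies, as an added example (not from this thread and not ApacheDS code): under RFC 4120, a client holding a TGT from realm A can reach a service in realm B only through a chain of krbtgt/NEXT@CURRENT keys, one per hop, and every realm crossed on the way ends up in the service ticket's transited field. The realm names in the principals and the Windows parent/child trust keys are assumptions, since the archive redacted the principals in the post.

```python
import re
from collections import deque

# Constructed LDIF modelled on the two entries in the post. The archive redacted
# the principal names, so the realm after '@' in each one is an assumption.
APACHEDS_LDIF = """\
dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5principalname: krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM

dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
objectclass: krb5KDCEntry
krb5principalname: krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM
"""

# Inter-realm keys the Windows parent/child trust holds (assumed; not in the post).
WINDOWS_TRUST_KEYS = {
    ("PARENT.LOCAL.COM", "CHILD.PARENT.LOCAL.COM"),
    ("CHILD.PARENT.LOCAL.COM", "PARENT.LOCAL.COM"),
}

KRBTGT_RE = re.compile(r"^krb5principalname:\s*krbtgt/([^@\s]+)@(\S+)", re.I | re.M)

def inter_realm_keys(ldif_text):
    """Turn each krbtgt/TARGET@ISSUER principal into the hop (ISSUER, TARGET):
    a TGT from ISSUER can be exchanged for a cross-realm TGT to TARGET only if
    both KDCs hold this principal's key."""
    return {(m.group(2).upper(), m.group(1).upper()) for m in KRBTGT_RE.finditer(ldif_text)}

def referral_path(keys, client_realm, service_realm):
    """Breadth-first search for the chain of cross-realm TGTs a client holding a
    TGT from client_realm needs to reach a service in service_realm (RFC 4120,
    section 1.2). Returns the realms traversed in order, or None if no chain exists."""
    seen = {client_realm}
    queue = deque([[client_realm]])
    while queue:
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for issuer, target in sorted(keys):
            if issuer == path[-1] and target not in seen:
                seen.add(target)
                queue.append(path + [target])
    return None

def transited_realms(path):
    """Realms the ticket's 'transited' field would list: all hops but the two ends."""
    return path[1:-1] if path else None
```

Running `referral_path` with only the ApacheDS keys (no Windows parent/child keys) returns None for the child realm, which is the kind of gap worth ruling out before looking at account mappings.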
