Just wanted to bump this up to see if anyone has any idea what the problem might be.
On 7/30/08, azahur <[EMAIL PROTECTED]> wrote:
>
> One correction, the modifications were made to kerberos-example.ldif and not
> server.xml, for it to be able to trust Windows domains.
>
> On 7/30/08, azahur <[EMAIL PROTECTED]> wrote:
>>
>> I am trying to implement cross-realm authentication between ApacheDS and
>> Windows 2003 domains.
>>
>> Here is the setup:
>> 2 Windows 2003 domains with a parent-child relationship.
>> 1 ApacheDS realm (EXAMPLE.COM).
>> I have set up a cross-realm trust between the parent domain and
>> EXAMPLE.COM by using the Windows MMC "add new trust" wizard, and have
>> added the following in the server.xml on the ApacheDS side.
>>
>> dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
>> objectclass: person
>> objectclass: organizationalPerson
>> objectclass: inetOrgPerson
>> objectclass: krb5Principal
>> objectclass: krb5KDCEntry
>> objectclass: top
>> cn: Kerberos Server
>> givenname: Kerberos
>> krb5KeyVersionNumber: 0
>> krb5principalname: krbtgt/[EMAIL PROTECTED]
>> ou: Directory
>> ou: Users
>> sn: Server
>> uid: krbtgtIncomingTrust
>> userpassword: password
>>
>> dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
>> objectclass: person
>> objectclass: organizationalPerson
>> objectclass: inetOrgPerson
>> objectclass: krb5Principal
>> objectclass: krb5KDCEntry
>> objectclass: top
>> cn: Kerberos Server
>> givenname: Kerberos
>> krb5KeyVersionNumber: 0
>> krb5principalname: krbtgt/[EMAIL PROTECTED]
>> ou: Directory
>> ou: Users
>> sn: Server
>> uid: krbtgtOutGoingTrust
>> userpassword: password
>>
>> I have also modified an XP client so that it can see the new EXAMPLE.COM
>> realm, and changed the hosts file to tell it where kdc.example.com is.
>> I have also mapped the test user "erodriguiez" of the Example.com domain
>> to a user in the PARENT.LOCAL.COM domain (Windows domain) by going through
>> the AD Users and Computers MMC.
>>
>> So now in the Windows GINA screen I log in as erodriguez, select the
>> EXAMPLE.COM domain, and am able to log on to the computer. Then I open
>> Network Neighborhood and I can browse through resources provided by
>> PARENT.LOCAL.COM, but when I try to access resources in
>> CHILD.PARENT.LOCAL.COM I get the error
>>
>> *\\Appserver (computer name in child domain) is not accessible. You
>> might not have permission to use this network resource. Contact the
>> administrator of this server to find out if you have access permissions.*
>>
>> *Logon Failure: The target account name is incorrect.*
>>
>> Why would I be unable to access the child domain resources? Is the initial
>> TGT that is issued only good for the parent domain, and can it not be used
>> in other domains, even though a transitive two-way trust is established
>> between all the domains?
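The question at the end of the post, as an added example that is not part of the thread or of ApacheDS: a TGT is only honoured by the KDC that issued it, so reaching a service in another realm means first obtaining a cross-realm TGT for krbtgt/<service realm>@<client realm> from the client's own KDC, and reaching a realm two trusts away means either a direct cross-realm key for that realm or a chain of cross-realm TGTs, one per hop. The script below models the three realms named in the post as a trust graph, reports which realms an EXAMPLE.COM client can reach with and without multi-hop chaining, and emits an ApacheDS-style LDIF entry (attribute layout copied from the post's krbtgt entries) for a direct key that the post does not have. The sample principal list, the uid naming, the "change-me" password and the follow_hops switch are constructed assumptions; whether a given client actually chains hops or only tries a direct key is a property of the client and KDC configuration, not of the trust itself.

```python
"""Added example (not from the thread or ApacheDS): model cross-realm
Kerberos trust paths between the realms named in the post and generate
the LDIF for a missing cross-realm krbtgt entry."""
from collections import deque

# Realm names as given in the post.
APACHEDS_REALM = "EXAMPLE.COM"
PARENT_REALM = "PARENT.LOCAL.COM"
CHILD_REALM = "CHILD.PARENT.LOCAL.COM"

# Constructed sample: the cross-realm principals assumed to exist after the
# post's setup (two-way trust EXAMPLE.COM <-> parent, plus the automatic
# two-way parent <-> child trust inside AD). krbtgt/B@A is the principal a
# client of realm A asks its own KDC for in order to reach realm B.
SAMPLE_CROSS_REALM_PRINCIPALS = [
    f"krbtgt/{APACHEDS_REALM}@{PARENT_REALM}",  # parent users -> EXAMPLE.COM
    f"krbtgt/{PARENT_REALM}@{APACHEDS_REALM}",  # EXAMPLE.COM users -> parent
    f"krbtgt/{CHILD_REALM}@{PARENT_REALM}",     # parent users -> child
    f"krbtgt/{PARENT_REALM}@{CHILD_REALM}",     # child users -> parent
]


def parse_krbtgt(principal):
    """Return (issuing_realm, target_realm) for 'krbtgt/TARGET@ISSUER'."""
    service, sep, issuer = principal.partition("@")
    if not service.startswith("krbtgt/") or not sep or not issuer:
        raise ValueError(f"not a cross-realm krbtgt principal: {principal!r}")
    return issuer, service[len("krbtgt/"):]


def trust_edges(principals):
    """Directed edges issuer -> {targets}, one per cross-realm krbtgt key."""
    edges = {}
    for p in principals:
        issuer, target = parse_krbtgt(p)
        edges.setdefault(issuer, set()).add(target)
    return edges


def trust_path(client_realm, service_realm, principals, follow_hops=True):
    """Ordered realms [client, ..., service] whose KDCs the client must visit,
    or None when no path exists. With follow_hops=False only a direct
    cross-realm key counts, modelling a client that never chains hops
    (assumption: whether a client chains is a client/KDC configuration matter)."""
    edges = trust_edges(principals)
    if client_realm == service_realm:
        return [client_realm]
    if not follow_hops:
        direct = service_realm in edges.get(client_realm, set())
        return [client_realm, service_realm] if direct else None
    # Breadth-first search: shortest chain of cross-realm TGTs.
    prev = {client_realm: None}
    queue = deque([client_realm])
    while queue:
        realm = queue.popleft()
        for nxt in sorted(edges.get(realm, set())):
            if nxt in prev:
                continue
            prev[nxt] = realm
            if nxt == service_realm:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def cross_realm_ldif(target_realm, issuing_realm, uid, password,
                     base_dn="ou=users,dc=example,dc=com"):
    """LDIF for one cross-realm krbtgt entry in the attribute layout the post
    uses for its krbtgtIncomingTrust/krbtgtOutGoingTrust entries. The uid and
    password are caller-supplied; the key is as sensitive as the realm's own
    krbtgt key, so a real deployment would not use a dictionary word."""
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "objectclass: person",
        "objectclass: organizationalPerson",
        "objectclass: inetOrgPerson",
        "objectclass: krb5Principal",
        "objectclass: krb5KDCEntry",
        "objectclass: top",
        "cn: Kerberos Server",
        "givenname: Kerberos",
        "krb5KeyVersionNumber: 0",
        f"krb5principalname: krbtgt/{target_realm}@{issuing_realm}",
        "ou: Directory",
        "ou: Users",
        "sn: Server",
        f"uid: {uid}",
        f"userpassword: {password}",
    ]) + "\n"


if __name__ == "__main__":
    for target in (PARENT_REALM, CHILD_REALM):
        chained = trust_path(APACHEDS_REALM, target, SAMPLE_CROSS_REALM_PRINCIPALS)
        direct = trust_path(APACHEDS_REALM, target, SAMPLE_CROSS_REALM_PRINCIPALS,
                            follow_hops=False)
        print(f"{APACHEDS_REALM} -> {target}: chained={chained} direct-only={direct}")
    # A direct key for the child realm, if one chose to add it to ApacheDS
    # (hypothetical uid; the post does not include such an entry):
    print(cross_realm_ldif(CHILD_REALM, APACHEDS_REALM,
                           "krbtgtChildOutgoingTrust", "change-me"))
```

With the constructed principal list, EXAMPLE.COM reaches PARENT.LOCAL.COM in one hop either way, but CHILD.PARENT.LOCAL.COM only via the parent realm; a client that will not chain hops sees no path at all until a direct krbtgt/CHILD.PARENT.LOCAL.COM@EXAMPLE.COM key exists on both sides. Whichever way a deployment closes that gap, every cross-realm key it adds is a full trust anchor for the other realm's users, so it deserves the same key-strength and rotation care as the realm's own krbtgt key.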
