Cross-realm authentication has not been implemented, I think. Well, this catalog thingy was put into the Krb server a while back, but I have not seen it in action.
In a couple of months we intend to refactor the KDC code to make sure a proper mechanism is used to enable multiple domains in the server. Until then you might want to take a look at the code yourself. You're always welcome to get involved.

Cheers,
Alex

On Wed, Aug 13, 2008 at 3:15 PM, azahur <[EMAIL PROTECTED]> wrote:
> Just wanted to bump it up to see if anyone has any idea what the
> problem might be.
>
> On 7/30/08, azahur <[EMAIL PROTECTED]> wrote:
>>
>> One correction: the modifications were made to kerberos-example.ldif and
>> not server.xml, for it to be able to trust Windows domains.
>>
>> On 7/30/08, azahur <[EMAIL PROTECTED]> wrote:
>>>
>>> I am trying to implement cross-realm authentication between ApacheDS and
>>> Windows 2003 domains.
>>>
>>> Here is the setup:
>>> 2 Windows 2003 domains with a parent/child relationship.
>>> 1 ApacheDS realm (EXAMPLE.COM).
>>> I have set up a cross-realm trust between the parent domain and
>>> EXAMPLE.COM by using the Windows MMC "add new trust" wizard, and have
>>> added the following in the server.xml on the ApacheDS side.
>>>
>>> dn: uid=krbtgtIncomingTrust,ou=users,dc=example,dc=com
>>> objectclass: person
>>> objectclass: organizationalPerson
>>> objectclass: inetOrgPerson
>>> objectclass: krb5Principal
>>> objectclass: krb5KDCEntry
>>> objectclass: top
>>> cn: Kerberos Server
>>> givenname: Kerberos
>>> krb5KeyVersionNumber: 0
>>> krb5principalname: krbtgt/[EMAIL PROTECTED]
>>> ou: Directory
>>> ou: Users
>>> sn: Server
>>> uid: krbtgtIncomingTrust
>>> userpassword: password
>>>
>>> dn: uid=krbtgtOutGoingTrust,ou=users,dc=example,dc=com
>>> objectclass: person
>>> objectclass: organizationalPerson
>>> objectclass: inetOrgPerson
>>> objectclass: krb5Principal
>>> objectclass: krb5KDCEntry
>>> objectclass: top
>>> cn: Kerberos Server
>>> givenname: Kerberos
>>> krb5KeyVersionNumber: 0
>>> krb5principalname: krbtgt/[EMAIL PROTECTED]
>>> ou: Directory
>>> ou: Users
>>> sn: Server
>>> uid: krbtgtOutGoingTrust
>>> userpassword: password
>>>
>>> I have also modified an XP client so that it can see the new
>>> EXAMPLE.COM realm, and changed the hosts file to tell it where
>>> kdc.example.com is. I have also mapped the test user "erodriguez" of the
>>> EXAMPLE.COM domain to a user in the PARENT.LOCAL.COM domain (Windows
>>> domain) by going through the AD Users and Computers MMC.
>>>
>>> So now in the Windows GINA screen I log in as erodriguez, select the
>>> EXAMPLE.COM domain, and am able to log on to the computer. Then I access
>>> Network Neighborhood and I can browse through resources provided by
>>> PARENT.LOCAL.COM, but when I try to access resources in
>>> CHILD.PARENT.LOCAL.COM I get the error
>>>
>>> *\\Appserver (computer name in child domain) is not accessible. You
>>> might not have permission to use this network resource. Contact the
>>> administrator of this server to find out if you have access permissions.*
>>>
>>> *Logon Failure: The target account name is incorrect.*
>>>
>>> Why would I be unable to access the child domain resources? Is the initial
>>> TGT that is issued only good for the parent domain and unable to be used in
>>> other domains, even though a transitive two-way trust is established between
>>> all the domains?
>>>

--
Microsoft gives you Windows, Linux gives you the whole house ...
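As an added worked example (not code from the thread, from ApacheDS or from Windows), the following Python works out which krbtgt principals each KDC must be able to issue for a service ticket to travel from EXAMPLE.COM to CHILD.PARENT.LOCAL.COM. It implements the RFC 4120 section 1.2 hierarchical default path and a search over an explicit trust graph (the job of an MIT `[capaths]` section or of AD trust objects), then checks a route against the krbtgt keys each KDC is assumed to hold. The realm topology and key sets are constructed to mirror the post's description, and the principal names for the two LDIF entries are assumed from their `uid`s because the post redacts them.

```python
"""Cross-realm ticket routing: which krbtgt principals each hop needs.

Added example for the thread above; not ApacheDS or Windows code. Realm
names, trust edges and key sets are constructed assumptions.
"""
from collections import deque
from typing import Optional


def hierarchical_path(client_realm: str, server_realm: str) -> list[str]:
    """Default path for domain-style realms (RFC 4120 sec. 1.2): climb from
    the client realm to the longest common suffix, then descend to the server
    realm. Realms sharing no suffix get a direct two-realm path."""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    n = 0
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    if n == 0:
        return [client_realm.upper(), server_realm.upper()]
    up = [".".join(c[i:]) for i in range(len(c) - n + 1)]
    down = [".".join(s[j:]) for j in range(len(s) - n - 1, -1, -1)]
    return up + down


def krbtgt_principals(path: list[str]) -> list[str]:
    """For each hop A -> B, A's KDC must hold the key of krbtgt/B@A and issue
    a cross-realm TGT for it, which the client then presents to B's KDC."""
    return [f"krbtgt/{b}@{a}" for a, b in zip(path, path[1:])]


def explicit_path(trusts: dict[str, set[str]], client_realm: str,
                  server_realm: str) -> Optional[list[str]]:
    """Shortest route through explicitly configured trusts: trusts[A] is the
    set of realms A's KDC can refer to. None if the server realm is unreachable."""
    start, goal = client_realm.upper(), server_realm.upper()
    prev: dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            node: Optional[str] = cur
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(trusts.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def first_missing_key(path: list[str], issuable: dict[str, set[str]]) -> Optional[str]:
    """Walk the route and return the first krbtgt principal that the issuing
    KDC cannot serve (issuable[realm] = principals that KDC holds keys for),
    or None if every hop can be issued."""
    for a, b in zip(path, path[1:]):
        principal = f"krbtgt/{b}@{a}"
        if principal not in issuable.get(a, set()):
            return principal
    return None


# Constructed topology mirroring the post: a two-way trust between EXAMPLE.COM
# (ApacheDS) and PARENT.LOCAL.COM, plus the two-way parent/child trust inside
# the Windows forest. Assumed, not taken from a real configuration.
TRUSTS = {
    "EXAMPLE.COM": {"PARENT.LOCAL.COM"},
    "PARENT.LOCAL.COM": {"EXAMPLE.COM", "CHILD.PARENT.LOCAL.COM"},
    "CHILD.PARENT.LOCAL.COM": {"PARENT.LOCAL.COM"},
}

# krbtgt keys each KDC is assumed to hold. The EXAMPLE.COM outgoing-trust entry
# is assumed to be krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM (the post redacts it).
KDC_KEYS = {
    "EXAMPLE.COM": {"krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                    "krbtgt/PARENT.LOCAL.COM@EXAMPLE.COM"},
    "PARENT.LOCAL.COM": {"krbtgt/PARENT.LOCAL.COM@PARENT.LOCAL.COM",
                         "krbtgt/EXAMPLE.COM@PARENT.LOCAL.COM",
                         "krbtgt/CHILD.PARENT.LOCAL.COM@PARENT.LOCAL.COM"},
    "CHILD.PARENT.LOCAL.COM": {"krbtgt/CHILD.PARENT.LOCAL.COM@CHILD.PARENT.LOCAL.COM",
                               "krbtgt/PARENT.LOCAL.COM@CHILD.PARENT.LOCAL.COM"},
}

if __name__ == "__main__":
    # The hierarchical default shares only the ".COM" suffix, so it routes via
    # realms COM and LOCAL.COM that do not exist: an explicit route is needed.
    print(hierarchical_path("EXAMPLE.COM", "CHILD.PARENT.LOCAL.COM"))
    route = explicit_path(TRUSTS, "EXAMPLE.COM", "CHILD.PARENT.LOCAL.COM")
    print(route, krbtgt_principals(route))
    print(first_missing_key(route, KDC_KEYS))
    # Without the ApacheDS outgoing-trust key the very first hop cannot be issued.
    broken = dict(KDC_KEYS, **{"EXAMPLE.COM": {"krbtgt/EXAMPLE.COM@EXAMPLE.COM"}})
    print(first_missing_key(route, broken))
```

The point for the thread: with only the two entries in the LDIF, the ApacheDS KDC can at most refer the client to PARENT.LOCAL.COM; getting to the child domain additionally depends on the parent DC issuing krbtgt/CHILD.PARENT.LOCAL.COM@PARENT.LOCAL.COM for a client whose TGT came from a foreign realm, and on each KDC along the route accepting the accumulated transited realms. Which of those steps fails in the reported setup is not something the thread shows.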
