Openldap and Active Directory Trust Relationship

Guest

Hi!
I have a Mac OS X Server 10.3.6 with OpenLDAP set up already with user accounts, and a Kerberos REALM associated which is the server's complete name in uppercase under "mydomain.pt".
I have also a Win2k3 Server Enterprise Edition with user accounts, for which I've created the "win.mydomain.pt".
What I want to do is use both domains to authenticate users from XP Pro workstations through a Trust Relationship between the Windows domain and the Kerberos realm, like the reference to trust relationships in
http://www.microsoft.com/TECHNET/prodtechnol/windows2000serv/howto/kerbstep.mspx#ECAA

What I did:

1 - windows (dc) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
2 - windows (dc) - create the trust (I've tried all kinds of trust, bidirectional, etc.)

3 - windows (workstations) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
and a new domain (Kerberos type) appears on the login window

4 - Open Directory (kdc)
addprinc krbtgt/[email protected]
addprinc krbtgt/[email protected]
I've used the same passwords on the last 2 commands and on the trust to avoid problems.

Supposedly Windows should trust the Mac OS X Server KDC to authenticate users, and both the Mac and the Win server have user accounts.

Unfortunately this isn't working.
I've also noted that in certain documentation it's necessary to create user mappings from the Windows domain to the Kerberos domain, which is something that I don't want, because this involves account duplication, and I want to use either one server or the other to authenticate.
Is this possible? If so, what am I doing wrong in my procedure?
Thank you very much
Best regards

David
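A way to reason about steps 1-4 above, as an added example that is not part of David's post or of any Apple or Microsoft tooling: it models the two KDC databases, the pair of cross-realm krbtgt principals a two-way trust needs, and the checks that catch the usual silent failures (a realm name that is not uppercase, a trust direction missing on one side, or a trust password that does not match the kadmin password). The realm name WIN.MYDOMAIN.PT for the Windows domain is an assumption (the post's principal names are obscured), the KDC hostnames and passwords are constructed, and the SHA-256 "key" stands in for a real string-to-key. The generated krb5.conf shows the client-side view: realm locations, hostname-to-realm mapping, and a direct trust path in [capaths].

```python
"""Added example (not from the thread): a small model of the cross-realm trust
the post sets up, with checks for its usual failure modes. Realm names are
the thread's (WIN.MYDOMAIN.PT assumed); hostnames, passwords and the hashed
"key" are constructed stand-ins for what real KDC databases hold."""
from __future__ import annotations

import hashlib

MAC_REALM = "MAC.MYDOMAIN.PT"  # Open Directory KDC realm (from the thread)
WIN_REALM = "WIN.MYDOMAIN.PT"  # the Windows domain as a Kerberos realm (assumed)


def cross_realm_principals(local_realm: str, remote_realm: str) -> tuple[str, str]:
    """The two krbtgt principals a two-way trust needs.

    krbtgt/REMOTE@LOCAL lets LOCAL's clients get tickets for services in REMOTE;
    krbtgt/LOCAL@REMOTE is the reverse direction. Each principal's key must be
    identical on both KDCs, which is why the post gives them one password.
    """
    return (f"krbtgt/{remote_realm}@{local_realm}",
            f"krbtgt/{local_realm}@{remote_realm}")


def derive_key(password: str, principal: str) -> str:
    """Stand-in for the KDC's string-to-key. Salted with the principal name, as
    real Kerberos does, so a matching password only helps if the name matches."""
    return hashlib.sha256(f"{principal}:{password}".encode()).hexdigest()


def kdc_add_principal(db: dict[str, str], principal: str, password: str) -> None:
    """Like kadmin's addprinc: store the principal's key in a realm database."""
    db[principal] = derive_key(password, principal)


def build_databases(kadmin_password: str, trust_password: str):
    """Simulate step 4 (addprinc on Open Directory) and step 2 (the AD trust).
    The AD trust is modelled here as storing the same two principals, keyed
    with the trust password typed into the trust wizard."""
    mac_db: dict[str, str] = {}
    win_db: dict[str, str] = {}
    to_win, to_mac = cross_realm_principals(MAC_REALM, WIN_REALM)
    kdc_add_principal(mac_db, to_win, kadmin_password)
    kdc_add_principal(mac_db, to_mac, kadmin_password)
    kdc_add_principal(win_db, to_win, trust_password)
    kdc_add_principal(win_db, to_mac, trust_password)
    return mac_db, win_db


def check_trust(mac_db, win_db, mac_realm: str, win_realm: str) -> list[str]:
    """Report the things that make a cross-realm trust fail without a clear error."""
    problems: list[str] = []
    for realm in (mac_realm, win_realm):
        if realm != realm.upper():
            problems.append(f"realm {realm!r} is not uppercase; realm names are case-sensitive")
    for princ in cross_realm_principals(mac_realm, win_realm):
        if princ not in mac_db:
            problems.append(f"{princ} missing on the Open Directory KDC")
        if princ not in win_db:
            problems.append(f"{princ} missing on the Windows side (trust not created for it)")
        if princ in mac_db and princ in win_db and mac_db[princ] != win_db[princ]:
            problems.append(f"{princ} keys differ: trust password and kadmin password do not match")
    return problems


def krb5_conf(mac_realm: str, win_realm: str, mac_kdc: str, win_kdc: str) -> str:
    """Client-side krb5.conf: each realm's KDC, which hostnames belong to which
    realm, and a direct trust path ('.') between the two realms in [capaths]."""
    win_domain = win_kdc.split(".", 1)[1]  # dc1.win.mydomain.pt -> win.mydomain.pt
    return "\n".join([
        "[realms]",
        f"    {mac_realm} = {{", f"        kdc = {mac_kdc}", "    }",
        f"    {win_realm} = {{", f"        kdc = {win_kdc}", "    }",
        "[domain_realm]",
        f"    {mac_kdc} = {mac_realm}",
        f"    .{win_domain} = {win_realm}",
        "[capaths]",
        f"    {mac_realm} = {{", f"        {win_realm} = .", "    }",
        f"    {win_realm} = {{", f"        {mac_realm} = .", "    }",
    ])


if __name__ == "__main__":
    good = check_trust(*build_databases("s3cret", "s3cret"), MAC_REALM, WIN_REALM)
    bad = check_trust(*build_databases("s3cret", "typo"), MAC_REALM, WIN_REALM)
    print("matching passwords:", good or "no problems")
    print("mismatched passwords:", *bad, sep="\n  ")
    print(krb5_conf(MAC_REALM, WIN_REALM, "mac.mydomain.pt", "dc1.win.mydomain.pt"))
```

The point the checker encodes is that a cross-realm trust is nothing more than two shared secrets, one per direction, held by both KDCs under exactly the same principal name; a realm-case or password mismatch on either side leaves that direction unusable even though every command "succeeded".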
Ace Fekay [MVP]

david carvalho said:
> Hi!
> I have a Mac OS X Server 10.3.6 with OpenLDAP set up already with user accounts, and a Kerberos REALM associated which is the server's complete name in uppercase under "mydomain.pt".
> I have also a Win2k3 Server Enterprise Edition with user accounts, for which I've created the "win.mydomain.pt".
> What I want to do is use both domains to authenticate users from XP Pro workstations through a Trust Relationship between the Windows domain and the Kerberos realm, like the reference to trust relationships in
> http://www.microsoft.com/TECHNET/prodtechnol/windows2000serv/howto/kerbstep.mspx#ECAA
>
> What I did:
>
> 1 - windows (dc) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
> 2 - windows (dc) - create the trust (I've tried all kinds of trust, bidirectional, etc.)
>
> 3 - windows (workstations) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
> and a new domain (Kerberos type) appears on the login window
>
> 4 - Open Directory (kdc)
> addprinc krbtgt/[email protected]
> addprinc krbtgt/[email protected]
> I've used the same passwords on the last 2 commands and on the trust to avoid problems.
>
> Supposedly Windows should trust the Mac OS X Server KDC to authenticate users, and both the Mac and the Win server have user accounts.
>
> Unfortunately this isn't working.
> I've also noted that in certain documentation it's necessary to create user mappings from the Windows domain to the Kerberos domain, which is something that I don't want, because this involves account duplication, and I want to use either one server or the other to authenticate.
> Is this possible? If so, what am I doing wrong in my procedure?
> Thank you very much
> Best regards
>
> David

I just worked on a similar issue for a client. You'll have to create a new Schema attribute. We called it "UniqueID". I have four PDFs I can email you that discuss it and show you how to create it.

Also, once you've created the attribute, you'll want to extend the ADUC interface to include the new attribute so you can adjust, add or change it, by using this link:

Extending the User Interface for Directory Objects:
http://msdn.microsoft.com/library/d..._the_user_interface_for_directory_objects.asp

I used LDIFDE to export the user accounts with a filter to just export that attribute, modified the file so it will modify the new attribute, manually made up a UniqueID for each user (starting at "1100", then "1101", "1102", etc.), and imported it back into AD.

Email me if you want those PDFs. Replace my email address with my *actual* firstnamelastname (no spaces, underscores or anything) @ hotmail.com.


--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
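The LDIFDE round trip Ace describes (export the accounts, turn the file into a modify, number each user from 1100, import it back), as an added example in Python that is not Ace's procedure or any Microsoft tool: it parses an LDIFDE-style export, handles the folded and base64-encoded distinguished names LDIF produces, assigns sequential UniqueID values, refuses to continue if an entry appears twice (which would otherwise hand out two IDs to one account), and emits the change file for import. The sample export, the account names and the attribute's LDAP name "UniqueID" are constructed; the thread does not show its real files or schema definition.

```python
"""Added example (not from the thread): turn an LDIFDE-style export into a
modify-LDIF that assigns a sequential UniqueID to every user. The export
below and the attribute name are constructed for illustration."""
from __future__ import annotations

import base64

# Constructed stand-in for an export of user entries (no UniqueID set yet).
# It deliberately includes a folded dn (continuation line starts with a space)
# and a base64 dn (the "dn::" form LDIF uses for non-ASCII values).
SAMPLE_EXPORT = "\n".join([
    "dn: CN=Maria Silva,OU=Users,DC=win,DC=mydomain,DC=pt",
    "changetype: add",
    "",
    "dn: CN=Rui Pereira,OU=Users,DC=win,DC=mydomain,",
    " DC=pt",
    "changetype: add",
    "",
    "dn:: " + base64.b64encode(
        "CN=João Costa,OU=Users,DC=win,DC=mydomain,DC=pt".encode("utf-8")).decode(),
    "changetype: add",
    "",
])


def parse_ldif_dns(ldif_text: str) -> list[str]:
    """Return the dn of each entry, in file order, after unfolding continuation
    lines and decoding base64 ('dn::') values."""
    unfolded: list[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:   # LDIF folding: leading space continues the line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    dns: list[str] = []
    for line in unfolded:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def ldif_needs_base64(value: str) -> bool:
    """RFC 2849 rules for when a value must be base64-encoded: any non-ASCII
    character, a leading space, colon or '<', or a trailing space."""
    return (not value.isascii()) or value[:1] in (" ", ":", "<") or value.endswith(" ")


def assign_unique_ids(ldif_export: str, attribute: str = "UniqueID",
                      start: int = 1100) -> tuple[str, dict[str, int]]:
    """Build the modify-LDIF and return it with the dn -> id mapping.
    Raises ValueError on a duplicated dn so no account gets two IDs."""
    mapping: dict[str, int] = {}
    out: list[str] = []
    for n, dn in enumerate(parse_ldif_dns(ldif_export), start=start):
        if dn in mapping:
            raise ValueError(f"duplicate entry in export: {dn}")
        mapping[dn] = n
        if ldif_needs_base64(dn):
            out.append("dn:: " + base64.b64encode(dn.encode("utf-8")).decode())
        else:
            out.append("dn: " + dn)
        out += ["changetype: modify", f"replace: {attribute}", f"{attribute}: {n}", "-", ""]
    return "\n".join(out), mapping


if __name__ == "__main__":
    change_file, ids = assign_unique_ids(SAMPLE_EXPORT)
    print(change_file)          # this is what would be imported back into AD
    for dn, uid in ids.items():
        print(uid, dn)
```

Using `replace:` rather than `add:` makes the import idempotent: rerunning it on an account that already carries the attribute overwrites rather than fails, while the duplicate check above is what keeps the numbering a true one-to-one mapping.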
Guest

Hi!
Thanks for the reply.
I've sent an e-mail to your address, although I don't know how to check someone's real e-mail. So I hope it gets there.

What is strange is that I found lots of documentation, but no one said nothing about extending Windows attributes, besides defining user maps!
Well, let's see!
Thanks!
David
Ace Fekay [MVP]

david carvalho said:
> Hi!
> Thanks for the reply.
> I've sent an e-mail to your address, although I don't know how to check someone's real e-mail. So I hope it gets there.
>
> What is strange is that I found lots of documentation, but no one said nothing about extending Windows attributes, besides defining user maps!
> Well, let's see!
> Thanks!
> David

Replied privately...

No problem, David. I hope we can both come to a resolve on this one.
:)

Ace