Openldap and Active Directory Trust Relationship

Anonymous
November 23, 2004 11:49:04 AM

Archived from groups: microsoft.public.win2000.active_directory

Hi !
I have a Mac OS X Server 10.3.6 with OpenLDAP already set up with user accounts, and a Kerberos REALM associated with it, which is the server's complete name in uppercase under "mydomain.pt".
I also have a Win2k3 Server Enterprise Edition with user accounts, for which I've created the "win.mydomain.pt".
What I want to do is use both domains to authenticate users from XP Pro workstations through a trust relationship between the Windows domain and the Kerberos realm, like the reference to trust relationships in
http://www.microsoft.com/TECHNET/prodtechnol/windows200...

What I did:

1 - windows (dc) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
2 - windows (dc) - create the trust (I've tried all kinds of trust,
bidirectional, etc)

3 - windows (workstations) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
and a new domain (kerberos type) appears on the login window

4 - Open Directory (kdc)
addprinc krbtgt/WIN.MEUDOMINIO.PT@MAC.MEUDOMINIO.PT
addprinc krbtgt/MAC.MEUDOMINIO.PT@WIN.MEUDOMINIO.PT
I've used the same passwords on the last 2 commands and on the trust
to avoid problems.
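A consistency check for the four steps above, added here as an example and not something from the thread: it takes the realm names registered with `ksetup /addkdc` on the Windows side and a `kadmin listprincs`-style listing of the KDC's principals, and reports whether both cross-realm `krbtgt` principals are present with realm names that match, character for character, what Windows was told about. The function names and both sample inputs are assumptions; the samples mirror the realm spellings as they appear in the post, and whether that difference is real or a transcription artifact the thread does not say.

```python
"""Check that the realms registered with ksetup on Windows and the krbtgt
cross-realm principals on the Open Directory KDC agree.  Example code, not
from the thread; the function names and sample data are assumptions."""
import re

KSETUP_KDC_RE = re.compile(r"ksetup\s+/addkdc\s+(\S+)\s+(\S+)", re.I)
KRBTGT_RE = re.compile(r"^krbtgt/([^@\s]+)@(\S+)$")

# Constructed sample: the ksetup commands typed on the DC and workstations.
KSETUP_SAMPLE = [
    "ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt",
]

# Constructed sample: what `kadmin listprincs` might show on the KDC after
# the two addprinc commands in step 4 (realm spelled as in the post).
LISTPRINCS_AS_POSTED = """\
krbtgt/MAC.MEUDOMINIO.PT@MAC.MEUDOMINIO.PT
krbtgt/WIN.MEUDOMINIO.PT@MAC.MEUDOMINIO.PT
krbtgt/MAC.MEUDOMINIO.PT@WIN.MEUDOMINIO.PT
"""

# Constructed sample: the same listing with realm names matching ksetup.
LISTPRINCS_CONSISTENT = """\
krbtgt/MAC.MYDOMAIN.PT@MAC.MYDOMAIN.PT
krbtgt/WIN.MYDOMAIN.PT@MAC.MYDOMAIN.PT
krbtgt/MAC.MYDOMAIN.PT@WIN.MYDOMAIN.PT
"""


def realms_from_ksetup(commands):
    """Realm names passed to `ksetup /addkdc <REALM> <kdc-host>`."""
    realms = set()
    for cmd in commands:
        m = KSETUP_KDC_RE.search(cmd)
        if m:
            realms.add(m.group(1))
    return realms


def cross_realm_pairs(listprincs_output):
    """(target_realm, issuing_realm) for every krbtgt/X@Y with X != Y,
    one principal per line as kadmin's listprincs prints them."""
    pairs = set()
    for line in listprincs_output.splitlines():
        m = KRBTGT_RE.match(line.strip())
        if m and m.group(1) != m.group(2):
            pairs.add((m.group(1), m.group(2)))
    return pairs


def check_trust(windows_realm, kdc_realm, ksetup_commands, listprincs_output):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    for realm in (windows_realm, kdc_realm):
        if realm != realm.upper():
            findings.append(f"realm {realm!r} is not uppercase; realm names are case-sensitive")
    if kdc_realm not in realms_from_ksetup(ksetup_commands):
        findings.append(f"ksetup never registered a KDC for realm {kdc_realm!r}")
    present = cross_realm_pairs(listprincs_output)
    # Both directions are needed: krbtgt/WIN@MAC lets MAC-realm clients reach
    # WIN services, krbtgt/MAC@WIN lets WIN-realm clients reach MAC services.
    for want in ((windows_realm, kdc_realm), (kdc_realm, windows_realm)):
        if want not in present:
            findings.append(f"KDC is missing principal krbtgt/{want[0]}@{want[1]}")
    return findings


if __name__ == "__main__":
    for label, listing in (("as posted", LISTPRINCS_AS_POSTED),
                           ("consistent", LISTPRINCS_CONSISTENT)):
        result = check_trust("WIN.MYDOMAIN.PT", "MAC.MYDOMAIN.PT", KSETUP_SAMPLE, listing)
        print(label, "->", result or "OK")
```

Run against the two constructed listings, the first reports both cross-realm principals as missing because their realm names do not match the ones `ksetup` registered, and the second reports nothing.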

Supposedly Windows should trust the Mac OS X Server KDC to authenticate users, and both the Mac and Windows servers have user accounts.

Unfortunately this isn't working.
I've also noted that in certain documentation it's necessary to create user mappings from the Windows domain to the Kerberos domain, which is something that I don't want, because this involves account duplication, and I want to use either one server or the other to authenticate.
Is this possible? If so, what am I doing wrong in my procedure?
Thank you very much
Best regards

David
Anonymous
November 26, 2004 5:53:26 AM

In news:657964BE-BBA4-4964-83F5-AB072F4EC925@microsoft.com,
david carvalho <davidcarvalho@discussions.microsoft.com> made a post then I
commented below

I just worked on a similar issue for a client. You'll have to create a new
schema attribute. We called it "UniqueID". I have four PDFs I can email you
that discuss it and show you how to create it.

Also, once you've created the attribute, you'll want to extend the ADUC
interface to include the new attribute so you can adjust, add or change it,
by using this link:

Extending the User Interface for Directory Objects:
http://msdn.microsoft.com/library/default.asp?url=/libr...

I used LDIFDE to export the user accounts with a filter to export just that
attribute, modified the file so it will modify the new attribute, manually
made up a UniqueID for each user (starting at "1100", then "1101", "1102",
etc.), and imported it back into AD.

Email me if you want those PDFs. Replace my email address with my *actual*
firstnamelastname (no spaces, underscores or anything) @ hotmail.com.


--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
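The export, edit and re-import step in Ace's reply, done as a script instead of by hand. This is an added example and not Ace's own procedure or tooling: it parses a small LDIF export of the kind `ldifde -f` produces (constructed sample, three users, one of which already has a value), keeps any UniqueID that is already set, hands out the next unused number from 1100 to the rest, refuses to continue if two accounts already share a value, and writes a `changetype: modify` file that `ldifde -i` can import. The attribute name `UniqueID` is the one from the reply; the function names and the sample DNs are assumptions.

```python
"""Assign sequential UniqueID values to AD user accounts from an LDIF export.
Example code, not Ace's procedure; attribute name from the thread, the rest
(function names, sample entries) are assumptions."""
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# Constructed sample, shaped like an ldifde export limited to one attribute:
# `ldifde -f users.ldf -r "(objectClass=user)" -l UniqueID`.
SAMPLE_EXPORT = """\
dn: CN=Alice Example,OU=Users,DC=win,DC=mydomain,DC=pt
changetype: add
UniqueID: 1100

dn: CN=Bob Example,OU=Users,DC=win,DC=mydomain,DC=pt
changetype: add

dn: CN=Carol Example,OU=Users,DC=win,DC=mydomain,DC=pt
changetype: add
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF records into (dn, {attr_lower: [values]}).  Unfolds
    continuation lines (leading space) and skips '#' comments."""
    entries: List[Entry] = []
    block: List[str] = []

    def flush() -> None:
        dn = None
        attrs: Dict[str, List[str]] = {}
        for line in block:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
        block.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and block:
            block[-1] += raw[1:]        # LDIF line folding
        else:
            block.append(raw)
    flush()
    return entries


def assign_unique_ids(entries: List[Entry], start: int = 1100,
                      attr: str = "UniqueID") -> Dict[str, int]:
    """Map every dn to an integer id.  Existing values are kept and must be
    unique; accounts without one get the next unused number >= start."""
    key = attr.lower()
    assigned: Dict[str, int] = {}
    used = set()
    for dn, attrs in entries:                 # pass 1: honour existing values
        vals = attrs.get(key, [])
        if not vals:
            continue
        if len(vals) != 1 or not vals[0].isdigit():
            raise ValueError(f"{dn}: unexpected {attr} value(s) {vals}")
        val = int(vals[0])
        if val in used:
            raise ValueError(f"{dn}: {attr} {val} is already used by another account")
        used.add(val)
        assigned[dn] = val
    nxt = start
    for dn, _ in entries:                     # pass 2: fill the gaps
        if dn in assigned:
            continue
        while nxt in used:
            nxt += 1
        assigned[dn] = nxt
        used.add(nxt)
        nxt += 1
    return assigned


def render_modify_ldif(entries: List[Entry], assigned: Dict[str, int],
                       attr: str = "UniqueID") -> str:
    """One `changetype: modify` record per account that lacks the attribute,
    in the shape `ldifde -i -f file.ldf` imports."""
    key = attr.lower()
    records = []
    for dn, attrs in entries:
        if attrs.get(key):
            continue                          # already set; leave it alone
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n"
                       f"{attr}: {assigned[dn]}\n-\n")
    return "\n".join(records)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_EXPORT)
    print(render_modify_ldif(parsed, assign_unique_ids(parsed)))
```

Because existing values are preserved and only missing ones are written, the script can be re-run after new accounts are created without renumbering anyone, and the duplicate check catches the case where two accounts were given the same id by hand.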
Anonymous
November 30, 2004 10:53:08 AM

Hi !
Thanks for the reply.
I've sent an e-mail to your address, although I don't know how to check someone's real e-mail. So I hope it gets there.

What is strange is that I found lots of documentation, but no one said anything about extending Windows attributes, besides defining user maps!
Well, let's see!
Thanks!
David

Anonymous
December 6, 2004 10:08:45 PM

In news:AC33A652-0BD3-4F43-B9EF-024542430820@microsoft.com,
david carvalho <davidcarvalho@discussions.microsoft.com> made a post then I
commented below

Replied privately...

No problem, David. I hope we can both come to a resolve on this one.
:-)

Ace