Re: Openldap and Active Directory Trust Relationship

From: david carvalho (davidcarvalho_at_discussions.microsoft.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 07:53:08 -0800

Hi!
Thanks for the reply.
I've sent an e-mail to your address, although I don't know how to check
someone's real e-mail. So I hope it gets there.

What is strange is that I found lots of documentation, but no one said
anything about extending Windows attributes, besides defining user maps!
Well, let's see!
Thanks!
David

"Ace Fekay [MVP]" wrote:

> In news:657964BE-BBA4-4964-83F5-AB072F4EC925@microsoft.com,
> david carvalho <davidcarvalho@discussions.microsoft.com> made a post then I
> commented below
> > Hi!
> > I have a Mac OS X Server 10.3.6 with OpenLDAP already set up with user
> > accounts, and a Kerberos REALM associated with it, which is the server's
> > complete name in uppercase under "mydomain.pt".
> > I also have a Win2k3 Server Enterprise Edition with user accounts, for
> > which I've created "win.mydomain.pt".
> > What I want to do is use both domains to authenticate users from XP Pro
> > workstations through a trust relationship between the Windows domain and
> > the Kerberos realm, like the reference to trust relationships in
> > http://www.microsoft.com/TECHNET/prodtechnol/windows2000serv/howto/kerbstep.mspx#ECAA
> >
> > What I did:
> >
> > 1 - windows (dc) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
> > 2 - windows (dc) - create the trust (I've tried all kinds of trust,
> > bidirectional, etc.)
> >
> > 3 - windows (workstations) - ksetup /addkdc MAC.MYDOMAIN.PT
> > mac.mydomain.pt, and a new domain (Kerberos type) appears on the login
> > window
> >
> > 4 - Open Directory (kdc)
> > addprinc krbtgt/WIN.MEUDOMINIO.PT@MAC.MEUDOMINIO.PT
> > addprinc krbtgt/MAC.MEUDOMINIO.PT@WIN.MEUDOMINIO.PT
> > I've used the same passwords on the last 2 commands and on the trust
> > to avoid problems.
> >
> > Supposedly Windows should trust the Mac OS X Server KDC to authenticate
> > users, and both the Mac and Win servers have user accounts.
> >
> > Unfortunately this isn't working.
> > I've also noted that in certain documentation, it's necessary to create
> > user mappings from the Windows domain to the Kerberos domain, which is
> > something that I don't want, because this involves account duplication,
> > and I want to use either one server or the other to authenticate.
> > Is this possible? If so, what am I doing wrong in my procedure?
> > Thank you very much
> > Best regards
> >
> > David
>
> I just worked on a similar issue for a client. You'll have to create a new
> schema attribute. We called it "UniqueID". I have four PDFs I can email you
> that discuss it and show you how to create it.
>
> Also, once you've created the attribute, you'll want to extend the ADUC
> interface to include the new attribute so you can adjust, add or change it,
> by using this link:
>
> Extending the User Interface for Directory Objects:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_user_interface_for_directory_objects.asp
>
> I used LDIFDE to export the user accounts with a filter to just export that
> attribute, modified the file so it will modify the new attribute, manually
> made up a UniqueID for each user (starting at "1100", then "1101", "1102",
> etc.), and imported it back into AD.
>
> Email me if you want those PDFs. Replace my email address with my *actual*
> firstnamelastname (no spaces, underscores or anything) @ hotmail.com.
>
>
> --
> Regards,
> Ace
>
> G O E A G L E S !!!
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>



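The export / modify / import step Ace describes, as an added example that is not from the thread or from any Microsoft tool: it parses an LDIFDE-style user export and emits a `changetype: modify` LDIF that assigns sequential UniqueID values starting at 1100. The attribute name and starting number come from Ace's post; the sample export and the OU/DC names are constructed.

```python
"""Turn an LDIFDE user export into a modify-LDIF that numbers each user's UniqueID."""
import base64

# Constructed sample of what an LDIFDE export of two user objects looks like.
SAMPLE_EXPORT = """\
dn: CN=Alice Adams,OU=Staff,DC=win,DC=mydomain,DC=pt
changetype: add
objectClass: user
sAMAccountName: alice

dn: CN=Bob Brown,OU=Staff,DC=win,DC=mydomain,DC=pt
changetype: add
objectClass: user
sAMAccountName: bob
"""

def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}); handles folded lines and base64 (::) values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # a leading space continues the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, current = [], None, {}
    for line in lines + [""]:                   # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                entries.append((dn, current))
            dn, current = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _sep, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries

def ldif_dn_line(dn):
    """LDIF requires non-ASCII DNs to be base64-encoded with 'dn::'."""
    if dn.isascii():
        return f"dn: {dn}"
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")

def build_modify_ldif(entries, attribute="UniqueID", start=1100):
    """One 'replace' modification per entry; replace works whether or not the value exists yet."""
    records = []
    for n, (dn, _attrs) in enumerate(entries, start=start):
        records.append(f"{ldif_dn_line(dn)}\nchangetype: modify\nreplace: {attribute}\n{attribute}: {n}\n-\n")
    return "\n".join(records)
```

The output is what you would feed back in with `ldifde -i -f <file>`; run it against a test OU first and check that the numbering did not collide with values already assigned.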