Hmmm,

Sorry, no experience with Heimdal...

Did you follow the steps in the following article? They are designed for an MIT realm, but if you consult your Heimdal documentation you should be able to find equivalent commands.

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

Looks like you configured AD to trust the Kerberos realm, but not the Kerberos realm to trust AD. You will need to configure what are called cross-realm principals for this.

Example commands for an MIT realm (one krbtgt principal for each direction of the trust):

% kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"
% kadmin -q "ank -pw password krbtgt/[EMAIL PROTECTED]"


Also, if your clients are going to authenticate directly to your Kerberos realm then you may have to create a host principal (the Kerberos equivalent of a computer account) in your Kerberos realm for each client that you are directly authenticating.



Brent Westmoreland
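An added example (editor's code, not Brent's or anyone else's on this thread) that turns the advice above into a pre-flight check for a two-way AD/UNIX trust: it verifies that both krbtgt cross-realm principals exist in the UNIX KDC, that realm names are uppercase, that each AD name mapping is of the form user@REALM with the realm spelled exactly and the principal actually present, and that each workstation logging in directly has a host principal. It also emits the kadmin commands for whatever is missing; the MIT syntax is the one quoted above, the Heimdal `kadmin -l add --use-defaults -p` form is an assumption. The realm names, principals and the workstation name `pc1.example.com` are constructed for illustration.

```python
"""Sanity-check a planned two-way Active Directory <-> UNIX Kerberos trust.

Added example, not code from the original thread. Realm names, principals
and hostnames below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class TrustPlan:
    ad_realm: str                      # Windows 2000 domain, e.g. EXAMPLE.COM
    kerb_realm: str                    # UNIX Kerberos realm, e.g. EXAMPLE1.COM
    kdc_principals: set                # principals present in the UNIX KDC
    ad_name_mappings: dict             # AD account -> Kerberos name mapping
    client_hosts: list = field(default_factory=list)  # FQDNs of workstations


def cross_realm_principals(ad_realm, kerb_realm):
    """The two krbtgt principals a two-way trust needs in the UNIX KDC."""
    return (f"krbtgt/{ad_realm}@{kerb_realm}", f"krbtgt/{kerb_realm}@{ad_realm}")


def check_trust_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # Realm names are case-sensitive; AD expects them uppercase.
    for label, realm in (("AD realm", plan.ad_realm), ("Kerberos realm", plan.kerb_realm)):
        if realm != realm.upper():
            findings.append(f"{label} {realm!r} is not uppercase; realm names are case-sensitive")
    # Both directions of the trust need a krbtgt principal in the UNIX KDC.
    for princ in cross_realm_principals(plan.ad_realm, plan.kerb_realm):
        if princ not in plan.kdc_principals:
            findings.append(f"missing cross-realm principal {princ} in the UNIX KDC")
    # Each AD proxy account must map to an existing principal in the right realm.
    for account, mapping in plan.ad_name_mappings.items():
        name, sep, realm = mapping.partition("@")
        if not sep or not name or not realm:
            findings.append(f"name mapping for {account} ({mapping!r}) is not user@REALM")
        elif realm != plan.kerb_realm:
            findings.append(f"name mapping for {account} uses realm {realm!r}, expected {plan.kerb_realm!r}")
        elif mapping not in plan.kdc_principals:
            findings.append(f"name mapping for {account} points at {mapping}, which the KDC does not have")
    # Workstations authenticating directly to the realm need a host principal.
    for host in plan.client_hosts:
        princ = f"host/{host}@{plan.kerb_realm}"
        if princ not in plan.kdc_principals:
            findings.append(f"missing host principal {princ} for workstation {host}")
    return findings


def kadmin_commands(plan, password, flavour="mit"):
    """Commands that would create the missing cross-realm principals.

    'mit' uses the ank/-pw syntax quoted in the thread; 'heimdal' uses
    'kadmin -l add' with --use-defaults and -p (assumed Heimdal options).
    The same password must be used on the AD side of the trust.
    """
    cmds = []
    for princ in cross_realm_principals(plan.ad_realm, plan.kerb_realm):
        if princ in plan.kdc_principals:
            continue
        if flavour == "mit":
            cmds.append(f'kadmin -q "ank -pw {password} {princ}"')
        else:
            cmds.append(f"kadmin -l add --use-defaults -p {password} {princ}")
    return cmds


# Constructed input mirroring the setup described in the thread: the AD side
# trusts EXAMPLE1.COM and maps user lara, but the UNIX KDC has no krbtgt
# cross-realm principals and no host principal for the workstation.
LARA_PLAN = TrustPlan(
    ad_realm="EXAMPLE.COM",
    kerb_realm="EXAMPLE1.COM",
    kdc_principals={"lara@EXAMPLE1.COM", "krbtgt/EXAMPLE1.COM@EXAMPLE1.COM"},
    ad_name_mappings={"lara": "lara@EXAMPLE1.COM"},
    client_hosts=["pc1.example.com"],  # constructed workstation FQDN
)

if __name__ == "__main__":
    for line in check_trust_plan(LARA_PLAN):
        print("FINDING:", line)
    for cmd in kadmin_commands(LARA_PLAN, "<shared-trust-password>"):
        print("TODO:", cmd)
```

Run it as-is to see the three findings for the constructed setup (two missing krbtgt principals and the missing host principal); feed it the principal list from your own KDC to check a real plan before touching the workstations.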

On Mar 23, 2004, at 5:11 AM, Lara Adianto wrote:

Thank you Robbie, but I still can't get it to work :-(

When a win2k client tries to log in using my linux kerberos realm, it fails with error message: "The system could not log you on. Make sure that the username and password are correct. Letters in the password must be typed in the correct case..." bla bla bla

So...I'm wondering if I have missed some steps. Let's say that I use the following values:

Windows realm: EXAMPLE.COM
Linux realm: EXAMPLE1.COM
username: lara

These are the steps that I followed:

1. Create an External trust for EXAMPLE.COM
- On Active Directory Domains and Trusts, for domain EXAMPLE.COM, I added EXAMPLE1.COM to 'Domains trusted by this domain'

2. Create Account Mapping
- On Active Directory Users and Computers, for user lara, I created the name mapping to kerberos realm: [EMAIL PROTECTED]

3. Configure client to log in using linux kerberos realm
- On client machine: ksetup /addkdc EXAMPLE1.COM kerberos.example1.com

That's it..

Am I missing something here? Like resolving DNS? Any case-sensitivity issue?

I also notice this when I check the ksetup on my client:
C:> ksetup
default realm = example.com
EXAMPLE1.COM:
kdc = kerberos.example1.com
Failed to create Kerberos key: 5

Is this normal?

Oh yeah, btw my linux KDC is Heimdal and not MIT Kerberos, I hope this won't be an issue...

Phew...This is not as simple as I thought...
Has anybody got this to work before?

-lara-

--- Robbie Foust <[EMAIL PROTECTED]> wrote:
Hi Lara,

I think what you are looking for is this... In AD Users & Computers, click on "View" at the top and turn on "Advanced Features." Then, right click on the user account and click on "Name Mappings..." Then click on the "Kerberos Names" tab and add the principal name there (such as [EMAIL PROTECTED]).

Hope this helps!

- Robbie

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Lara Adianto wrote:

Thanks for all the replies guys..(I love this mailing list) :-)

After spending some time understanding the kerberos concept in windows, I believe that to achieve my goal, I need to create a two way trust relationship between the windows 2000 domain and my kerberos realm on linux machine (just like what Robbie has suggested)

The following is an excerpt from windows 2000 Kerberos Interoperability white paper (page 15):

Two-Way Trust
...
Goals
The analysts authenticate to the Kerberos realm and can then access both UNIX-based resources and Windows 2000-based applications and services.

* Kerberos Clients: Windows 2000 Professional
* Kerberos KDC: UNIX-based Kerberos V5 KDC
* Target Resource: Windows Application, File and Print Services

Implementation
This scenario builds on the client configuration and one-way trust implementations. First, the Windows 2000-based clients will be configured to logon to the Kerberos realm as discussed earlier. Secondly, a one-way trust relationship must be set up between the Windows 2000 domain and the Kerberos realm (the Windows domain trusts the Kerberos realm as an account domain). Finally, each Kerberos principal in the realm must have a corresponding Windows 2000 account. Each corresponding account (proxy account) in Windows 2000 must have the AltSecurityId property populated with the Kerberos principal name including the realm, for example, [EMAIL PROTECTED]

....

Currently, I'm in the middle of trying to implement the above hints. I have added the external trust in my win2k domain. I have configured the client to authenticate to my linux's kerberos realm using ksetup (thanks Robbie)...

BUT....I'm stuck with the account mapping. I've already got a win2k account for my kerberos principal in linux. Then the hint says that the mapping is contained in the AltSecurityId property of each win2k user.

The problem is that I don't know how to set this AltSecurityId. I can't find it in the Active Directory Users and Computers.

Where can I set the AltSecurityId to my linux kerberos realm? (This might be a dumb question, but I've tried to seek help on the net, but couldn't find anything)

Thanks a bunch,
Lara

--- Robbie Foust <[EMAIL PROTECTED]> wrote:


You actually don't configure AD, what you need to do is run ksetup.exe on the workstations (must be 2000 or XP) and add the kerberos realm & kerberos servers. (ksetup is part of the support tools). For example:

C:\> ksetup /addkdc MIT.KERBREALM.COM kserver.kerb.com

and then when the user logs in, they must select that realm from the drop down list.

Also, the user account in AD needs to have the kerberos name mapping added so AD will know how to match up the accounts. The name mapping would be something like "[EMAIL PROTECTED]".

So basically, the password stored in AD is ignored. Let me know if this helps, or if this isn't what you're trying to do at all. :-)

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Lara Adianto wrote:


Hi guys,

As the subject title says: can Microsoft Active Directory be configured to authenticate to an external ldap server (openLDAP in my case)?

To make things clearer, this is the objective that I want to achieve:

I want authentication of Microsoft Active Directory's clients to be done by OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask openLDAP for authentication service. openLDAP will return reject or allow to

=== message truncated ===


=====
------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks

- Guy de Maupassant -
------------------------------------------------------------------------------------

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/