Welcome to Adobe GoLive 6

Configuring Cross-Realm Authentication between Mac OS X Server's Open Directory and Active Directory.

1) On Domain Controller: run ksetup command to inform Active Directory of the new realm.

2) On Domain Controller: Use Active Directory Domains and Trusts to set up the trust. Find your domain in the initial MMC interface. Right click on it and choose properties. In the resulting window, click on Trusts.

Click on the Add button in the "Domains trusted by this domain" section. When prompted, enter the name of the Open Directory Realm. In a default configuration, the realm is the fully qualified domain name of the Open Directory Master. In keeping with Kerberos convention, it is capitalized. Be sure to note the password you enter for the new trust- you'll need it when you add the cross-realm keys to the Open Directory KDC.

...Windows will try to access the realm like it's a native Active Directory domain.When it is not able to, it will alert you:

...Click OK/

3) Now, on the Open Directory Master, use kadmin to set up the other side of the trust.

There are two commands there:


		sudo kadmin.local -q "add_principal -e des-cbc-crc:normal -pw apple krbtgt/ADS.EXAMPLE.COM@XSERVER.EXAMPLE.COM"

and ...


		sudo kadmin.local -q "add_principal -e des-cbc-crc:normal -pw apple krbtgt/XSERVER.EXAMPLE.COM@ADS.EXAMPLE.COM"

...use the pw flag to specify the password set up in 2), above. Note the use of DES encryption types. This is currently required. Although Active Directory and MIT Kerberos (now) share a higher quality RC4 encryption type, Active Directory tools assume DES when working with a Unix realm.

4) On domain controller: Use Active Directory Users and Computers. From the view menu, choose "Advanced Features"

...Now right-click on a user you'd like to enable cross-realm authentication for. Choose Name Mappings. In the resulting window, choose the "Kerberos Names" tab, and click the "Add" button. In the resulting dialog, add the principal that the user will use to access the Open Directory realm. Your organization should probably develop a standardized way to associate AD principals with Open Directory principals. This will ease management. In my case, I match the unqualified userPrincipalNames- mbartosh@ ADS.4A<-MEDIA.COM maps to mbartosh@GS.4AM-MEDIA.COM .

5) Finally, on each client that's going to access the cross-realm infrastructure, run ksetup, alerting them to the new realm.

...reboot. Clients should choose the Open Directory realm at the Windows login screen, and log in with their Open Directory password. The tgt from the Open Directory Realm will allow them to access resources in the Active Directory domain.

Note- in anyhting but the smallest organizations, steps 4 and 5 should be scripted.