klnasveschuk
New member
I'm trying to add 'altSecurityIdentities: KerberosREALM' to user accounts. I did this on AD using Windows 2003 R2 and it worked fine, until I did a round robin replacement of both AD servers to Windows 2008 R2. I have 2 AD servers. Automated scripts create AD accounts from an upstream source. Users are added using dsadd user .... after which I add 'altSecurityIdentities: KerberosREALM' for cross-realm authentication.
from ldifde.exe
ldifde -i -z -v -f ac.txt
This always fails with these messages when run from command line:
Connecting to "ad01.addomain.example.com"
Logging in as current user using SSPI
Importing directory from file "ac.txt"
Loading entries
1: CN=user2,CN=Users,DC=addomain,DC=example,DC=com
Add error on entry starting on line 1: Referral
0 entries modified successfully.
The command has completed successfully
Contents of ac.txt:
dn: CN=user2,CN=Users,DC=addomain,DC=example,DC=com
changetype: modify
add: altSecurityIdentities
altSecurityIdentities: Kerberos:user2@LINUX.EXAMPLE.COM
-
I also use the Linux utility 'ldapmodify', with a similar failure error from the script:
ldapmodify -x -c -h $AD_HOST -f $AD_LDIF -D $AD_ADMIN -w $AD_PW
modifying entry "CN=user2,CN=Users,DC=addomain,DC=example,DC=com"
ldap_modify: Referral (10)
additional info: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
ref 1: 'addomain.example.com'
referrals:
ldap://addomain.example.com/CN=user2,CN=Users,DC=addomain,DC=example,DC=com
Linux ldif:
DN: CN=user2,CN=Users,DC=addomain,DC=example,DC=com
changetype: modify
add: altSecurityIdentities
altSecurityIdentities: Kerberos:user2@LINUX.EXAMPLE.COM
If anyone has any ideas about the referral problem, please post. This was working nicely on Windows 2003 R2.