klnasveschuk
Posted May 19, 2010

I'm trying to add 'altSecurityIdentities: Kerberos:@REALM' to user accounts. I did this on AD using Windows 2003 R2 and it worked fine, until I did a round robin replacement of both AD servers to Windows 2008 R2.

I have 2 AD servers. Automated scripts create AD accounts from an upstream source. Users are added using dsadd user .... after which I add 'altSecurityIdentities: Kerberos:@REALM' for cross-realm authentication.

from ldifde.exe

    ldifde -i -z -v -f ac.txt

This always fails with these messages when run from command line:

    Connecting to "ad01.addomain.example.com"^M
    Logging in as current user using SSPI^M
    Importing directory from file "ac.txt"^M
    Loading entries
    1: CN=user2,CN=Users,DC=addomain,DC=example,DC=com
    Add error on entry starting on line 1: Referral^M
    0 entries modified successfully.^M
    The command has completed successfully

Contents of ac.txt:

    dn: CN=user2,CN=Users,DC=addomain,DC=example,DC=com
    changetype: modify
    add: altSecurityIdentities
    altSecurityIdentities: Kerberos:user2@LINUX.EXAMPLE.COM
    -

I also use a Linux utility 'ldapmodify' with similar failure

error from script:

    ldapmodify -x -c -h $AD_HOST -f $AD_LDIF -D $AD_ADMIN -w $AD_PW
    modifying entry "CN=user2,CN=Users,DC=addomain,DC=example,DC=com"
    ldap_modify: Referral (10)
            additional info: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
            ref 1: 'addomain.example.com'
            referrals:
                    ldap://addomain.example.com/CN=user2,CN=Users,DC=addomain,DC=example,DC=com

Linux ldif:

    DN: CN=user2,CN=Users,DC=addomain,DC=example,DC=com
    changetype: modify
    add: altSecurityIdentities
    altSecurityIdentities: Kerberos:user2@LINUX.EXAMPLE.COM

If anyone has any ideas about the referral problem, please post. This was working nicely on Windows 2003 R2.
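An added example, not part of the original post: a Python helper that parses the ldapmodify referral output quoted above and reports where the server is sending the client relative to the DN being modified. The function names and the contacted host passed in are assumptions; the sample text is the post's own output, embedded as constructed input.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed input: the ldapmodify output quoted in the post, embedded verbatim.
SAMPLE = """\
modifying entry "CN=user2,CN=Users,DC=addomain,DC=example,DC=com"
ldap_modify: Referral (10)
        additional info: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
        ref 1: 'addomain.example.com'
        referrals:
                ldap://addomain.example.com/CN=user2,CN=Users,DC=addomain,DC=example,DC=com
"""

def dn_to_dns(dn):
    """Join the DC= components of a DN into the DNS name they spell."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):      # split on unescaped commas only
        key, _, value = rdn.partition("=")
        if key.strip().lower() == "dc":
            parts.append(value.strip().lower())
    return ".".join(parts)

def parse_referral(output, contacted_host):
    """Summarise a referral failure (LDAP result 10); None if there is none."""
    entry = re.search(r'^modifying entry "(.+)"$', output, re.M)
    result = re.search(r"^ldap_modify: .+ \((\d+)\)$", output, re.M)
    urls = re.findall(r"^\s*(ldaps?://\S+)$", output, re.M)
    if not (entry and result and result.group(1) == "10" and urls):
        return None
    dn = entry.group(1)
    ref = urlsplit(urls[0])                     # first referral URL only
    ref_dn = unquote(ref.path.lstrip("/"))
    return {
        "dn": dn,
        "referral_host": ref.hostname,
        "same_dn": ref_dn.lower() == dn.lower(),
        "host_is_dn_domain": ref.hostname == dn_to_dns(dn),
        "back_to_contacted_host": ref.hostname == contacted_host.lower(),
    }

if __name__ == "__main__":
    # Assumption: the host in the ldifde transcript stands in for $AD_HOST.
    for key, value in parse_referral(SAMPLE, "ad01.addomain.example.com").items():
        print(f"{key}: {value}")
```

On the post's output, the referral names the same DN and a host equal to the DNS name spelled by the DN's DC components, not a different domain.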