0 Replies Latest reply: Feb 17, 2013 1:53 AM by 979011

    (JRE BUG?) Active directory forest

    979011
      We have a few Active Directory controllers and domains, and our system should be able to query one domain using a user from another domain.
      We didn't manage to do it in java 1.60_00 because of a bug:
      [Java Bug|http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=F6E8EB086BF9B51A61F4D441EC9DAFBD?noCount=true&externalId=KB33449&sliceId=2&cmd=displayKCPopup&docType=kc&isLoadPublishedVer=&docTypeID=DT_SUPPORTISSUE_1_1&ispopup=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl ]
      Currently we have a problem with the following setup:
      We are trying to connect to QA.DOM using the administrator user of D200.D1.W2K8.CORP.ME and we get the following error:
      "Mechanism level: Fail to create credential. (63) - No service creds".

      We can connect to RESOURCE.W2K8.CORP.ME, and we can also connect to QA.DOM if we are using D1.W2K8.CORP.ME's administrator.
      After investigating the pcap captures I think the Java implementation has a bug regarding transitive trust to domains with a different suffix.

      BTW: we tried the same scenario with an SMB-based package written in C and it works.


      Our active directory setup:

      QA.DOM <---ForestTrust---> D1.W2K8.CORP.ME <---ForestTrust---> RESOURCE.W2K8.CORP.ME
                                        ^
                                        |
                                 tree (two-way trust)
                                        |
                                        v
                               D200.D1.W2K8.CORP.ME (child of D1.W2K8.CORP.ME)


      And the krb file:
      [libdefaults]
           default_realm = D200.D1.W2K8.CORP.ME
           default_keytab_name = FILE:/usr/local/ctera/portal.keytab
      [realms]
           D200.D1.W2K8.CORP.ME = {
                kdc = D200.D1.W2K8.CORP.ME
           }
           D1.W2K8.CORP.ME = {
                kdc = D1.W2K8.CORP.ME
           }
           RESOURCE.W2K8.CORP.ME = {
                kdc = RESOURCE.W2K8.CORP.ME
           }
           QA.DOM = {
                kdc = QA.DOM
           }
      [domain_realm]
           .d200.d1.w2k8.corp.me = D200.D1.W2K8.CORP.ME
           d200.d1.w2k8.corp.me = D200.D1.W2K8.CORP.ME
           .d1.w2k8.corp.me = D1.W2K8.CORP.ME
           d1.w2k8.corp.me = D1.W2K8.CORP.ME
           .resource.w2k8.corp.me = RESOURCE.W2K8.CORP.ME
           resource.w2k8.corp.me = RESOURCE.W2K8.CORP.ME
           .qa.dom = QA.DOM
           qa.dom = QA.DOM

      Edited by: 976008 on Feb 16, 2013 11:44 PM

      Edited by: 976008 on Feb 16, 2013 11:45 PM

      Edited by: 976008 on Feb 16, 2013 11:53 PM
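The following is an added example, not code from the original post or from the JDK. It models the cross-realm path a Kerberos client derives from a krb5.conf: the textbook hierarchical walk of RFC 4120 section 1.2 (strip leading components of the client realm up to the common suffix, then descend toward the server realm; with no common suffix the walk passes through both top-level names), which a `[capaths]` section overrides. The posted configuration is embedded verbatim as sample input; the `[capaths]` addition is a constructed assumption, as is the simplification that a client realm with a direct trust to the server realm never needs the path at all. The exact walk performed by a given JDK version is not verified here and is treated as an assumption.

```python
"""Model Kerberos cross-realm path derivation for a krb5.conf.

Added example (not from the original post). Hierarchical walk follows
RFC 4120 section 1.2; [capaths] overrides it. The JDK's own walk is
assumed, not verified, to behave the same way.
"""

# The krb5.conf from the post, embedded as sample input.
POSTED_KRB5_CONF = """
[libdefaults]
     default_realm = D200.D1.W2K8.CORP.ME
     default_keytab_name = FILE:/usr/local/ctera/portal.keytab
[realms]
     D200.D1.W2K8.CORP.ME = {
          kdc = D200.D1.W2K8.CORP.ME
     }
     D1.W2K8.CORP.ME = {
          kdc = D1.W2K8.CORP.ME
     }
     RESOURCE.W2K8.CORP.ME = {
          kdc = RESOURCE.W2K8.CORP.ME
     }
     QA.DOM = {
          kdc = QA.DOM
     }
[domain_realm]
     .d200.d1.w2k8.corp.me = D200.D1.W2K8.CORP.ME
     d200.d1.w2k8.corp.me = D200.D1.W2K8.CORP.ME
     .d1.w2k8.corp.me = D1.W2K8.CORP.ME
     d1.w2k8.corp.me = D1.W2K8.CORP.ME
     .resource.w2k8.corp.me = RESOURCE.W2K8.CORP.ME
     resource.w2k8.corp.me = RESOURCE.W2K8.CORP.ME
     .qa.dom = QA.DOM
     qa.dom = QA.DOM
"""

# Constructed [capaths] section (assumption): tell the client that the only
# hop from the child domain to QA.DOM is its parent D1, and that D1 itself
# reaches QA.DOM directly ("." means no intermediate realm).
CAPATHS_ADDITION = """
[capaths]
     D200.D1.W2K8.CORP.ME = {
          QA.DOM = D1.W2K8.CORP.ME
     }
     D1.W2K8.CORP.ME = {
          QA.DOM = .
     }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: sections, key = value, and REALM = { ... } blocks.
    Repeated keys (as used in [capaths] for multi-hop paths) accumulate in a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = conf[section].setdefault(key, {})
            continue
        target = block if block is not None else conf[section]
        target.setdefault(key, []).append(value)
    return conf


def hierarchical_path(crealm, srealm):
    """Intermediate realms between crealm and srealm per the RFC 4120 walk
    (client and server realms themselves are excluded)."""
    c, s = crealm.split("."), srealm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common:
        up = [".".join(c[j:]) for j in range(1, len(c) - common + 1)]
        down = [".".join(s[j:]) for j in range(len(s) - common - 1, 0, -1)]
    else:  # no shared suffix: the walk passes through both top-level names
        up = [".".join(c[j:]) for j in range(1, len(c))]
        down = [".".join(s[j:]) for j in range(len(s) - 1, 0, -1)]
    return [r for r in up + down if r not in (crealm, srealm)]


def capaths_path(conf, crealm, srealm):
    """Path from [capaths], or None if the section does not cover this pair."""
    hops = conf.get("capaths", {}).get(crealm, {}).get(srealm)
    if hops is None:
        return None
    return [h for h in hops if h != "."]


def resolve_path(conf, crealm, srealm):
    """Return (source, path, hops_not_defined_in_[realms])."""
    path, source = capaths_path(conf, crealm, srealm), "capaths"
    if path is None:
        path, source = hierarchical_path(crealm, srealm), "hierarchy"
    known = set(conf.get("realms", {}))
    return source, path, [r for r in path if r not in known]


if __name__ == "__main__":
    for label, text in (("posted", POSTED_KRB5_CONF),
                        ("posted + capaths", POSTED_KRB5_CONF + CAPATHS_ADDITION)):
        conf = parse_krb5_conf(text)
        for target in ("RESOURCE.W2K8.CORP.ME", "QA.DOM"):
            src, path, missing = resolve_path(conf, "D200.D1.W2K8.CORP.ME", target)
            print(f"[{label}] -> {target}: via {src} {path}; undefined hops: {missing}")
```

Run on the posted configuration, the walk from D200.D1.W2K8.CORP.ME to QA.DOM goes through W2K8.CORP.ME, CORP.ME, ME and DOM, none of which is a realm, so a client that follows that list cannot obtain a krbtgt for the next hop; with the constructed `[capaths]` entry the path collapses to the single hop D1.W2K8.CORP.ME, which the config does define. Whether a particular JDK honors `[capaths]` for this case is for the reader to confirm against that JDK's Kerberos implementation.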