Thread: Cross-forest user administration


    Cross-forest user administration

    I have created a cross-forest trust between DSfW domain and MSAD domain. In both domains, I have added one user (call him CrossAdmin) as member of Builtin\Administrators group.

    I can log in to DSfW domain as CrossAdmin and successfully administer users in MSAD domain using "Active Directory Users and Computers". But the reverse doesn't work. If I log in to MSAD domain as CrossAdmin and in "Active Directory Users and Computers" try to switch to the DSfW domain, I get an error message:

    "The domain dsfwdomain.oursite could not be found because: Access is denied".

    At the same time, the following is logged to /var/log/messages on the DSfW server:

    krb5kdc: [KDC] Regenerating authorization data for cross-realm client CrossAdmin@MSAD.OURSITE
    krb5kdc: [KDC] Failed to locate PAC principal data buffer
    krb5kdc: [KDC] PAC lacks principal name authenticator
    krb5kdc: [KDC] Ticket for client CrossAdmin@MSAD.OURSITE is not bound to PAC

    Is this a restriction by design, or can it be made to work somehow?
    Last edited by vatson; 23-Mar-2015 at 12:54 PM.
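The four krb5kdc lines quoted in the post are the only evidence the DSfW side gives for the "Access is denied" failure, so a defender watching /var/log/messages wants to spot that pattern and attribute it to the cross-realm principal involved. The script below is an added example, not code from the post or from the DSfW project: it parses krb5kdc syslog lines and groups PAC-related messages under the cross-realm client the KDC was handling. The syslog prefix on the sample lines (timestamp, host name) is constructed, as is the second principal jdoe; the rule that the two messages carrying no principal belong to the most recently named cross-realm client is an assumption about log ordering, not documented KDC behaviour.

```python
import re
from collections import defaultdict

# Body of a krb5kdc syslog line; search() lets the same pattern handle lines
# with or without the "Mon DD hh:mm:ss host" prefix.
KDC_LINE = re.compile(r"krb5kdc: \[KDC\] (?P<msg>.*)$")

# Principal as the KDC prints it in the lines quoted in the post.
CLIENT = re.compile(
    r"(?:cross-realm client|for client) (?P<principal>[^\s@]+@(?P<realm>[A-Z0-9.\-]+))"
)

# Message fragments that indicate the PAC in a cross-realm ticket could not
# be used; taken verbatim from the lines quoted in the post.
PAC_MARKERS = (
    "Failed to locate PAC principal data buffer",
    "PAC lacks principal name authenticator",
    "is not bound to PAC",
)

# Constructed sample: the post's four lines with a syslog prefix added, plus
# an unrelated second principal and a non-KDC line to show they are ignored.
SAMPLE_LOG = """\
Mar 23 12:40:01 dsfw1 krb5kdc: [KDC] Regenerating authorization data for cross-realm client CrossAdmin@MSAD.OURSITE
Mar 23 12:40:01 dsfw1 krb5kdc: [KDC] Failed to locate PAC principal data buffer
Mar 23 12:40:01 dsfw1 krb5kdc: [KDC] PAC lacks principal name authenticator
Mar 23 12:40:01 dsfw1 krb5kdc: [KDC] Ticket for client CrossAdmin@MSAD.OURSITE is not bound to PAC
Mar 23 12:41:15 dsfw1 krb5kdc: [KDC] Regenerating authorization data for cross-realm client jdoe@MSAD.OURSITE
Mar 23 12:41:15 dsfw1 sshd[1234]: Accepted publickey for root from 10.0.0.5
""".splitlines()


def parse_kdc_pac_events(lines):
    """Walk krb5kdc lines in order and attribute each PAC-related message to
    the cross-realm client most recently named by the KDC (assumption: the
    KDC logs the principal before the PAC messages that concern it)."""
    current = None
    events = []
    for line in lines:
        m = KDC_LINE.search(line)
        if not m:
            continue  # not a KDC line
        msg = m.group("msg")
        c = CLIENT.search(msg)
        if c:
            current = c.group("principal")
        if current is None:
            continue  # PAC message before any principal was named; cannot attribute
        for marker in PAC_MARKERS:
            if marker in msg:
                events.append({
                    "client": current,
                    "realm": current.split("@", 1)[1],
                    "reason": marker,
                })
                break
    return events


def summarize(events):
    """Map each cross-realm principal to the list of PAC problems seen for it."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e["reason"])
    return dict(by_client)


def is_unbound_pac(events, client):
    """True when the KDC concluded the client's ticket carries no usable PAC,
    which is the condition behind the post's 'Access is denied' symptom."""
    return any(e["client"] == client and e["reason"] == "is not bound to PAC"
               for e in events)


if __name__ == "__main__":
    for client, reasons in summarize(parse_kdc_pac_events(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

Run against a real /var/log/messages, the summary tells you which foreign principals are failing PAC validation on the DSfW KDC, which is the first thing to collect before deciding whether the trust direction is a design limit or a configuration problem.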
