
Re: Is there a "CApath" concept in AD/DC?

daemon@ATHENA.MIT.EDU (Todd Grayson)
Fri Apr 17 12:20:39 2015

MIME-Version: 1.0
In-Reply-To: <1429279758.15907.30.camel@willson.usersys.redhat.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Fri, 17 Apr 2015 10:19:53 -0600
Message-ID: <CALNT6MUXtXfbYgOq6Jsg2jH4qUb+52rvURL+w8KSdMvpA+eY7w@mail.gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

We have seen, however, in limited testing and in field implementations,
that CApath can express to a MIT kerberos client the inherent domain trusts
on the AD side within a Forest.  We're planning on doing more testing with
it, but the discussion here applied to what we observed.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html

On Fri, Apr 17, 2015 at 8:09 AM, Simo Sorce <simo@redhat.com> wrote:

> On Fri, 2015-04-17 at 15:52 +0200, Rick van Rein wrote:
> > Hello,
> >
> > MIT krb5 features a "CApath" setting through which an external party can
> > help to find a path to realms that are not locally configured /
> > crossed-over.  Does Windows AD/DC have a similar feature, and how is it
> > setup?
> >
> > For MIT krb5 I believe it's not possible to relay anything unknown
> > through CApath (but an option may be the . realm) -- but would this work
> > on AD/DC?
> >
> > With this, crossover based on DNSSEC/DANE could be implemented in a
> > component external to the binaries of AD/DC, making the chances of
> > acceptance quite a bit higher.
> >
>
> Search for "AD name routing", you will find articles about how AD can do
> "routing" among trusted domains/forests, and how to set up "exceptions".
>
> Afaik it is not nearly as open ended as MIT's CApath, and works only
> with established (And 'verified') trusts relationships.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 
Todd Grayson
Customer Operations Engineering
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
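The kind of krb5.conf [capaths] stanza that expresses an AD forest's internal trust chain to an MIT client, as Todd describes above, is shown below. This is an added illustration, not configuration from the original message or from any of the posters. Every realm name is hypothetical: EXAMPLE.ORG is the MIT realm, CORP.EXAMPLE.COM the AD forest root, and EU.CORP.EXAMPLE.COM and APAC.CORP.EXAMPLE.COM child domains of that forest. It assumes that the only cross-realm trust the MIT realm actually holds is with the forest root, so tickets for the child domains must be routed through it.

```ini
# Hypothetical krb5.conf excerpt (added example, realm names invented).
# Syntax: CLIENT_REALM = { TARGET_REALM = INTERMEDIATE_REALM ... }
# A value of "." means "direct, no intermediate".
[capaths]
    # Principals from the MIT realm reaching services in the AD forest.
    EXAMPLE.ORG = {
        # Direct cross-realm trust to the forest root.
        CORP.EXAMPLE.COM      = .
        # Child domains are reached via the forest root's krbtgt;
        # the AD-side parent/child trust does the last hop.
        EU.CORP.EXAMPLE.COM   = CORP.EXAMPLE.COM
        APAC.CORP.EXAMPLE.COM = CORP.EXAMPLE.COM
    }

    # The reverse direction: AD users from a child domain authenticating
    # to services in the MIT realm also transit the forest root.
    EU.CORP.EXAMPLE.COM = {
        EXAMPLE.ORG           = CORP.EXAMPLE.COM
    }
    APAC.CORP.EXAMPLE.COM = {
        EXAMPLE.ORG           = CORP.EXAMPLE.COM
    }
```

To check that the path is being walked as intended, obtain a ticket for a service in a child domain (for example `kvno host/fileserver.eu.corp.example.com@EU.CORP.EXAMPLE.COM`) and inspect `klist`: the cache should hold `krbtgt/CORP.EXAMPLE.COM@EXAMPLE.ORG`, then `krbtgt/EU.CORP.EXAMPLE.COM@CORP.EXAMPLE.COM`, then the service ticket. Note the limit Simo points out: [capaths] only tells the MIT client which chain of krbtgts to request. Each KDC on the path, including the AD child-domain DC issuing the final ticket, still checks the transited-realm list against its own trust and transited policy, so a path the AD side has not established as a trust will be refused regardless of what the client side declares.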
