[32397] in Kerberos

RE: Any way to propagate db

daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Wed Jun 2 13:35:14 2010

From: "Wilper, Ross A" <rwilper@stanford.edu>
To: Simo Sorce <ssorce@redhat.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Wed, 2 Jun 2010 10:35:05 -0700
Message-ID: <C6BF43271ABC924B9A7057FAD2B4953F06BDA045DB@ITS-ExchMB02.stanford.edu>
In-Reply-To: <20100602132547.56dde659@willson.li.ssimo.org>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

That is true. I oversimplified a bit. This would allow you to have a KDC with equivalent principals. You would need a trust relationship and the external principal names set on the AD users as alternate security identities for the synchronized principals to work for Windows logon, etc. I had simply assumed this scenario.

-Ross

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Simo Sorce
Sent: Wednesday, June 02, 2010 10:26 AM
To: kerberos@mit.edu
Subject: Re: Any way to propagate db

On Wed, 2 Jun 2010 10:04:25 -0700
Techie <techchavez@gmail.com> wrote:

> Ok, thank you for the information. I was hoping there was a way to do
> something similar to a kprop from AD to an MIT KDC using some kind of
> AD tool. But I also imagined that would not be the case since there
> are likely many incompatibilities.
> I think I need to read up on the Microsoft Kerberos documentation.

Note that merely propagating passwords does not give you a KDC that is
able to release tickets that are valid in the AD realm.

The only code currently able to extract that info reliably lives in the
development version of samba called samba4 and implements a full
Windows DC with native replication.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
