[32399] in Kerberos
Re: Any way to propagate db
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Jun 2 14:17:15 2010
From: Russ Allbery <rra@stanford.edu>
To: "kerberos\@mit.edu" <kerberos@mit.edu>
In-Reply-To: <20100602135843.7abc3e34@willson.li.ssimo.org> (Simo Sorce's
message of "Wed, 2 Jun 2010 13:58:43 -0400")
Date: Wed, 02 Jun 2010 11:17:10 -0700
Message-ID: <8739x58fkp.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Simo Sorce <ssorce@redhat.com> writes:
> "Wilper, Ross A" <rwilper@stanford.edu> wrote:
>> That is true.. I oversimplified a bit. This would allow you to have a
>> KDC with equivalent principals. You would need a trust relationship and
>> the external principal names set on the AD users as alternate security
>> identities for the synchronized principals to work for Windows logon,
>> etc. I had simply assumed this scenario.
> Not sufficient, you need to provide a PAC for Windows Logons to work
> using principals from the MIT Realm.
Given that we do this routinely at Stanford using cross-realm trust
exactly as Ross describes, I think you've misunderstood something. I
believe AD adds the PAC for you when you do what Ross says and configure
the external principal names as alternate security identities.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
