Re: Any way to propagate db

daemon@ATHENA.MIT.EDU (Simo Sorce)
Wed Jun 2 14:54:07 2010

Date: Wed, 2 Jun 2010 14:54:00 -0400
From: Simo Sorce <ssorce@redhat.com>
To: kerberos@mit.edu
Message-ID: <20100602145400.27a9acd8@willson.li.ssimo.org>
In-Reply-To: <8739x58fkp.fsf@windlord.stanford.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, 02 Jun 2010 11:17:10 -0700
Russ Allbery <rra@stanford.edu> wrote:

> Simo Sorce <ssorce@redhat.com> writes:
> > "Wilper, Ross A" <rwilper@stanford.edu> wrote:
> 
> >> That is true. I oversimplified a bit. This would allow you to
> >> have a KDC with equivalent principals. You would need a trust
> >> relationship and the external principal names set on the AD users
> >> as alternate security identities for the synchronized principals
> >> to work for Windows logon, etc. I had simply assumed this scenario.
> 
> > Not sufficient, you need to provide a PAC for Windows Logons to work
> > using principals from the MIT Realm.
> 
> Given that we do this routinely at Stanford using cross-realm trust
> exactly as Ross describes, I think you've misunderstood something.  I
> believe AD adds the PAC for you when you do what Ross says and
> configure the external principal names as alternate security
> identities.

Ah sorry, I thought he wanted to use them as completely alternative
users. If you do map each MIT principal to an existing Windows user
then it does work, although it seems to make sense only as a transition
tool to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
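The mapping Ross and Simo describe (an existing cross-realm trust, plus each MIT principal recorded on the matching AD user as an alternate security identity so AD issues the PAC itself) can be applied and checked from the AD side. The following PowerShell is an added example written for this archive page, not code from the thread or from MIT Kerberos; it assumes the ActiveDirectory module is installed, that the realm trust already exists, and that the realm name, account names and the `$Mappings` table are constructed placeholders.

```powershell
# Added example (not from the thread): record MIT Kerberos principals on
# existing AD users via altSecurityIdentities, then verify each mapping.
# Assumptions: ActiveDirectory module present, cross-realm trust already
# created, and realm/user names below are constructed placeholders.
Import-Module ActiveDirectory

$MitRealm = 'EXAMPLE.EDU'                      # placeholder MIT realm (assumption)
$Mappings = @{                                 # constructed sample: sAMAccountName -> MIT principal
    'jdoe'   = "jdoe@$MitRealm"
    'asmith' = "asmith/admin@$MitRealm"
}

foreach ($sam in $Mappings.Keys) {
    # AD expects the literal 'Kerberos:' prefix in front of the principal name
    $value = "Kerberos:$($Mappings[$sam])"
    $user  = Get-ADUser -Identity $sam -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $value) {
        Write-Output "$sam already mapped to $value"
        continue
    }
    # -Add appends to the multi-valued attribute instead of overwriting it
    Set-ADUser -Identity $sam -Add @{ altSecurityIdentities = $value }
    Write-Output "Mapped $sam -> $value"
}

# Read-back check: each MIT principal should resolve to exactly one AD account.
# A principal present on two accounts is an ambiguous mapping and needs fixing
# before anyone relies on it for Windows logon.
foreach ($principal in $Mappings.Values) {
    $hits  = Get-ADUser -LDAPFilter "(altSecurityIdentities=Kerberos:$principal)"
    $count = @($hits).Count
    if ($count -ne 1) {
        Write-Warning "$principal maps to $count AD accounts (expected 1)"
    }
}
```

Creating the realm trust and agreeing on encryption types with the MIT KDC are separate steps not shown here; the script only covers the per-user mapping that the thread identifies as the piece needed for AD to attach the PAC. The read-back loop is the part worth keeping in routine checks, since a principal that ends up on two accounts is the kind of drift that a one-time provisioning script will not catch.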