[32402] in Kerberos
Re: Any way to propagate db
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Jun 2 15:00:52 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <20100602145400.27a9acd8@willson.li.ssimo.org> (Simo Sorce's
message of "Wed, 2 Jun 2010 14:54:00 -0400")
Date: Wed, 02 Jun 2010 12:00:47 -0700
Message-ID: <871vcp6yzk.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Simo Sorce <ssorce@redhat.com> writes:
> Russ Allbery <rra@stanford.edu> wrote:
>> Given that we do this routinely at Stanford using cross-realm trust
>> exactly as Ross describes, I think you've misunderstood something. I
>> believe AD adds the PAC for you when you do what Ross says and
>> configure the external principal names as alternate security
>> identities.
> Ah sorry, I thought he wanted to use them as completely alternative
> users. If you do map each MIT principal to an existing Windows user then
> it does work, although it seem to make sense only as a transition tool
> to me.
It's the way that we have our production realms at Stanford configured and
have for quite some time. For large sites, I'm a big advocate of running
both AD and UNIX KDCs with cross-realm trust and making them
interchangeable from the user perspective. It gives you lots of useful
flexibility in deploying applications.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
