[32403] in Kerberos
Re: Any way to propagate db
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Wed Jun 2 15:22:35 2010
Message-ID: <AD7935D969544C51935F4054AE7A8C14@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: <kerberos@mit.edu>
Date: Wed, 2 Jun 2010 14:22:00 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Russ Allbery <rra@stanford.edu> wrote:
> Simo Sorce <ssorce@redhat.com> writes:
>> Ah sorry, I thought he wanted to use them as completely alternative
>> users. If you do map each MIT principal to an existing Windows user then
>> it does work, although it seem to make sense only as a transition tool
>> to me.
>
> It's the way that we have our production realms at Stanford configured and
> have for quite some time. For large sites, I'm a big advocate of running
> both AD and UNIX KDCs with cross-realm trust and making them
> interchangeable from the user perspective. It gives you lots of useful
> flexibility in deploying applications.
I advocate just using the Active Directory realm. It is much, much simpler
to troubleshoot when there is no cross-realm invovled, especially when
different groups operate the different realms.
Other than some solvable issues of generating keytabs on non-Windows
platforms, I can't think of a reason why someone would want to make more
work for themselves with multiple realms.
What problem are you trying to solve by setting up a cross-realm trust?
<<CDC
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
