[36898] in Kerberos


Is there a "CApath" concept in AD/DC?

daemon@ATHENA.MIT.EDU (Rick van Rein)
Fri Apr 17 09:52:35 2015

Message-ID: <55311003.30907@openfortress.nl>
Date: Fri, 17 Apr 2015 15:52:03 +0200
From: Rick van Rein <rick@openfortress.nl>
MIME-Version: 1.0
To: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello,

MIT krb5 features a "CApath" setting through which an external party can
help to find a path to realms that are not locally configured /
crossed-over.  Does Windows AD/DC have a similar feature, and how is it
set up?

For MIT krb5 I believe it's not possible to relay anything unknown
through CApath (but an option may be the . realm) -- but would this work
on AD/DC?

With this, crossover based on DNSSEC/DANE could be implemented in a
component external to the binaries of AD/DC, making the chances of
acceptance quite a bit higher.

Thanks,
 -Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
