Re: Is there a "CApath" concept in AD/DC?
daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Apr 17 10:09:37 2015
Message-ID: <1429279758.15907.30.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Rick van Rein <rick@openfortress.nl>
Date: Fri, 17 Apr 2015 10:09:18 -0400
In-Reply-To: <55311003.30907@openfortress.nl>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, 2015-04-17 at 15:52 +0200, Rick van Rein wrote:
> Hello,
>
> MIT krb5 features a "CApath" setting through which an external party can
> help to find a path to realms that are not locally configured /
> crossed-over. Does Windows AD/DC have a similar feature, and how is it
> setup?
>
> For MIT krb5 I believe it's not possible to relay anything unknown
> through CApath (but an option may be the . realm) -- but would this work
> on AD/DC?
>
> With this, crossover based on DNSSEC/DANE could be implemented in a
> component external to the binaries of AD/DC, making the chances of
> acceptance quite a bit higher.
>
Search for "AD name routing"; you will find articles about how AD can do
"routing" among trusted domains/forests, and how to set up "exceptions".
AFAIK it is not nearly as open-ended as MIT's CApath, and works only
with established (and 'verified') trust relationships.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
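The CApath mechanism Rick asks about is the MIT krb5 [capaths] stanza, and the question of what can be "relayed" through it comes down to how a client turns that stanza into a realm path. The following is an added example (not part of the thread, and not MIT's code): it parses a constructed [capaths] fragment in krb5.conf brace syntax and resolves the intermediate realms the way the documented rules describe. An explicit entry for the client/server realm pair wins, a value of '.' means the two realms share a key directly, a tag repeated inside a block lists the hops in order, and with no entry at all the client falls back to the hierarchical walk through the realms' common parent. All realm names are invented; the hierarchical fallback is a simplified model that reports realms with no shared suffix as unroutable rather than reproducing MIT's full tree walk.

```python
"""Model of how an MIT krb5 client picks the realm transit path for a
cross-realm request: an explicit [capaths] entry wins, '.' means the two
realms share a key directly, and without an entry the client walks the
realm hierarchy through the shared parent realm.

Added example, not code from the thread or from MIT krb5. The krb5.conf
stanza and realm names below are constructed for illustration.
"""
from collections import defaultdict

# Constructed krb5.conf fragment. Repeating a tag inside a block lists the
# hops in order (A.EXAMPLE.COM -> EXAMPLE.COM -> EXAMPLE.NET -> B.EXAMPLE.NET).
KRB5_CONF = """\
[capaths]
    A.EXAMPLE.COM = {
        B.EXAMPLE.NET = EXAMPLE.COM
        B.EXAMPLE.NET = EXAMPLE.NET
        C.EXAMPLE.ORG = .
    }
    EXAMPLE.COM = {
        B.EXAMPLE.NET = EXAMPLE.NET
    }
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [hop, ...]}} from the [capaths]
    section of a krb5.conf-style text (brace syntax, '#' comments)."""
    capaths = defaultdict(lambda: defaultdict(list))
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            block = None
            continue
        if section != "capaths":
            continue
        if line.endswith("= {"):
            block = line[:-3].strip()
        elif line == "}":
            block = None
        elif block is not None and "=" in line:
            server, hop = (part.strip() for part in line.split("=", 1))
            capaths[block][server].append(hop)
    return {client: dict(servers) for client, servers in capaths.items()}


def hierarchical_path(client, server):
    """Fallback when no [capaths] entry exists: climb from the client realm to
    the longest common suffix of the two realm names, then descend to the
    server realm. Returns the intermediate realms only ([] means direct), or
    None when the realms share no suffix (this simplified model treats that
    as unroutable; a real deployment would need a [capaths] entry)."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return None
    # Ancestors of the client up to and including the common parent ...
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    # ... then the server's ancestors below that parent, top-down.
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    return [realm for realm in up + down if realm not in (client, server)]


def transit_path(capaths, client, server):
    """Intermediate realms the client will chain TGTs through."""
    if client == server:
        return []
    hops = capaths.get(client, {}).get(server)
    if hops is not None:
        # '.' means direct; an explicit hop list is used verbatim, in order.
        return [hop for hop in hops if hop != "."]
    return hierarchical_path(client, server)


if __name__ == "__main__":
    caps = parse_capaths(KRB5_CONF)
    for target in ("B.EXAMPLE.NET", "C.EXAMPLE.ORG", "B.EXAMPLE.COM", "X.EXAMPLE.ORG"):
        print(target, "->", transit_path(caps, "A.EXAMPLE.COM", target))
```

Nothing in this resolution step consults DNS or any external service: a route exists only if the file states it or the realm names imply it, and each KDC on the route still checks the ticket's transited field against its own configuration. That is the constraint behind Rick's remark that MIT cannot relay "anything unknown" through CApath.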