[37806] in Kerberos
Re: Kerberos "overlay" in mixed OS environment
daemon@ATHENA.MIT.EDU (Andrew Holway)
Tue Dec 6 03:37:30 2016
In-Reply-To: <39b71b988c8d48ebb822e681c74b5a0d@CY1PR0201MB005.001f.mgd2.msft.net>
From: Andrew Holway <andrew.holway@gmail.com>
Date: Tue, 6 Dec 2016 09:37:16 +0100
Message-ID: <CAEiui-sV95Ds4O44OwjXN4qDdiLFRz0pEtq0-GQUtQvTdMKr8w@mail.gmail.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
If you are on Linux, *I think* this is functionality that sssd does out of
the box, although I've never tested it.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/Configuring_Domains.html
On 5 December 2016 at 19:15, Nordgren, Bryce L -FS <bnordgren@fs.fed.us>
wrote:
> The answer is probably going to be "you can't do that", but I figured I'd
> ask anyway.
>
> Parameter #1: I have been allocated a handful of non-routable IP subnets
> on a university network where I am a guest.
> Parameter #2: Associated with the above is a single DNS subdomain.
> Parameter #3: The university retains control over DNS and DHCP.
> Parameter #4: The university set up the correct SRV records so that I can
> operate a KDC on my subdomain.
>
> My question is: Is there any way to operate two KDCs on the same DNS
> subdomain, serving complementary hosts?
>
> Reason #1: I want the "lightest footprint" possible, so as not to annoy
> our hosts.
> Reason #2: I want to take advantage of some of the centralized management
> niceties of AD and FreeIPA for Windows and Linux, respectively.
> Reason #3: I'm not sure I understand how to implement any kind of
> automatic Win/Linux segregation at the network level.
> Reason #4: Aside from the constraints Kerberos may (?) impose, I see no
> compelling reason to corral machines into subdomains by OS.
>
> Thanks for your patience.
> Bryce
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos