Any way to propagate db
Simo Sorce
ssorce at redhat.com
Wed Jun 2 14:54:00 EDT 2010
On Wed, 02 Jun 2010 11:17:10 -0700
Russ Allbery <rra at stanford.edu> wrote:
> Simo Sorce <ssorce at redhat.com> writes:
> > "Wilper, Ross A" <rwilper at stanford.edu> wrote:
>
> >> That is true.. I oversimplified a bit. This would allow you to
> >> have a KDC with equivalent principals. You would need a trust
> >> relationship and the external principal names set on the AD users
> >> as alternate security identities for the synchronized principals
> >> to work for Windows logon, etc. I had simply assumed this scenario.
>
> > Not sufficient, you need to provide a PAC for Windows Logons to work
> > using principals from the MIT Realm.
>
> Given that we do this routinely at Stanford using cross-realm trust
> exactly as Ross describes, I think you've misunderstood something. I
> believe AD adds the PAC for you when you do what Ross says and
> configure the external principal names as alternate security
> identities.
Ah sorry, I thought he wanted to use them as completely alternative
users. If you do map each MIT principal to an existing Windows user
then it does work, although it seem to make sense only as a transition
tool to me.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Kerberos
mailing list