Importing data?

Bjorn Tore Sund bjornts at mi.uib.no
Tue Jan 17 04:22:15 EST 2006


On Thu, 12 Jan 2006, Douglas E. Engert wrote:

> > > University of Bergen is setting up a unix/linux Kerberos realm to
> > > handle logons on our unix/linux clients and servers (about 1500).  Our
> > > problem is that all 30.000 users need principals on the KDC,
> 
> Why duplicate the user?
> 
> You could do cross realm between the AD realm and the Kerberos realm,
> so you only need the host principals registered in the MIT-based Kerberos
> realm. Let the users stay in AD. This is what we have done for years.
> 
> Another approach is to add the unix host principals to AD, so you
> don't have to setup any new realms. We are starting to migrate the
> host principals to AD.

Several reasons why we're keeping things separate.  One is that we
have separate student and staff AD realms.  This is fine in a world
of single-user OSes, but we want both students and staff to be able
to log in to the same unix/linux machine and be active at the same
time.

Second is that all our users will be accessing their home directories
with Kerberos authentication - Samba for now, AFS or NFSv4 at some 
later time.  That means our unix/linux infrastructure will be very
dependent on Kerberos functioning, and we don't trust Microsoft to
not break standards in new and interesting ways at some later time.
Cross-realm trust should continue working, I expect that at some 
point in time unix client binding to AD Kerberos will break in some
non-intuitive way.

Thanks to all who responded, I'll see what I can drag out of AD.

-BT
-- 
Bjørn Tore Sund           Phone:  (+47) 555-84894    Stupidity is like a
System administrator      Fax:    (+47) 555-89672    fractal; universal and
Math. Department          Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen      VIP:    81724
Support: http://bs.uib.no Contact: teknisk at mi.uib.no Direct: bjornts at mi.uib.no
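For readers following the cross-realm suggestion above: the following krb5.conf sketches what a unix/linux client in the setup Bjørn describes would carry, with the host's own keys in an MIT realm and users coming from two AD realms (staff and students) through direct cross-realm trust. This is an added example, not configuration from the thread or from the University of Bergen; every realm name, KDC host name and realm-mapping rule below is a placeholder assumption.

```ini
# Added example krb5.conf for a unix/linux host in an MIT realm that accepts
# logons from users of two Active Directory realms via cross-realm trust.
# Not from the mailing-list thread; all realm and host names are placeholders.

[libdefaults]
    # The host's own service principals (host/fqdn@UNIX.EXAMPLE.EDU) and its
    # keytab live in this realm; no user principals are duplicated into it.
    default_realm = UNIX.EXAMPLE.EDU
    dns_lookup_kdc = false

[realms]
    UNIX.EXAMPLE.EDU = {
        kdc = kdc1.unix.example.edu
        admin_server = kdc1.unix.example.edu
        # Map cross-realm client principals to local account names.  Rules are
        # tried in order and the first match wins.  Staff keep their AD user
        # name; students get an "s-" prefix so that the same short name in
        # both AD realms cannot map to one local account on the host.
        auth_to_local = RULE:[1:$1@$0](^.*@STAFF\.AD\.EXAMPLE\.EDU$)s/@.*//
        auth_to_local = RULE:[1:s-$1@$0](^.*@STUDENT\.AD\.EXAMPLE\.EDU$)s/@.*//
        # DEFAULT only maps single-component principals from the local realm;
        # anything from an unlisted realm therefore gets no local user.
        auth_to_local = DEFAULT
    }
    STAFF.AD.EXAMPLE.EDU = {
        kdc = dc1.staff.ad.example.edu
    }
    STUDENT.AD.EXAMPLE.EDU = {
        kdc = dc1.student.ad.example.edu
    }

[domain_realm]
    # Unix hosts resolve to the MIT realm, so service tickets for them are
    # issued by the MIT KDC after the cross-realm hop.
    .unix.example.edu = UNIX.EXAMPLE.EDU
    unix.example.edu  = UNIX.EXAMPLE.EDU
    # The AD domain controllers resolve to their own realms.
    .staff.ad.example.edu   = STAFF.AD.EXAMPLE.EDU
    .student.ad.example.edu = STUDENT.AD.EXAMPLE.EDU

[capaths]
    # Direct trusts: a client from either AD realm reaches UNIX.EXAMPLE.EDU
    # with a single cross-realm TGT.  '.' marks a direct path and keeps the
    # library from walking a hierarchical path through realms that do not exist.
    STAFF.AD.EXAMPLE.EDU = {
        UNIX.EXAMPLE.EDU = .
    }
    STUDENT.AD.EXAMPLE.EDU = {
        UNIX.EXAMPLE.EDU = .
    }
```

For this to work the MIT KDC database must hold the cross-realm principals krbtgt/UNIX.EXAMPLE.EDU@STAFF.AD.EXAMPLE.EDU and krbtgt/UNIX.EXAMPLE.EDU@STUDENT.AD.EXAMPLE.EDU, keyed identically to the trust created on the AD side and with an encryption type both KDCs support (names again placeholders). That single direction, the MIT realm trusting the AD realms, is all that is needed for AD users to obtain tickets for MIT-realm hosts; the host keytabs never leave the MIT realm, which is what keeps the unix infrastructure independent of AD as the message argues. The security-relevant piece is the auth_to_local block: with two user realms, stripping the realm naively would let a student and a staff member who share a user name land in the same local account, so the mapping must keep them distinct or reject one of them.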


