Any way to propagate db

Simo Sorce ssorce at redhat.com
Wed Jun 2 13:58:43 EDT 2010


On Wed, 2 Jun 2010 10:35:05 -0700
"Wilper, Ross A" <rwilper at stanford.edu> wrote:

> That is true. I oversimplified a bit. This would allow you to have a
> KDC with equivalent principals. You would need a trust relationship
> and the external principal names set on the AD users as alternate
> security identities for the synchronized principals to work for
> Windows logon, etc. I had simply assumed this scenario.

Not sufficient, you need to provide a PAC for Windows Logons to work
using principals from the MIT Realm. We are working to provide
something like this in the FreeIPA project, but it will take some time
before we have anything that can even be tested (and it uses Samba
components).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


