Any way to propagate db
Russ Allbery
rra at stanford.edu
Wed Jun 2 14:17:10 EDT 2010
Simo Sorce <ssorce at redhat.com> writes:
> "Wilper, Ross A" <rwilper at stanford.edu> wrote:
>> That is true.. I oversimplified a bit. This would allow you to have a
>> KDC with equivalent principals. You would need a trust relationship and
>> the external principal names set on the AD users as alternate security
>> identities for the synchronized principals to work for Windows logon,
>> etc. I had simply assumed this scenario.
> Not sufficient, you need to provide a PAC for Windows Logons to work
> using principals from the MIT Realm.
Given that we do this routinely at Stanford using cross-realm trust
exactly as Ross describes, I think you've misunderstood something. I
believe AD adds the PAC for you when you do what Ross says and configure
the external principal names as alternate security identities.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
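As an added illustration of the mapping Ross describes (this is not code from the thread or from either poster), the following PowerShell snippet records an MIT realm principal as an alternate security identity on an AD user and reads it back to verify. It assumes a realm trust between the AD domain and the MIT realm is already in place, and the user name `jdoe`, the realm `EXAMPLE.ORG` and the domain controller are placeholders.

```powershell
# Added example: map an MIT Kerberos principal to an AD account via altSecurityIdentities.
# Requires the ActiveDirectory module (RSAT) and rights to modify the target user.
Import-Module ActiveDirectory

$samAccountName = 'jdoe'                       # placeholder AD account
$mitPrincipal   = 'Kerberos:jdoe@EXAMPLE.ORG'  # placeholder MIT realm principal, "Kerberos:" prefix is required

# Add the external principal name as an alternate security identity.
Set-ADUser -Identity $samAccountName -Add @{ altSecurityIdentities = $mitPrincipal }

# Verify the mapping was written; a missing or mistyped value here is the usual
# reason cross-realm Windows logon fails even though the trust itself is healthy.
$user = Get-ADUser -Identity $samAccountName -Properties altSecurityIdentities
if ($user.altSecurityIdentities -contains $mitPrincipal) {
    Write-Output "Mapping present: $samAccountName <- $mitPrincipal"
} else {
    Write-Error "Mapping not found on $samAccountName"
}
```

Each AD account should carry exactly one mapping per external principal; auditing `altSecurityIdentities` across the domain (for example with `Get-ADUser -Filter * -Properties altSecurityIdentities`) is a useful periodic check, since a stale or duplicated mapping is an identity-binding error rather than a trust error.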