Any way to propagate db

Russ Allbery rra at stanford.edu
Wed Jun 2 14:17:10 EDT 2010


Simo Sorce <ssorce at redhat.com> writes:
> "Wilper, Ross A" <rwilper at stanford.edu> wrote:

>> That is true.. I oversimplified a bit. This would allow you to have a
>> KDC with equivalent principals. You would need a trust relationship and
>> the external principal names set on the AD users as alternate security
>> identities for the synchronized principals to work for Windows logon,
>> etc. I had simply assumed this scenario.

> Not sufficient, you need to provide a PAC for Windows Logons to work
> using principals from the MIT Realm.

Given that we do this routinely at Stanford using cross-realm trust
exactly as Ross describes, I think you've misunderstood something.  I
believe AD adds the PAC for you when you do what Ross says and configure
the external principal names as alternate security identities.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
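The configuration step Russ refers to, mapping an MIT-realm principal onto an AD account via altSecurityIdentities so that a cross-realm ticket can be used for Windows logon, looks like the following in PowerShell on a domain-joined administrative host. This is an added illustration, not a command from the thread; the account name, MIT realm and domain are placeholders, and the Active Directory module (RSAT) is assumed to be installed.

```powershell
# Added example (not from the original thread): map a Kerberos principal from an
# external MIT realm onto an AD user via altSecurityIdentities.
# Placeholders: 'jdoe' (sAMAccountName), 'EXAMPLE.ORG' (the MIT realm name).
# Prerequisite: a cross-realm trust between AD and EXAMPLE.ORG already exists.
Import-Module ActiveDirectory

$samAccount   = 'jdoe'
$mitPrincipal = 'jdoe@EXAMPLE.ORG'   # principal as issued by the MIT KDC

# The Kerberos: prefix tells AD to match on the client principal name in the
# cross-realm TGS exchange. -Add appends rather than overwriting existing values.
Set-ADUser -Identity $samAccount -Add @{ altSecurityIdentities = "Kerberos:$mitPrincipal" }

# Verification: confirm the mapping is stored as expected.
$user = Get-ADUser -Identity $samAccount -Properties altSecurityIdentities
$user.altSecurityIdentities

# Review check: list all accounts that carry any external principal mapping,
# so unexpected or stale mappings can be audited (a mapping grants logon as that
# AD identity to whoever holds the MIT principal).
Get-ADUser -LDAPFilter '(altSecurityIdentities=Kerberos:*)' -Properties altSecurityIdentities |
    Select-Object SamAccountName, altSecurityIdentities
```

Because a mapping in altSecurityIdentities lets the MIT principal act as that AD account, the last query is worth running periodically: every value should correspond to a known, current user in the trusted realm.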