Any way to propagate db

Techie techchavez at gmail.com
Wed Jun 2 14:44:14 EDT 2010


On Wed, Jun 2, 2010 at 11:17 AM, Russ Allbery <rra at stanford.edu> wrote:
> Simo Sorce <ssorce at redhat.com> writes:
>> "Wilper, Ross A" <rwilper at stanford.edu> wrote:
>
>>> That is true.. I oversimplified a bit. This would allow you to have a
>>> KDC with equivalent principals. You would need a trust relationship and
>>> the external principal names set on the AD users as alternate security
>>> identities for the synchronized principals to work for Windows logon,
>>> etc. I had simply assumed this scenario.
>
>> Not sufficient, you need to provide a PAC for Windows Logons to work
>> using principals from the MIT Realm.
>
> Given that we do this routinely at Stanford using cross-realm trust
> exactly as Ross describes, I think you've misunderstood something.  I
> believe AD adds the PAC for you when you do what Ross says and configure
> the external principal names as alternate security identities.
>
> --
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
Ok, now we are rolling. So let me ask you guys this.
With FreeIPA, can I use an existing Active Directory KRB Realm and DNS
environment instead of setting up my own? If so, I would like to do
that if possible.
I mean, ideally I would like to use an MIT KRB environment, but with the
accounts in AD it seems like it's not an option.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



