Any way to propagate db

[Russ Allbery]

Simo Sorce <ssorce at redhat.com> writes:
> Russ Allbery <rra at stanford.edu> wrote:

>> Given that we do this routinely at Stanford using cross-realm trust
>> exactly as Ross describes, I think you've misunderstood something.  I
>> believe AD adds the PAC for you when you do what Ross says and
>> configure the external principal names as alternate security
>> identities.

> Ah sorry, I thought he wanted to use them as completely alternative
> users. If you do map each MIT principal to an existing Windows user then
> it does work, although it seem to make sense only as a transition tool
> to me.

It's the way that we have our production realms at Stanford configured and
have for quite some time.  For large sites, I'm a big advocate of running
both AD and UNIX KDCs with cross-realm trust and making them
interchangeable from the user perspective.  It gives you lots of useful
flexibility in deploying applications.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>