Kerberos "overlay" in mixed OS environment

Simo Sorce simo at redhat.com
Tue Dec 6 05:25:47 EST 2016


Although with Linux you can manually list all the machines in one realm
and all the machines in the other and have your clients/kdc try to cope,
you can't really do that easily on the Windows side. AD KDCs assume that
they control all names in a DNS domain, so they will not cooperate if
some of the hosts are in a different realm. I think there is some GPO
that allows you to throw in some exceptions, but they are discouraged by
Microsoft and expensive to maintain after a handful are in.

Use a sub-domain for at least one of the two realms and save yourself a
lot of trouble.

Simo.

On Tue, 2016-12-06 at 09:37 +0100, Andrew Holway wrote:
> If you are on linux *I think* this is functionality that sssd does out of
> the box although I've never tested it.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/Configuring_Domains.html
> 
> On 5 December 2016 at 19:15, Nordgren, Bryce L -FS <bnordgren at fs.fed.us>
> wrote:
> 
> > The answer is probably going to be "you can't do that", but I figured I'd
> > ask anyway.
> >
> > Parameter #1: I have been allocated a handful of non-routable IP subnets
> > on a university network where I am a guest.
> > Parameter #2: Associated with the above is a single DNS subdomain.
> > Parameter #3: The university retains control over DNS and DHCP.
> > Parameter #4: The university set up the correct SRV records so that I can
> > operate a KDC on my subdomain.
> >
> > My question is: Is there any way to operate two KDCs on the same DNS
> > subdomain, serving complementary hosts?
> >
> > Reason #1: I want the "lightest footprint" possible, so as not to annoy
> > our hosts.
> > Reason #2: I want to take advantage of some of the centralized management
> > niceties of AD and FreeIPA for Windows and Linux, respectively.
> > Reason #3: I'm not sure I understand how to implement any kind of
> > automatic Win/Linux segregation at the network level.
> > Reason #4: Aside from the constraints Kerberos may (?) impose, I see no
> > compelling reason to corral machines into subdomains by OS.
> >
> > Thanks for your patience.
> > Bryce
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >


-- 
Simo Sorce * Red Hat, Inc * New York
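An added example, not code from this thread or from any of the projects named in it: a Python reimplementation of the MIT krb5 `[domain_realm]` lookup order (the host itself, then each parent domain with a leading dot and then without one), run over two constructed krb5.conf fragments. It covers only the krb5.conf step of realm mapping, not DNS lookups or KDC referrals, and the host names and realms are constructed. It shows the maintenance problem Simo describes: with both realms in one DNS domain every Linux host needs its own entry, and an unlisted host silently falls into the AD realm, whereas a subdomain needs a single dotted entry.

```python
# Constructed krb5.conf fragments (not from the thread). Flat layout: one DNS
# domain shared by AD and FreeIPA hosts, so each IPA host must be listed.
KRB5_CONF_FLAT = """
[domain_realm]
    .guest.example.edu = AD.GUEST.EXAMPLE.EDU
    guest.example.edu = AD.GUEST.EXAMPLE.EDU
    ipa.guest.example.edu = IPA.GUEST.EXAMPLE.EDU
    web01.guest.example.edu = IPA.GUEST.EXAMPLE.EDU
"""

# Subdomain layout: the Linux hosts live under linux.guest.example.edu and
# one dotted entry covers all of them, present and future.
KRB5_CONF_SUBDOMAIN = """
[domain_realm]
    .guest.example.edu = AD.GUEST.EXAMPLE.EDU
    .linux.guest.example.edu = IPA.GUEST.EXAMPLE.EDU
"""


def parse_domain_realm(conf):
    """Return the [domain_realm] section of a krb5.conf text as name -> realm."""
    mapping, in_section = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            name, realm = (s.strip() for s in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def host_realm(mapping, host):
    """Mimic MIT krb5's profile lookup order for a host name: try the exact
    host, then each parent domain, first with a leading dot ('.b.c') and
    then without it ('b.c'). Returns None when no entry matches."""
    cp = host.lower()
    while cp:
        if cp in mapping:
            return mapping[cp]
        if cp.startswith("."):
            cp = cp[1:]                      # '.b.c' -> 'b.c'
        else:
            idx = cp.find(".")
            cp = cp[idx:] if idx >= 0 else ""  # 'a.b.c' -> '.b.c', 'c' -> ''
    return None
```

With the flat fragment a host that nobody added to the list, such as `web02.guest.example.edu`, resolves to the AD realm; with the subdomain fragment `web02.linux.guest.example.edu` resolves to the IPA realm with no per-host entry.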
