On Wed, 02 Jun 2010 11:17:10 -0700
Russ Allbery <r...@stanford.edu> wrote:

> Simo Sorce <sso...@redhat.com> writes:
> > "Wilper, Ross A" <rwil...@stanford.edu> wrote:
> 
> >> That is true.. I oversimplified a bit. This would allow you to
> >> have a KDC with equivalent principals. You would need a trust
> >> relationship and the external principal names set on the AD users
> >> as alternate security identities for the synchronized principals
> >> to work for Windows logon, etc. I had simply assumed this scenario.
> 
> > Not sufficient, you need to provide a PAC for Windows Logons to work
> > using principals from the MIT Realm.
> 
> Given that we do this routinely at Stanford using cross-realm trust
> exactly as Ross describes, I think you've misunderstood something.  I
> believe AD adds the PAC for you when you do what Ross says and
> configure the external principal names as alternate security
> identities.

Ah sorry, I thought he wanted to use them as completely alternative
users. If you do map each MIT principal to an existing Windows user
then it does work, although it seems to make sense only as a transition
tool to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
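The mapping Ross describes and Russ confirms (each MIT principal set as an alternate security identity on an existing AD user, so that AD builds the PAC from that user's own group memberships) is done on the AD side with the altSecurityIdentities attribute. The script below is an added example, not code from the thread or from any of the posters; the realm name MIT.EXAMPLE, the account names and the principal names are placeholders, and it assumes the ActiveDirectory PowerShell module is installed and a cross-realm trust to the MIT realm already exists.

```powershell
# Added example (not from the thread): map MIT Kerberos principals onto existing
# AD accounts via altSecurityIdentities and report what is mapped afterwards.
# Realm, account and principal names are placeholders, not the posters' values.
# Assumes the ActiveDirectory module (RSAT) and an existing cross-realm trust.

$MitRealm = 'MIT.EXAMPLE'    # assumed: name of the MIT KDC realm
$Mappings = @{               # assumed: sAMAccountName -> MIT principal name
    'jdoe'   = 'jdoe'        # same name on both sides
    'asmith' = 'alice'       # principal name differs from the AD account name
}

function Get-KerberosAltSecId {
    param([string]$Principal, [string]$Realm)
    # AD expects Kerberos name mappings in the form "Kerberos:principal@REALM"
    return "Kerberos:$Principal@$Realm"
}

function Set-MitPrincipalMapping {
    param([string]$SamAccountName, [string]$Principal, [string]$Realm)
    $altId = Get-KerberosAltSecId -Principal $Principal -Realm $Realm
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $altId) {
        Write-Output "$SamAccountName already maps $altId"
        return
    }
    # -Add appends to the multi-valued attribute, so any existing mappings
    # (for example X509: entries used for smart-card logon) are preserved.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $altId }
    Write-Output "$SamAccountName now maps $altId"
}

foreach ($sam in $Mappings.Keys) {
    Set-MitPrincipalMapping -SamAccountName $sam -Principal $Mappings[$sam] -Realm $MitRealm
}

# Verification: list every AD user that carries a mapping into the MIT realm,
# which is also a useful periodic audit of who can log on with an MIT identity.
Get-ADUser -Filter "altSecurityIdentities -like 'Kerberos:*@$MitRealm'" -Properties altSecurityIdentities |
    Select-Object SamAccountName, altSecurityIdentities
```

Because the mapping points at an existing AD account, the PAC in the Windows service ticket is built from that account's SIDs and group memberships, which is why no PAC has to be supplied by the MIT KDC; the same property is why the final verification query is worth running regularly, since every entry it returns is an external principal that can obtain that account's Windows authorization.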
