Simo Sorce <sso...@redhat.com> writes: > Russ Allbery <r...@stanford.edu> wrote:
>> Given that we do this routinely at Stanford using cross-realm trust >> exactly as Ross describes, I think you've misunderstood something. I >> believe AD adds the PAC for you when you do what Ross says and >> configure the external principal names as alternate security >> identities. > Ah sorry, I thought he wanted to use them as completely alternative > users. If you do map each MIT principal to an existing Windows user then > it does work, although it seem to make sense only as a transition tool > to me. It's the way that we have our production realms at Stanford configured and have for quite some time. For large sites, I'm a big advocate of running both AD and UNIX KDCs with cross-realm trust and making them interchangeable from the user perspective. It gives you lots of useful flexibility in deploying applications. -- Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos