Russ Allbery <r...@stanford.edu> wrote:
> Simo Sorce <sso...@redhat.com> writes:
>> Ah sorry, I thought he wanted to use them as completely alternative
>> users. If you do map each MIT principal to an existing Windows user then
>> it does work, although it seems to make sense only as a transition tool
>> to me.
>
> It's the way that we have our production realms at Stanford configured and
> have for quite some time. For large sites, I'm a big advocate of running
> both AD and UNIX KDCs with cross-realm trust and making them
> interchangeable from the user perspective. It gives you lots of useful
> flexibility in deploying applications.

I advocate just using the Active Directory realm. It is much, much simpler to troubleshoot when there is no cross-realm involved, especially when different groups operate the different realms. Other than some solvable issues of generating keytabs on non-Windows platforms, I can't think of a reason why someone would want to make more work for themselves with multiple realms. What problem are you trying to solve by setting up a cross-realm trust?

<<CDC
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos