We have seen, however, in limited testing and in field implementations, that CApath can express to an MIT Kerberos client the inherent domain trusts on the AD side within a Forest. We're planning on doing more testing with it, but the discussion here applied to what we observed.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html

On Fri, Apr 17, 2015 at 8:09 AM, Simo Sorce <s...@redhat.com> wrote:
> On Fri, 2015-04-17 at 15:52 +0200, Rick van Rein wrote:
> > Hello,
> >
> > MIT krb5 features a "CApath" setting through which an external party can
> > help to find a path to realms that are not locally configured /
> > crossed-over. Does Windows AD/DC have a similar feature, and how is it
> > set up?
> >
> > For MIT krb5 I believe it's not possible to relay anything unknown
> > through CApath (but an option may be the . realm) -- but would this work
> > on AD/DC?
> >
> > With this, crossover based on DNSSEC/DANE could be implemented in a
> > component external to the binaries of AD/DC, making the chances of
> > acceptance quite a bit higher.
> >
>
> Search for "AD name routing", you will find articles about how AD can do
> "routing" among trusted domains/forests, and how to set up "exceptions".
>
> AFAIK it is not nearly as open ended as MIT's CApath, and works only
> with established (and 'verified') trust relationships.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Customer Operations Engineering
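An added illustration of the setup Todd describes (an MIT client using [capaths] to reach AD domains across a forest trust); this is example configuration written for this thread, not from either poster or from the Red Hat guide, and every realm name in it is a hypothetical placeholder. It assumes an MIT realm LAB.EXAMPLE with a single cross-realm key shared with the AD forest root CORP.EXAMPLE, and that the forest contains a child domain SALES.CORP.EXAMPLE and a second tree TREE2.NET:

```ini
# krb5.conf on the MIT side (client, and the MIT KDC so it accepts the same
# transited path when a ticket comes back the other way).
[libdefaults]
    default_realm = LAB.EXAMPLE

[capaths]
    # Each entry: <client realm> = { <target realm> = <intermediate realm(s)> }
    # "." means a direct cross-realm key exists, no intermediate hop.
    LAB.EXAMPLE = {
        CORP.EXAMPLE       = .
        # Child domain: the AD parent-child trust is transitive, so the client
        # first gets a krbtgt/CORP.EXAMPLE ticket, then asks CORP.EXAMPLE for
        # krbtgt/SALES.CORP.EXAMPLE. (Hierarchical names would be walked by
        # default; listing them explicitly pins the path you expect.)
        SALES.CORP.EXAMPLE = CORP.EXAMPLE
        # Second tree in the same forest: its name is not hierarchically
        # related, so without this line the client has no route at all.
        TREE2.NET          = CORP.EXAMPLE
    }
    # Reverse direction, used when the AD side authenticates to LAB.EXAMPLE
    # services and the MIT KDC checks the transited field of the ticket.
    CORP.EXAMPLE = {
        LAB.EXAMPLE = .
    }
    SALES.CORP.EXAMPLE = {
        LAB.EXAMPLE = CORP.EXAMPLE
    }
    TREE2.NET = {
        LAB.EXAMPLE = CORP.EXAMPLE
    }

[domain_realm]
    .corp.example       = CORP.EXAMPLE
    .sales.corp.example = SALES.CORP.EXAMPLE
    .tree2.net          = TREE2.NET
```

As Simo notes, [capaths] only tells the MIT side which hops to try; each AD DC on the path still applies its own trust and name-routing rules, so a hop the forest does not permit will be refused there regardless of what the client is configured to attempt. `kvno host/server.sales.corp.example` from the MIT client, followed by `klist`, shows whether the intermediate krbtgt/CORP.EXAMPLE ticket was obtained on the way.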