RE: Any way to propagate db

2010-06-02 Thread Wilper, Ross A
You could do this with a password change notification DLL on the AD domain controllers. There are some DLLs around that already do this. Of course, you can only propagate when a password is changed. -Ross -Original Message- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu

Re: Any way to propagate db

2010-06-02 Thread Techie
Ok, thank you for the information. I was hoping there was a way to do something similar to a kprop from AD to an MIT KDC using some kind of AD tool. But I also imagined that would not be the case since there are likely many incompatibilities. I think I need to read up on the Microsoft Kerberos docu

Re: Any way to propagate db

2010-06-02 Thread Simo Sorce
On Wed, 2 Jun 2010 10:04:25 -0700 Techie wrote: > Ok, thank you for the information. I was hoping there was a way to do > something similar to a kprop from AD to an MIT KDC using some kind of > AD tool. But I also imagined that would not be the case since there > are likely many incompatibilities

RE: Any way to propagate db

2010-06-02 Thread Wilper, Ross A
simply assumed this scenario. -Ross -Original Message- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Simo Sorce Sent: Wednesday, June 02, 2010 10:26 AM To: kerberos@mit.edu Subject: Re: Any way to propagate db On Wed, 2 Jun 2010 10:04:25 -0700 Techie

Re: Any way to propagate db

2010-06-02 Thread Simo Sorce
On Wed, 2 Jun 2010 10:35:05 -0700 "Wilper, Ross A" wrote: > That is true.. I oversimplified a bit. This would allow you to have a > KDC with equivalent principals. You would need a trust relationship > and the external principal names set on the AD users as alternate > security identities for the

Re: Any way to propagate db

2010-06-02 Thread Russ Allbery
Simo Sorce writes: > "Wilper, Ross A" wrote: >> That is true.. I oversimplified a bit. This would allow you to have a >> KDC with equivalent principals. You would need a trust relationship and >> the external principal names set on the AD users as alternate security >> identities for the synchro

Re: Any way to propagate db

2010-06-02 Thread Techie
On Wed, Jun 2, 2010 at 11:17 AM, Russ Allbery wrote: > Simo Sorce writes: >> "Wilper, Ross A" wrote: > >>> That is true.. I oversimplified a bit. This would allow you to have a >>> KDC with equivalent principals. You would need a trust relationship and >>> the external principal names set on the

Re: Any way to propagate db

2010-06-02 Thread Simo Sorce
On Wed, 02 Jun 2010 11:17:10 -0700 Russ Allbery wrote: > Simo Sorce writes: > > "Wilper, Ross A" wrote: > > >> That is true.. I oversimplified a bit. This would allow you to > >> have a KDC with equivalent principals. You would need a trust > >> relationship and the external principal names se

Re: Any way to propagate db

2010-06-02 Thread Russ Allbery
Simo Sorce writes: > Russ Allbery wrote: >> Given that we do this routinely at Stanford using cross-realm trust >> exactly as Ross describes, I think you've misunderstood something. I >> believe AD adds the PAC for you when you do what Ross says and >> configure the external principal names as

Re: Any way to propagate db

2010-06-02 Thread Christopher D. Clausen
Russ Allbery wrote: > Simo Sorce writes: >> Ah sorry, I thought he wanted to use them as completely alternative >> users. If you do map each MIT principal to an existing Windows user then >> it does work, although it seems to make sense only as a transition tool >> to me. > > It's the way that we

Re: Any way to propagate db

2010-06-02 Thread Russ Allbery
"Christopher D. Clausen" writes: > I advocate just using the Active Directory realm. It is much, much > simpler to troubleshoot when there is no cross-realm involved, > especially when different groups operate the different realms. > Other than some solvable issues of generating keytabs on non-