> That is not the way it works. The user would log in with
> [EMAIL PROTECTED] and get a ticket,
> krbtgt/[EMAIL PROTECTED]
> This is done from the Kerberos realm. Then when the user needed to access a Windows
> resource, such as the local workstation during login, a cross-realm ticket
> would be obtained, by the client, from the Kerberos realm, krbtgt/[EMAIL PROTECTED]
> This would be used to get the ticket for the server,
> host/[EMAIL PROTECTED]
> from the AD realm. If the account mappings were set up in AD as per
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> "Creating Account Mappings", this last service ticket would have the Microsoft PAC data in it.
>
> With cross realm the two AD/KDC never communicate directly. The client
> gets cross-realm tickets from one to use with the other.
>
> We do just the opposite. We have our users registered in Windows AD, and they authenticate to Windows, then get
> cross-realm tickets for Unix services
> that are registered in the MIT realm.
I think that's one of the ways you can do it, but that setup isn't considered "pass-through authentication," which is what we are going for.

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
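The ticket sequence the quoted reply describes (home-realm TGT, cross-realm TGT issued by the home KDC, service ticket issued by the AD KDC, with the two KDCs never talking to each other) can be modelled in a few dozen lines. The following is an added illustration, not code from either poster nor from MIT Kerberos or Windows; the realm names, principals and the `capaths`-style trust map are constructed, and the `pac_realms` parameter is a stand-in for "the AD realm has the account mappings in place", which is what the reply says makes the PAC appear. It also goes one step beyond the thread by handling the RFC 4120 hierarchical fallback (no direct trust configured) and by recording the ticket's `transited` realm list, which is the field a relying KDC or server checks before trusting a multi-hop ticket.

```python
"""Toy model of a Kerberos cross-realm ticket chain (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Ticket:
    sname: str                 # principal the ticket is for, e.g. krbtgt/AD.EXAMPLE.COM@MIT.EDU
    issuing_realm: str         # KDC realm that minted it
    transited: list = field(default_factory=list)   # intermediate realms that took part
    pac: bool = False          # Microsoft PAC authorization data present?


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


def hierarchical_path(src: str, dst: str) -> list:
    """Intermediate realms when no explicit trust path is configured: climb
    from src toward the shared DNS-style suffix, then descend to dst (RFC 4120 §1.2).
    Returns [] when the realms are adjacent or identical."""
    s, d = src.split("."), dst.split(".")
    n = 0
    while n < min(len(s), len(d)) and s[-1 - n] == d[-1 - n]:
        n += 1
    climb = [".".join(s[i:]) for i in range(1, len(s) - n)]       # ancestors of src
    shared = [".".join(s[len(s) - n:])] if n else []              # common ancestor realm
    descend = [".".join(d[i:]) for i in range(len(d) - n - 1, 0, -1)]  # toward dst
    return [r for r in climb + shared + descend if r not in (src, dst)]


def _next_kdc(tgt: Ticket) -> str:
    """krbtgt/NEXT@ISSUER can only be decrypted by the KDC of realm NEXT."""
    return tgt.sname.split("/", 1)[1].rsplit("@", 1)[0]


def _transited_after(presented: Ticket, crealm: str) -> list:
    # The issuing KDC appends the realm of the TGT it was shown, except the
    # client's own realm (which is never listed in transited).
    extra = [presented.issuing_realm] if presented.issuing_realm != crealm else []
    return presented.transited + extra


def ticket_chain(client: str, service: str, capaths=None, pac_realms=()) -> list:
    """Tickets the client obtains, in order: its own TGT (AS exchange), one
    cross-realm TGT per hop (each a TGS exchange against the previous TGT),
    then the service ticket from the service's realm. `capaths` maps
    (src, dst) -> intermediate realms, mirroring krb5.conf [capaths];
    an empty list means a direct trust like the MIT<->AD setup in the thread."""
    crealm, srealm = realm_of(client), realm_of(service)
    hops = (capaths or {}).get((crealm, srealm))
    if hops is None:
        hops = [] if crealm == srealm else hierarchical_path(crealm, srealm)
    targets = hops + [srealm] if srealm != crealm else []

    chain = [Ticket(f"krbtgt/{crealm}@{crealm}", crealm)]       # AS-REQ to home KDC
    for nxt in targets:                                          # cross-realm TGS-REQs
        presented = chain[-1]
        kdc = _next_kdc(presented)
        chain.append(Ticket(f"krbtgt/{nxt}@{kdc}", kdc, _transited_after(presented, crealm)))

    presented = chain[-1]                                        # final TGS-REQ for the service
    kdc = _next_kdc(presented)
    chain.append(Ticket(service, kdc, _transited_after(presented, crealm), pac=kdc in pac_realms))
    return chain


def transited_ok(ticket: Ticket, trusted_realms) -> bool:
    """What a relying KDC/server checks: every realm that handled the chain is one it trusts."""
    return all(r in trusted_realms for r in ticket.transited)


if __name__ == "__main__":
    direct = ticket_chain("alice@MIT.EDU", "host/ws.ad.example.com@AD.EXAMPLE.COM",
                          capaths={("MIT.EDU", "AD.EXAMPLE.COM"): []},
                          pac_realms={"AD.EXAMPLE.COM"})
    for t in direct:
        print(f"{t.sname:45s} issued by {t.issuing_realm:15s} transited={t.transited} pac={t.pac}")
    print("KDCs involved:", sorted({t.issuing_realm for t in direct}))
```

In the direct-trust case the output shows exactly three tickets and exactly two issuing realms, which is the point the reply makes: the MIT KDC issues the home TGT and the cross-realm TGT, the AD KDC issues the host ticket, and neither KDC contacts the other. Without a `capaths` entry the same call falls back to the hierarchical walk, and the resulting `transited` list is what `transited_ok` would reject on a server that only trusts its direct neighbour.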
