On Thu, 12 Jan 2006, Douglas E. Engert wrote:

> > > University of Bergen is setting up a unix/linux Kerberos realm to
> > > handle logons on our unix/linux clients and servers (about 1500). Our
> > > problem is that all 30.000 users need principals on the KDC,
>
> Why duplicate the user?
>
> You could do cross realm between the AD realm and the Kerberos realm,
> so you only need the host principals registered in the MIT based Kerberos
> realm. Let the users stay in AD. This is what we have done for years.
>
> Another approach is to add the unix host principals to AD, so you
> don't have to set up any new realms. We are starting to migrate the
> host principals to AD.
Several reasons why we're keeping things separate.

One is that we have separate student and staff AD realms. This is fine in a world of single-user OSes, but we want both students and staff to be able to log in to the same unix/linux machine and be active at the same time.

Second is that all our users will be accessing their home directories with Kerberos authentication - Samba for now, AFS or NFSv4 at some later time. That means our unix/linux infrastructure will be very dependent on Kerberos functioning, and we don't trust Microsoft to not break standards in new and interesting ways at some later time. Cross-realm trust should continue working; I expect that at some point in time unix client binding to AD Kerberos will break in some non-intuitive way.

Thanks to all who responded, I'll see what I can drag out of AD.

-BT

--
Bjørn Tore Sund            Phone:  (+47) 555-84894   Stupidity is like a
System administrator       Fax:    (+47) 555-89672   fractal; universal and
Math. Department           Mobile: (+47) 918 68075   infinitely repetitive.
University of Bergen       VIP:    81724
Support: http://bs.uib.no  Contact: [EMAIL PROTECTED]
Direct: [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
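The cross-realm layout Douglas describes (users stay in AD, only host principals live in the MIT realm), applied to the situation Bjørn raises where users from two separate AD realms must log in to the same Unix host, as an added example that is not from either poster. The realm names, KDC hostnames and the krb5.conf contents are assumed placeholders, not the University of Bergen's configuration.

```ini
# /etc/krb5.conf on a Unix/Linux host whose host principal is in the MIT realm.
# Assumed names: UNIX.EXAMPLE is the MIT-based realm holding only host
# principals; STUDENT.AD.EXAMPLE and STAFF.AD.EXAMPLE are the two Active
# Directory realms holding the user principals.
[libdefaults]
    default_realm = UNIX.EXAMPLE
    dns_lookup_kdc = false
    forwardable = true

[realms]
    UNIX.EXAMPLE = {
        kdc = kdc1.unix.example
        admin_server = kdc1.unix.example
        # Map authenticated AD principals to local account names. Rules are
        # tried in order and the first match wins; DEFAULT accepts only
        # single-component principals from the local realm, so a principal
        # from an untrusted realm maps to nothing and is refused.
        # [1:$1@$0] formats a one-component principal as "user@REALM",
        # the regexp pins the realm, and s/@.*// strips it off.
        auth_to_local = RULE:[1:$1@$0](^.*@STUDENT\.AD\.EXAMPLE$)s/@.*//
        auth_to_local = RULE:[1:$1@$0](^.*@STAFF\.AD\.EXAMPLE$)s/@.*//
        auth_to_local = DEFAULT
    }
    STUDENT.AD.EXAMPLE = {
        kdc = dc1.student.ad.example
    }
    STAFF.AD.EXAMPLE = {
        kdc = dc1.staff.ad.example
    }

[domain_realm]
    .unix.example = UNIX.EXAMPLE
    .student.ad.example = STUDENT.AD.EXAMPLE
    .staff.ad.example = STAFF.AD.EXAMPLE

[capaths]
    # Direct trust from each AD realm into the MIT realm: a client in an AD
    # realm obtains krbtgt/UNIX.EXAMPLE@<AD realm> from its own KDC and
    # presents it to kdc1.unix.example for the host service ticket.
    STUDENT.AD.EXAMPLE = {
        UNIX.EXAMPLE = .
    }
    STAFF.AD.EXAMPLE = {
        UNIX.EXAMPLE = .
    }
```

Both AD realms map onto the host's single account namespace, so student and staff user names must not collide (otherwise one rule should rewrite to a prefixed name that the host's account database knows). Each krbtgt/UNIX.EXAMPLE@<AD realm> principal must exist with the same key in that AD domain and in the MIT KDC, or the AD-issued cross-realm TGT is rejected by kdc1.unix.example.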
