That is true. I oversimplified a bit. This would allow you to have a KDC with equivalent principals. You would need a trust relationship and the external principal names set on the AD users as alternate security identities for the synchronized principals to work for Windows logon, etc. I had simply assumed this scenario.

-Ross

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Simo Sorce
Sent: Wednesday, June 02, 2010 10:26 AM
To: [email protected]
Subject: Re: Any way to propagate db

On Wed, 2 Jun 2010 10:04:25 -0700 Techie <[email protected]> wrote:

> Ok, thank you for the information. I was hoping there was a way to do
> something similar to a kprop from AD to an MIT KDC using some kind of
> AD tool. But I also imagined that would not be the case since there
> are likely many incompatibilities.
> I think I need to read up on the Microsoft Kerberos documentation.

Note that merely propagating passwords does not give you a KDC that is able to release tickets that are valid in the AD realm. The only code currently able to extract that info reliably lives in the development version of samba called samba4 and implements a full Windows DC with native replication.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
