On Wed, 2 Jun 2010 10:35:05 -0700 "Wilper, Ross A" <[email protected]> wrote:
> That is true.. I oversimplified a bit. This would allow you to have a
> KDC with equivalent principals. You would need a trust relationship
> and the external principal names set on the AD users as alternate
> security identities for the synchronized principals to work for
> Windows logon, etc. I had simply assumed this scenario.

Not sufficient, you need to provide a PAC for Windows Logons to work
using principals from the MIT Realm.

We are working to provide something like this in the FreeIPA project,
but it will take some time before we have anything that can even be
tested (and it uses samba components).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
