On Wed, Jun 2, 2010 at 11:17 AM, Russ Allbery <[email protected]> wrote:
> Simo Sorce <[email protected]> writes:
>> "Wilper, Ross A" <[email protected]> wrote:
>
>>> That is true.. I oversimplified a bit. This would allow you to have a
>>> KDC with equivalent principals. You would need a trust relationship and
>>> the external principal names set on the AD users as alternate security
>>> identities for the synchronized principals to work for Windows logon,
>>> etc. I had simply assumed this scenario.
>
>> Not sufficient, you need to provide a PAC for Windows Logons to work
>> using principals from the MIT Realm.
>
> Given that we do this routinely at Stanford using cross-realm trust
> exactly as Ross describes, I think you've misunderstood something. I
> believe AD adds the PAC for you when you do what Ross says and configure
> the external principal names as alternate security identities.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

Ok now we are rolling. So let me ask you guys this. With FreeIPA can I use an existing Active Directory KRB Realm and DNS environment instead of setting up my own? If so I would like to do that if possible. I mean ideally I would like to use an MIT KRB environment but with the accounts in AD it seems like it's not an option.

> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
