Simo Sorce <[email protected]> writes: > Russ Allbery <[email protected]> wrote:
>> Given that we do this routinely at Stanford using cross-realm trust >> exactly as Ross describes, I think you've misunderstood something. I >> believe AD adds the PAC for you when you do what Ross says and >> configure the external principal names as alternate security >> identities. > Ah sorry, I thought he wanted to use them as completely alternative > users. If you do map each MIT principal to an existing Windows user then > it does work, although it seem to make sense only as a transition tool > to me. It's the way that we have our production realms at Stanford configured and have for quite some time. For large sites, I'm a big advocate of running both AD and UNIX KDCs with cross-realm trust and making them interchangeable from the user perspective. It gives you lots of useful flexibility in deploying applications. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
