Although with Linux you can manually list all the machines in one realm and all the machines in the other and have your clients/KDC try to cope, you can't really do that easily on the Windows side. AD KDCs assume that they control all names in a DNS domain, so they will not cooperate if some of the hosts are in a different realm. I think there is some GPO that allows you to throw in some exceptions, but they are discouraged by Microsoft and expensive to maintain after a handful are in.

Use a sub-domain for at least one of the two realms and save yourself a lot of trouble.

Simo.

On Tue, 2016-12-06 at 09:37 +0100, Andrew Holway wrote:
> If you are on Linux *I think* this is functionality that sssd does out of the box, although I've never tested it.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/Configuring_Domains.html
>
> On 5 December 2016 at 19:15, Nordgren, Bryce L -FS <bnordg...@fs.fed.us> wrote:
>
> > The answer is probably going to be "you can't do that", but I figured I'd ask anyway.
> >
> > Parameter #1: I have been allocated a handful of non-routable IP subnets on a university network where I am a guest.
> > Parameter #2: Associated with the above is a single DNS subdomain.
> > Parameter #3: The university retains control over DNS and DHCP.
> > Parameter #4: The university set up the correct SRV records so that I can operate a KDC on my subdomain.
> >
> > My question is: Is there any way to operate two KDCs on the same DNS subdomain, serving complementary hosts?
> >
> > Reason #1: I want the "lightest footprint" possible, so as not to annoy our hosts.
> > Reason #2: I want to take advantage of some of the centralized management niceties of AD and FreeIPA for Windows and Linux, respectively.
> > Reason #3: I'm not sure I understand how to implement any kind of automatic Win/Linux segregation at the network level.
> > Reason #4: Aside from the constraints Kerberos may (?) impose, I see no compelling reason to corral machines into subdomains by OS.
> >
> > Thanks for your patience.
> > Bryce
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos

--
Simo Sorce * Red Hat, Inc * New York
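As an added illustration of the point Simo makes (not code from the thread or from any of the projects mentioned), here is how a krb5-style `[domain_realm]` lookup walks from a host name to a realm, and why putting the Linux hosts in their own sub-domain needs one mapping line while keeping them in the flat domain needs one line per host. The realm and domain names are hypothetical.

```python
from typing import Dict, List, Optional

# Constructed mapping in the shape of a krb5.conf [domain_realm] section.
# Entries starting with "." cover every host below that domain; entries
# without a dot match only that exact name. All names are hypothetical.
DOMAIN_REALM: Dict[str, str] = {
    ".example.edu": "AD.EXAMPLE.EDU",
    "example.edu": "AD.EXAMPLE.EDU",
    ".linux.example.edu": "IPA.EXAMPLE.EDU",   # one rule covers all Linux hosts
    "linux.example.edu": "IPA.EXAMPLE.EDU",
}


def host_to_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Resolve a host to a realm the way krb5 walks [domain_realm]:
    exact host name first, then each parent domain (with a leading dot)
    from most specific to least specific. Returns None if nothing matches."""
    name = hostname.rstrip(".").lower()
    if name in mapping:                    # an explicit per-host entry wins
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):        # ".sub.example.edu", ".example.edu", ".edu"
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def per_host_entries_needed(hosts: List[str], intended_realm: str,
                            mapping: Dict[str, str]) -> List[str]:
    """Hosts that the domain rules would send to the wrong realm, i.e. the
    ones that would each need their own explicit [domain_realm] line."""
    return [h for h in hosts if host_to_realm(h, mapping) != intended_realm]


if __name__ == "__main__":
    flat = ["box1.example.edu", "box2.example.edu"]           # Linux hosts in the AD domain
    subdomain = ["box1.linux.example.edu", "box2.linux.example.edu"]
    print(per_host_entries_needed(flat, "IPA.EXAMPLE.EDU", DOMAIN_REALM))       # both hosts
    print(per_host_entries_needed(subdomain, "IPA.EXAMPLE.EDU", DOMAIN_REALM))  # []
```

This models only the client-side mapping that Simo says Linux can do by hand; it does not change the AD-side behaviour he describes, where the KDC assumes it owns every name in the DNS domain.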