Re: Kerberos "overlay" in mixed OS environment

2016-12-07 Thread Simo Sorce
On Wed, 2016-12-07 at 17:17 +, Nordgren, Bryce L -FS wrote:
> > Use a sub-domain for at least one of the two realms and avoid yourself
> a lot of trouble.
>
>
> Ah. I don't control the network. And it sounds to me like what you're
> saying is that there's more than "trouble". Windows is complet

RE: Kerberos "overlay" in mixed OS environment

2016-12-07 Thread Nordgren, Bryce L -FS
> Use a sub-domain for at least one of the two realms and avoid yourself a lot of
> trouble.

Ah. I don't control the network. And it sounds to me like what you're saying is that there's more than "trouble". Windows is completely unsupportable in this environment because it can't adapt, and I can

Re: Kerberos "overlay" in mixed OS environment

2016-12-07 Thread Robert Wehn
Hi Bryce, what you plan works if one of the REALMs is a non-Windows/AD realm. For AD, at least the DCs (aka Kerberos servers) need to have the DNS FQDN match the REALM they serve. dc1.mydomain.com should serve the krb realm MYDOMAIN.COM and the LDAP namespace dc=mydomain,dc=de. The (Windows)

Re: Kerberos "overlay" in mixed OS environment

2016-12-06 Thread Simo Sorce
Although with Linux you can manually list all the machines in one realm and all the machines in the other and have your clients/kdc try to cope, you can't really do that easily on the Windows side. AD KDCs assume that they control all names in a DNS domain, so they will not cooperate if some of the

Re: Kerberos "overlay" in mixed OS environment

2016-12-06 Thread Andrew Holway
If you are on Linux *I think* this is functionality that sssd does out of the box, although I've never tested it. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/Configuring_Domains.html

On 5 December 2016 at 19:15, Nordgren, Bryce L -FS wrote:
> The

Re: Kerberos "overlay" in mixed OS environment

2016-12-05 Thread Todd Grayson
You shape the world view (REALM, DNS domain to realm mapping, default_realm) in your krb5.conf on your participating systems. You don't need to have DNS SRV records for everything you are doing (but they help/can be a hindrance - e.g. performance). Your one rule is you must use unique namespaces fo