[28813] in Kerberos
Recommendations for Mixing Windows and non-Windows Domains?
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Thu Nov 29 20:07:33 2007
Message-Id: <A300553E-7ED5-4ADB-B6FE-2801E8ABD304@jpl.nasa.gov>
To: kerberos <kerberos@mit.edu>
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Thu, 29 Nov 2007 17:07:06 -0800

If you run a Windows Domain and you also use BIND and MIT (or
Heimdal) for DNS/Kerberos then you must have a strategy for
preventing them from stepping on each other. Can I ask people for
thumbnails of how you-all do that? What raw services are handled by
which servers? Are there "magic" settings on the clients that make
it work?

Significant services (which may need duplication or conflict
resolution between Unix and AD):

Forward DNS -- I suspect you serve separate DNS domains from BIND
    vice AD servers
Reverse DNS -- Which platform gets which IP numbers, i.e. do you mix
    or segregate them?
DHCP -- 1 or 2 DHCP services, provided by which? Does DHCP care
    about platform?
DynDNS -- How is this integrated with DHCP (plus the above question).
Kerberos -- krb5.conf or DNS SRV?
Cross-realm -- Set up? Server-side referrals implemented (outside
    the DC that is)?

Client configuration questions:

advertised DNS servers -- BIND, DC, mix, pre-configured or DHCP
    supplied?
cross-realm -- [domain_realm] section or DNS records maintained?

I'm just listing the things that I can think of. Please tell me what
I haven't thought of!

If you want to reply privately, I will try to summarize to the list.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu