[38797] in Kerberos
Re: Kerberos Database Sync with Sub-Domains
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Tue Jul 14 09:37:40 2020
In-Reply-To: <MN2PR15MB307126BA462A1DCB1F65B055B9610@MN2PR15MB3071.namprd15.prod.outlook.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Jul 2020 15:34:59 +0200
Message-ID: <CAC-fF8R9BSmW8MokUxt3ybGB0ANG9iUNQarbf17jTx4y3TJzRA@mail.gmail.com>
To: Jonathan Towles <jjtowles@synterex.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Tue, Jul 14, 2020 at 3:22 PM Jonathan Towles <jjtowles@synterex.com> wrote:
>
> So by using enterprise principal names, you can essentially point it at the parent domain KDC, and it can get a ticket for even users in the sub-domains?

Client-referrals are used to locate the realm, see details in RFC 6806.

> That's only something that can be done in the GSS config right? You can't do it in the KRB5.conf file?

For kinit, you just need to pass the '-E' flag, no conf involved.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos