Hi again
Just wanted to finish up this topic. Great reading this TechNet article, the whole thing makes a lot more sense now. Definitely worth mentioning in the documentation.
Also worth mentioning is that, depending on Active Directory configuration, the distribution of the key between the domain controllers can take several minutes.
So far so good, thanks a lot for your support, gents.
Cheers
Josh
-----Original Message-----
From: sssd-devel-bounces@lists.fedorahosted.org [mailto:sssd-devel-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: Monday, 28 November 2011 18:02
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question
On Mon, 28 Nov 2011, Ondrej Valousek wrote:
> I do not think so - see my post earlier today. I think it actually makes sense in terms of improved security. You can tell your KDC which TGS tickets can be issued for a specified machine. A good article is here: http://technet.microsoft.com/en-us/library/cc755804%28WS.10%29.aspx
It wasn't clear to me what security benefit you're describing here. What *specifically* do you think this improves security-wise?
I wasn't clear how you could use this to tell your KDC which TGS tickets can be issued for a specified machine, given the specified machine's Kerberos credential is allowed to create new service principals.
jh