Maybe some volunteer to write some document on a sssd wiki page?
I do not have access myself.....

Ondrej

On 12/14/2011 10:21 AM, Josh Geisser wrote:
Hi again

Just wanted to finish up this topic. Great reading this technet article, the whole thing makes a lot more sense now. Definitely worth mentioning in the documentation.

Also worth mentioning is that depending on Active Directory configuration, the distribution of the key between the domain controllers can take several minutes.

So far so good, thanks a lot for your support gents
Cheers
Josh

-----Original Message-----
From: sssd-devel-bounces@lists.fedorahosted.org [mailto:sssd-devel-bounces@lists.fedorahosted.org] On Behalf Of John Hodrien
Sent: Monday, 28 November 2011 18:02
To: Development of the System Security Services Daemon
Subject: Re: [SSSD] GSSAPI and Kerberos - understanding question

On Mon, 28 Nov 2011, Ondrej Valousek wrote:

I do not think so - see my post earlier today. I think it actually makes
sense in terms of improved security. You can tell your KDC which TGS tickets
can be issued for a specified machine.
A good article is here:
http://technet.microsoft.com/en-us/library/cc755804%28WS.10%29.aspx

It wasn't clear to me what security benefit you're describing here.  What
*specifically* do you think this improves security wise?

I wasn't clear how you could use this to tell your KDC which TGS tickets can
be issued for a specified machine, given the specified machine's Kerberos
credential is allowed to create new service principals.

jh