net ads join <-> cross realm trust
Miguel Sanders
miguelsanders at telenet.be
Thu Aug 9 17:16:58 GMT 2007
Jerry
What I would like to see is the following:
Now (using net ads join) I can see in kerbtray that a host and a cifs service ticket are issued in the following form:
host/FQDN@WINDOWSDOMAIN (in which FQDN is the fully qualified DNS name of the UNIX machine)
cifs/FQDN@WINDOWSDOMAIN
I would like to see host/FQDN@MIT and cifs/FQDN@MIT service tickets issued by the cross realm, since our UNIX principals are gathered in the MIT realm.
What steps need to be performed to obtain this?
Thanks a lot
----- Original Message -----
From: Gerald (Jerry) Carter
To: miguelsanders at telenet.be
Cc: samba-technical at lists.samba.org
Sent: Wednesday, August 08, 2007 6:42 PM
Subject: Re: net ads join <-> cross realm trust
Miguel,
> At our site we have cross realm trust between AD and UNIX,
> where the user accounts are located in AD and the service
> principals in UNIX. Now it seems that net ads join creates a
> computer account in AD along with a host principal (host/FQDN@AD)
> and a cifs service principal (cifs/FQDN@AD). Because of the trust,
> wouldn't it be possible to create those service principals in the
> UNIX realm (where they actually belong)?
If you are joining the machine to AD, then the machine SPN
belongs in AD. If you want to put the machine as a principal
in the Unix realm and map it to an account in AD, that is up
to you. But this is entirely different than joining the AD
domain from my perspective.
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian