On Thu, 2004-03-18 at 07:52, Andreas wrote:
> On Wed, Mar 17, 2004 at 09:29:39PM +0100, Johan Danielsson wrote:
> > Andreas <andreas@conectiva.com.br> writes:
> > 
> > > Would it make sense to replicate a heimdal kerberos database to,
> > > say, 300 remote sites interconnected with a WAN link?
> > 
> > I can't see any immediate reason to do this. What are you trying to
> > accomplish?
> 
> These remote sites need to be able to authenticate everyone, including people
> from the other sites. I guess establishing cross-realm authentication in this
> scenario would be too much, so I figured having only a single realm and using
> replication. Or perhaps some trick with the ldap backend?

You can replicate these things with LDAP, yes. The problem is that changes on
the remote LDAP servers will not be allowed, given Heimdal's current LDAP
authentication model.

I *think* the kerberos solution to this is to only run kpasswdd/kadmind on the
central server.

Otherwise, it is quite possible to force the remote site to rebind to the
central LDAP server for updates, like Samba does, but the code doesn't allow
this at present.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
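The layout Andrew describes, as an added configuration example that is not part of the thread and not Heimdal's or Samba's own documentation: one realm, the KDC database held in LDAP and replicated to every site, remote KDCs reading only their local replica, and kadmind/kpasswdd running solely on the central server so that every write goes there. The realm name, DN, hostnames and file paths are assumptions for illustration, as is the assumption that each KDC's LDAP backend talks to the LDAP server on its own host; replication of the LDAP tree itself is left to the directory server.

```ini
# Added example, not from the original thread. Realm, DNs, hostnames and
# paths are placeholders. Comments are on their own lines because krb5.conf
# parsers do not reliably accept trailing comments.

# ---- krb5.conf on a REMOTE site KDC ----
# The KDC answers AS/TGS requests from the local, read-only LDAP replica.
# Anything that writes (kadmin, kpasswd) is pointed at the central server.
[libdefaults]
	default_realm = EXAMPLE.COM

[realms]
	EXAMPLE.COM = {
		# local KDC first, central hub as fallback if the replica is down
		kdc = kdc.site17.example.com
		kdc = kdc.central.example.com
		# kadmind and kpasswdd only run centrally
		admin_server = kdc.central.example.com
		kpasswd_server = kdc.central.example.com
	}

[kdc]
	database = {
		# Heimdal hdb-ldap backend; the subtree is what the directory replicates
		dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
		# every KDC needs the same master key to decrypt the replicated keys
		mkey_file = /var/heimdal/m-key
	}

# ---- krb5.conf on the CENTRAL KDC (the only writer) ----
[kdc]
	database = {
		dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
		mkey_file = /var/heimdal/m-key
		# kadmind ACL; only meaningful on the host that runs kadmind
		acl_file = /var/heimdal/kadmind.acl
	}
```

Two consequences of this design are worth weighing before rolling it out to 300 sites. First, every replica carries every principal's long-term keys; they are encrypted under the master key, but each KDC must hold that key to serve tickets, so a compromised site LDAP server plus its KDC is a compromise of the whole realm, not just that site. Second, ticket issuance survives a WAN outage but password changes and principal administration do not, since those are exactly the operations the central server is the only one allowed to perform.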