Recommendations for Mixing Windows and non-Windows Domains? - Kerberos


  1. Recommendations for Mixing Windows and non-Windows Domains?

    If you run a Windows Domain and you also use BIND and MIT (or
    Heimdal) for DNS/Kerberos then you must have a strategy for
    preventing them from stepping on each other. Can I ask people for
    thumbnails of how you-all do that? What raw services are handled by
    which servers? Are there "magic" settings on the clients that make
    it work?

    Significant services (which may need duplication or conflict
    resolution between Unix and AD):

    Forward DNS -- I suspect you serve separate DNS domains from BIND
    vice AD servers
    Reverse DNS -- Which platform gets which IP numbers, i.e. do you mix
    or segregate them?
    DHCP -- 1 or 2 DHCP services, provided by which? Does DHCP care
    about platform?
    DynDNS -- How is this integrated with DHCP (plus the above question).
    Kerberos -- krb5.conf or DNS SRV?
    Cross-realm -- Set up? Server-side referrals implemented (outside
    the DC that is)?

    Client configuration questions:

    advertised DNS servers -- BIND, DC, mix, pre-configured or DHCP
    supplied?
    cross-realm -- [domain_realm] section or DNS records maintained?

    I'm just listing the things that I can think of. Please tell me what
    I haven't thought of!

    If you want to reply privately, I will try to summarize to the list.
    ------------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

  2. Re: Recommendations for Mixing Windows and non-Windows Domains?

    In article ,
    Henry B. Hotz wrote:
    >Significant services (which may need duplication or conflict
    >resolution between Unix and AD):

    In general, we (MIT CSAIL) pretty much ignore Windows DNS. The DCs
    run it, because AD requires it, but we don't consider it
    authoritative. All users have Kerberos principals in the
    CSAIL.MIT.EDU realm, which has one-way cross-realm (because of the DES
    issue) into the AD realm. User accounts in AD have completely random
    passwords and are created to grant username@CSAIL.MIT.EDU (and
    sometimes username@ATHENA.MIT.EDU if the user needs it for business
    reasons) login access to the AD account. We distribute a .reg file
    for workstation users to run prior to joining the domain which creates
    the right registry entries for users to log in directly to the
    CSAIL.MIT.EDU realm, and domain member workstations handle this
    correctly. No services that matter to non-Windows machines run on
    Windows, so their service principals are in the CSAIL.MIT.EDU realm.

    >Forward DNS -- I suspect you serve separate DNS domains from BIND
    >vice AD servers

    Correct. The real DNS (driven from our WebDNS application and its
    database) is authoritative. Windows DNS is just there to make Windows
    happy.

    >Reverse DNS -- Which platform gets which IP numbers, i.e. do you mix
    >or segregate them?

    IP addresses are assigned first-fit per subnet. Subnets are a
    combination of geographically- and function-based assignment.

    >DHCP -- 1 or 2 DHCP services, provided by which? Does DHCP care
    >about platform?

    We don't use Windows DHCP.

    >DynDNS -- How is this integrated with DHCP (plus the above question).

    We don't support dynamic DNS at all, and tell all Windows users to
    uncheck that option in their settings. (I don't know if the AD group
    policy enforces this.)

    >Kerberos -- krb5.conf or DNS SRV?

    We support both. Windows machines are using the registry, of course.
    (We do distribute a custom krb5.conf with our customized package of
    KfW/NIM.)

    >advertised DNS servers -- BIND, DC, mix, pre-configured or DHCP
    >supplied?

    We want people to use our name servers, but I have no idea whether AD
    member workstations actually do. (The NS records are set up
    appropriately so AD names can be looked up.) Non-AD-member Windows
    machines definitely do. We tell all users to use DHCP.

    >cross-realm -- [domain_realm] section or DNS records maintained?

    Again, we do both (for the limited selection of realms we support
    cross-realm with -- this is really only necessary for the
    ATHENA.MIT.EDU realm).

    -GAWollman
    --
    Garrett A. Wollman | The real tragedy of human existence is not that we are
    wollman@csail.mit.edu| nasty by nature, but that a cruel structural asymmetry
    Opinions not those | grants to rare events of meanness such power to shape
    of MIT or CSAIL. | our history. - S.J. Gould, Ten Thousand Acts of Kindness
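    The two questions the thread keeps returning to, "krb5.conf or DNS SRV?" and
    "[domain_realm] section or DNS records?", come down to the order in which an
    MIT-style client consults its profile and DNS. The following is an added
    example, not code from either poster or from MIT krb5: it implements the
    host-to-realm and realm-to-KDC lookups in simplified form (exact host entry,
    then dot-prefixed parent domains, then a `_kerberos` TXT record; `kdc =`
    lines, then `_kerberos._udp` SRV records). All hostnames, realms and DNS
    answers are hypothetical and constructed inline so it runs offline. It also
    shows the case Wollman's last paragraph describes: a host whose name sits in
    the AD DNS domain but whose service principal lives in the non-Windows realm
    needs an exact-host [domain_realm] entry, because the `.ad.` suffix rule
    would otherwise send clients to the AD KDCs.

    ```python
    """Host -> realm and realm -> KDC resolution in the style of an MIT krb5
    client: profile ([domain_realm], [realms]) first, DNS (_kerberos TXT,
    _kerberos._udp SRV) as fallback.  Added example with hypothetical names."""

    from typing import Any, Dict, List, Optional, Tuple

    TRUE_VALUES = ("true", "yes", "1")

    # Constructed krb5.conf excerpt (hypothetical realms and hosts).  The exact
    # entry for nfs.ad.example.edu pins a host that lives in AD's DNS domain but
    # whose service principal is in the non-Windows realm.
    KRB5_CONF = """
    [libdefaults]
        default_realm = EXAMPLE.EDU
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        EXAMPLE.EDU = {
            kdc = kdc1.example.edu
            kdc = kdc2.example.edu:88
            admin_server = kdc1.example.edu
        }

    [domain_realm]
        example.edu = EXAMPLE.EDU
        .example.edu = EXAMPLE.EDU
        .ad.example.edu = AD.EXAMPLE.EDU
        nfs.ad.example.edu = EXAMPLE.EDU
    """

    # Constructed stand-in for DNS answers (hypothetical).  TXT _kerberos.<domain>
    # names a realm; SRV tuples are (priority, weight, port, target) per RFC 2782.
    DNS: Dict[str, Dict[str, Any]] = {
        "TXT": {"_kerberos.win.example.net": ["AD.EXAMPLE.EDU"]},
        "SRV": {"_kerberos._udp.ad.example.edu": [
            (10, 50, 88, "dc2.ad.example.edu"),
            (0, 100, 88, "dc1.ad.example.edu"),
        ]},
    }


    def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
        """Minimal krb5.conf parser: [section] headers, 'key = value' lines, and
        one level of 'key = { ... }' blocks.  Repeated keys (several 'kdc =')
        are collected into a list."""
        conf: Dict[str, Dict[str, Any]] = {}
        section: Optional[str] = None
        block_key: Optional[str] = None
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or section is None and not line.startswith("["):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                conf.setdefault(section, {})
                continue
            if line == "}":
                block_key = None
                continue
            key, _, value = (p.strip() for p in line.partition("="))
            target = conf[section]
            if value == "{":
                block_key = key
                target[key] = {}
                continue
            if block_key is not None:
                target = target[block_key]
            if key in target:
                old = target[key]
                target[key] = old + [value] if isinstance(old, list) else [old, value]
            else:
                target[key] = value
        return conf


    def host_realm(host: str, conf: Dict[str, Any], dns: Dict[str, Any]) -> Optional[str]:
        """Realm for a host: exact [domain_realm] entry, then each parent domain
        written with a leading dot, then _kerberos TXT records if dns_lookup_realm
        is on.  Returns None when nothing matches (the real library would then
        fall back to referrals / default_realm)."""
        host = host.rstrip(".").lower()
        mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
        if host in mapping:                      # exact host wins over suffixes
            return mapping[host]
        labels = host.split(".")
        for i in range(1, len(labels)):          # .b.c.d, .c.d, .d
            suffix = "." + ".".join(labels[i:])
            if suffix in mapping:
                return mapping[suffix]
        if conf.get("libdefaults", {}).get("dns_lookup_realm", "false").lower() in TRUE_VALUES:
            for i in range(len(labels)):         # _kerberos.a.b.c.d, _kerberos.b.c.d, ...
                txt = dns.get("TXT", {}).get("_kerberos." + ".".join(labels[i:]))
                if txt:
                    return txt[0]
        return None


    def kdcs_for_realm(realm: str, conf: Dict[str, Any], dns: Dict[str, Any]) -> List[Tuple[str, int]]:
        """KDCs for a realm: 'kdc =' lines from [realms] if present, else
        _kerberos._udp SRV records when dns_lookup_kdc is on.  SRV order is
        simplified to lowest priority then highest weight (the library picks
        randomly by weight within a priority and also tries _tcp)."""
        kdcs = conf.get("realms", {}).get(realm, {}).get("kdc")
        if kdcs:
            out = []
            for entry in ([kdcs] if isinstance(kdcs, str) else kdcs):
                host, _, port = entry.partition(":")
                out.append((host, int(port or 88)))
            return out
        if conf.get("libdefaults", {}).get("dns_lookup_kdc", "false").lower() in TRUE_VALUES:
            records = dns.get("SRV", {}).get("_kerberos._udp." + realm.lower(), [])
            ordered = sorted(records, key=lambda r: (r[0], -r[1]))
            return [(target, port) for _prio, _weight, port, target in ordered]
        return []


    if __name__ == "__main__":
        cfg = parse_krb5_conf(KRB5_CONF)
        for h in ("kdc1.example.edu", "dc1.ad.example.edu", "nfs.ad.example.edu",
                  "printer.win.example.net", "box.other.test"):
            r = host_realm(h, cfg, DNS)
            print(f"{h:26} -> {r} {kdcs_for_realm(r, cfg, DNS) if r else ''}")
    ```

    Running it shows `nfs.ad.example.edu` resolving to `EXAMPLE.EDU` while its
    neighbour `dc1.ad.example.edu` resolves to `AD.EXAMPLE.EDU` and gets its KDCs
    from SRV records rather than from the profile. A Windows domain member does
    the same mapping from the registry (what `ksetup` or a distributed `.reg`
    file writes), not from krb5.conf.
    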
