Can Kerberos be set up in a *nix environment such that authentication happens against an LDAP store other than AD but still trust the AD domain? The use case is that we have AD in use, there's no Kerberos for *nix, and we don't want to register *nix hosts and services in AD but allow sign-on for users authenticated by AD into hosts and services local to *nix. There is a separate LDAP store where all of the users registered in AD are also registered, in addition to a number of users not in AD. The passwords are synchronized, but we don't want to touch the AD infrastructure.

Thanks.

PerennialN00b

1 Answer

Historically, users have been maintained in two locations. Human users are present in AD and synced (including password) to another LDAP store. That store also has non-human IDs as well as non-employee human IDs which are not synced back to AD. Therefore I want it so that if you authenticated against AD, I would allow you seamless login to your Linux hosts, but AD wouldn't know about those Linux hosts or services.

PerennialN00b