Re: Recommendations for Mixing Windows and non-Windows Domains?

To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>

Subject: Re: Recommendations for Mixing Windows and non-Windows Domains?

From: "C.J. Adams-Collier" <cjcollier@gmail.com>

Date: Thu, 29 Nov 2007 20:05:01 -0800

Cc: krbdev@mit.edu, kerberos-discuss@opensolaris.org

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; bh=4P4PIdHgaOUwfEeyhZcTn764bXyxP3+6OqWw9edMC7g=; b=dMGPAqu4GWHLiXp1APWGo8A+CUO6kfDQxxxVHxKd2B0UhNihPXduehviRWthWrefbTZMuidjzHJEzNCgiVukqjKHvu6RkSzyaF52NnFZpPlH2ZNVzB4UPl+Rw4FhuLtnvr4OPT6PhvKWzsLZvGB38GI96nMfBjFFBNkI0L+1Nwc=

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=PX6bNORVm1b6l5VPPAmrayhwDNUn00jVXpx/zQ5w7gbZpPcdZYp0EM5F/KBFUJFrBJhdwcJvzEHivzIIR9xmp4y6MAaHbFR28/bjmRTcuHY2KztZB85OOIf1Q/yDKkdji+gruTq8T8tmYM6WmAIrij6mOOJTXPQFoWG3W4VPU04=

In-Reply-To: <C4E38AA4-CA3E-4464-A041-F8AAF0E46522@jpl.nasa.gov>

List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>

List-Help: <mailto:sympa@sics.se?subject=help>

List-Id: <heimdal-discuss.sics.se>

List-Owner: <mailto:heimdal-discuss-request@sics.se>

List-Post: <mailto:heimdal-discuss@sics.se>

List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>

List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>

References: <C4E38AA4-CA3E-4464-A041-F8AAF0E46522@jpl.nasa.gov>

Reply-To: heimdal-discuss@sics.se, "C.J. Adams-Collier" <cjcollier@gmail.com>

On Nov 29, 2007 5:21 PM, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:

I hope the duplication does not offend anyone. I just posted the
following on the kerberos@mit.edu list, but I suspect that many of
you may not actively follow that list.

I would appreciate any data or recommendations you can provide, but
please either respond on that list or directly to me.

Begin forwarded message:
> From: "Henry B. Hotz" < hotz@jpl.nasa.gov>
> Date: November 29, 2007 5:07:06 PM PST
> To: kerberos <kerberos@mit.edu>
> Subject: Recommendations for Mixing Windows and non-Windows Domains?
>
> If you run a Windows Domain and you also use BIND and MIT (or
> Heimdal) for DNS/Kerberos then you must have a strategy for
> preventing them from stepping on each other. Can I ask people for
> thumbnail's of how you-all do that? What raw services are handled
> by which servers? Are there "magic" settings on the clients that
> make it work?
>
> Significant services (which may need duplication or conflict
> resolution between Unix and AD):
>
> Forward DNS -- I suspect you serve separate DNS domains from BIND
> vice AD servers
> Reverse DNS -- Which platform gets which IP numbers, i.e. do you
> mix or segregate them?
> DHCP -- 1 or 2 DHCP services, provided by which? Does DHCP care
> about platform?
> DynDNS -- How is this integrated with DHCP (plus the above question).
> Kerberos -- krb5.conf or DNS SRV?
> Cross-realm -- Set up? Server-side referrals implemented (outside
> the DC that is)?
>
> Client configuration questions:
>
> advertised DNS servers -- BIND, DC, mix, pre-configured or DHCP
> supplied?
> cross-realm -- [domain_realm] section or DNS records maintained?
>
> I'm just listing the things that I can think of. Please tell me
> what I haven't thought of!
>
> If you want to reply privately, I will try to summarize to the list.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu