[Freeipa-devel] Planning for v2: How to deal with kerberos trusts?

Simo Sorce ssorce at redhat.com
Mon Mar 31 14:14:42 UTC 2008


On Sun, 2008-03-30 at 21:26 -0400, Dmitri Pal wrote:
> Great questions but I agree that they are a bit technical.
> The last one, however, is the question about use cases.
> I think that is where we should start.
> I might be wrong but user traveling with his laptop from realm a to 
> realm b is probably the biggest case.
> Any other major ones?

I am not actually interested much in the mobility problem; given
Kerberos trusts are an all or nothing thing (all services of realm-a
will trust all users of realm-b), it is highly unlikely a trust is
created just for a "visiting" laptop.

I am more interested in the cases where someone wants to actually trust
another Realm in its entirety.
Possible use cases are a merger between 2 companies or 2 divisions, each
one with their own IPA realm. Some cases may be about resource
separation (like segregation of machines in a DMZ and use of a 1 way
trust to let users use the resources), although I am not convinced this
is a really good idea to support.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



