kinit to a kdc having a cross-realm trust

Timo Veith tv at
Fri Nov 12 13:39:00 EST 2004

Hello kerberos subscribers,

the following question bothers a colleague of mine and me. We had a 
little argument about this because we need to set up something like it at 
work (Windows and MIT).

Is it possible for a user who is defined in realm ONE.NET to do a kinit 
against the KDC of realm TWO.NET, where he isn't defined, when the two KDCs 
have set up a cross-realm trust between them?

If I try this in a test setup, the KDC of realm TWO.NET says

kinit(v5): Client not found in Kerberos database while getting initial 

As far as I understand the cross-realm mechanism, the thing in question 
isn't possible, because the user of realm ONE.NET has to have a TGT for 
his own realm first. Only then can he get the krbtgt for realm TWO.NET.

Little question aside: Does the user get the krbtgt for the other realm 
from his own KDC (ONE.NET) or does he get it from the foreign KDC 
(TWO.NET)? I would say from his own, but I am not sure.

However, maybe there is some krb5.conf setting (or somewhere else) that 
tells the KDC of realm TWO.NET to ask the KDC of realm ONE.NET for the 

TIA and kind regards,
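Added illustration (not part of Timo's post and not MIT Kerberos code): a toy Python model of the two exchanges the question is about. Each KDC holds the long-term keys of its own principals, a ticket is "sealed" under the service principal's key (an HMAC stands in for the real encryption of the ticket), and the cross-realm trust is the principal krbtgt/TWO.NET@ONE.NET existing in both databases with the same key. The model shows the three things the post asks about: an AS exchange (kinit) sent to the foreign KDC fails with "Client not found", the cross-realm TGT is issued by the user's own KDC, and the foreign KDC only accepts it because it has a copy of that shared key. The principal names timo@ONE.NET and host/srv.two.net@TWO.NET, the class and function names, and the error strings other than the one quoted in the post are assumptions made for this example.

```python
"""Toy model of Kerberos cross-realm trust (added example, not MIT krb5 code)."""
import hashlib
import hmac
import json
import secrets


class KerberosError(Exception):
    pass


def _seal(key, body):
    # Stand-in for encrypting a ticket under the service key: only a holder of
    # that key can verify the ticket, and nobody else can forge one.
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, raw, hashlib.sha256).hexdigest()}


def _check(key, ticket):
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    good = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, ticket["mac"]):
        raise KerberosError("ticket integrity check failed")
    return ticket["body"]


class KDC:
    def __init__(self, realm):
        self.realm = realm
        # principal -> long-term key; a real KDC keeps these in its database
        self.db = {f"krbtgt/{realm}@{realm}": secrets.token_bytes(32)}

    def add_principal(self, name, key=None):
        self.db[name] = key or secrets.token_bytes(32)
        return self.db[name]

    def as_req(self, client):
        """kinit (AS exchange): only principals in THIS realm's database can start here."""
        if client not in self.db:
            raise KerberosError("Client not found in Kerberos database")
        sname = f"krbtgt/{self.realm}@{self.realm}"
        body = {"client": client, "sname": sname, "issuer": self.realm,
                "session": secrets.token_hex(16)}
        return _seal(self.db[sname], body)

    def tgs_req(self, tgt, sname):
        """TGS exchange: verify the presented TGT with the key of its sname, then issue a ticket."""
        tgt_sname = tgt["body"]["sname"]
        if tgt_sname not in self.db:
            raise KerberosError(f"no key for {tgt_sname} in realm {self.realm}")
        presented = _check(self.db[tgt_sname], tgt)
        if sname not in self.db:
            raise KerberosError(f"Server not found in Kerberos database: {sname}")
        body = {"client": presented["client"], "sname": sname, "issuer": self.realm,
                "session": secrets.token_hex(16)}
        return _seal(self.db[sname], body)


def build_realms():
    one, two = KDC("ONE.NET"), KDC("TWO.NET")
    one.add_principal("timo@ONE.NET")                 # assumed user principal
    two.add_principal("host/srv.two.net@TWO.NET")     # assumed service principal
    # The trust itself: krbtgt/TWO.NET@ONE.NET in BOTH databases with the same key.
    shared = secrets.token_bytes(32)
    one.add_principal("krbtgt/TWO.NET@ONE.NET", shared)
    two.add_principal("krbtgt/TWO.NET@ONE.NET", shared)
    return one, two


def kinit_against_foreign_realm(one, two):
    """What the post tried: kinit for a ONE.NET user sent to the TWO.NET KDC."""
    try:
        two.as_req("timo@ONE.NET")
    except KerberosError as e:
        return str(e)
    return None


def cross_realm_service_ticket(one, two):
    """The working path: home TGT -> cross-realm TGT from the HOME KDC -> ticket from TWO.NET."""
    tgt = one.as_req("timo@ONE.NET")                      # kinit in the user's own realm
    xtgt = one.tgs_req(tgt, "krbtgt/TWO.NET@ONE.NET")     # issued by ONE.NET's KDC
    svc = two.tgs_req(xtgt, "host/srv.two.net@TWO.NET")   # TWO.NET verifies with the shared key
    return xtgt["body"]["issuer"], svc["body"]


def home_tgt_is_useless_abroad(one, two):
    """Presenting the ONE.NET-only TGT directly to TWO.NET fails: TWO.NET has no key for it."""
    tgt = one.as_req("timo@ONE.NET")
    try:
        two.tgs_req(tgt, "host/srv.two.net@TWO.NET")
    except KerberosError as e:
        return str(e)
    return None


if __name__ == "__main__":
    one, two = build_realms()
    print(kinit_against_foreign_realm(one, two))
    print(cross_realm_service_ticket(one, two))
    print(home_tgt_is_useless_abroad(one, two))
```

The model deliberately leaves out timestamps, authenticators and the encrypted session-key part of a KDC reply; what it keeps is the key-ownership logic that decides the question: the foreign KDC has no key for the user, so it cannot complete an AS exchange for him, but it does hold the krbtgt/TWO.NET@ONE.NET key, so it can verify a cross-realm TGT that the user's own KDC issued.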


