kinit to a kdc having a cross-realm trust

Douglas E. Engert deengert at
Fri Nov 12 13:57:33 EST 2004

Timo Veith wrote:

> Hello kerberos subscribers,
> the following question bothers a colleague of mine and me. We had a 
> little argument about this because we need to setup something like it at 
> work (Windows and MIT).
> Is it possible to have a user who is defined in realm ONE.NET do a kinit 
> against the KDC of realm TWO.NET where he isn't defined but the two KDCs 
> having set up a cross-realm trust between them?

It does not work like that.  The user authenticates in his own realm and
gets a TGT. When he want to use a server that is the other realm, the libs
use the user's TGT to get a cross realm TGT that is then used to get a
service ticket from the other realm.

> If I try this in a test setup, the KDC of realm TWO.NET says
> kinit(v5): Client not found in Kerberos database while getting initial 
> credentials

> As far as I understood the cross-realm mechanism, the questioned thing 
> isn't possible, because the user of realm ONE.NET has to have a tgt of 
> his own realm first. Only then he can get the krbtgt for realm TWO.COM.


> Little question aside: Does the user get the krbtgt for the other realm 
> from his own KDC (ONE.NET) or does he get it from the foreign KDC 
> (TWO.NET)? I would say from his own, but I am not sure.


> However, maybe there is some krb5.conf setting (or somewhere else) that 
> tells the KDC of realm TWO.NET to ask the KDC of realm ONE.NET for the 
> credentials?
> TIA and kind regards,

Also keep in mind that Kerberos does authentication. Windows uses Kerberos
and add authorization data (PAC) to the Kerberos tickets. This has group
and user information as defined by the user's realm. So if you are doing
cross realm between a Windows domain and a Kerberos realm, Windows servers
expect the PAC, unix servers don't. But there are ways around this a
PAC can be added.

Default principal: doug at ANL.GOV

Valid starting     Expires            Service principal
11/12/04 08:59:53  11/12/04 18:45:45  krbtgt/ANL.GOV at ANL.GOV  (original TGT)
11/12/04 08:59:53  11/12/04 18:45:45  krbtgt/KRB5.ANL.GOV at ANL.GOV (cross realm TGT)
11/12/04 12:50:31  11/12/04 18:45:45  host/ at KRB5.ANL.GOV (service ticket)

> Timo
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list