krb5 vs Windows trust relationships in AD on FC4

Garth T Kidd garthk at gmail.com
Wed Nov 16 01:12:12 EST 2005


G'day. I'm trying to get Apache on Linux 2.6.11-1.1369_FC4smp
authenticating against Windows Server 2003 based Active Directory
infrastructure with trust relationships, and can't quite get it to
work. I've spent a few hours searching the 'net, but so far to no
great avail.

I have two AD domains in separate forests: let's call them lab.au and
users.com. I'm in complete control of lab.au, but not users.com.
lab.au trusts users.com so that our users can log into my lab
infrastructure with their own credentials, and I'd like to extend that
ease of use to my Apache based lab control system.

In krb5.conf I've set entries in [realms] keyed by the lowercase
version of the domain, each with kdc= and admin_server= the
(resolvable) name of the primary KDC. I've also added [domain_realm]
entries for both.

Without a machine account, kinit -V username@LAB.AU works on lab.au
whether [libdefaults] default_realm = LAB.AU or USERS.COM. Watching
the network, I see it resolve _kerberos._udp.LAB.AU and
_kerberos._tcp.LAB.AU, then resolve the server nominated as the kdc in
krb5.conf and, finally, talk to it.

kinit -V username@USERS.COM, however, fails with: "kinit(v5): Cannot
resolve network address for KDC in requested realm while getting
initial credentials". The server looks up the SRV records for
_kerberos._udp.USERS.COM and _kerberos._tcp.USERS.COM, both of which
return ~30 records in nslookup, but doesn't then look up the kdc let
alone talk to it.

I'd like to be able to authenticate username@USERS.COM either directly
or via LAB.AU thanks to the trust relationship. Any ideas?

Regards,
Garth.
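The krb5.conf layout the post describes is worth linting before chasing DNS: realm names in krb5.conf are case-sensitive, and an Active Directory realm is the DNS domain name in upper case, so a [realms] block keyed by "users.com" is never consulted for a request for USERS.COM and the kdc= it names is never used. The script below is an added example, not the poster's file or code: the embedded krb5.conf is a constructed reconstruction of the layout described (lowercase realm keys, kdc= and admin_server= per realm, [domain_realm] entries for both domains) with hypothetical KDC hostnames dc1.lab.au and dc1.users.com, and the parser handles only the syntax that sample uses.

```python
import re

# Constructed sample, not the poster's real file: [realms] keyed by the
# lowercase domain names as the post describes, with hypothetical KDC names.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = LAB.AU
    dns_lookup_kdc = true

[realms]
    lab.au = {
        kdc = dc1.lab.au
        admin_server = dc1.lab.au
    }
    users.com = {
        kdc = dc1.users.com
        admin_server = dc1.users.com
    }

[domain_realm]
    .lab.au = LAB.AU
    lab.au = LAB.AU
    .users.com = USERS.COM
    users.com = USERS.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf profile format.

    Returns {section: {key: [values]}}; inside a 'name = { ... }' block
    (as used in [realms]) the block is a nested dict, and repeated keys
    such as several kdc= lines are all kept. Comments (# and ;) are
    stripped; include/includedir directives are not handled.
    """
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            block = m.group(1)
            sections[section][block] = {}
            continue
        m = re.match(r'^(\S+)\s*=\s*(.+)$', line)
        if m:
            target = sections[section][block] if block else sections[section]
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def find_realm_problems(conf):
    """Return findings about realm names that will never match a request.

    Realm names are case-sensitive and AD realms are upper case, so a
    [realms] key that is not upper case, or a [domain_realm] target or
    default_realm with no matching [realms] block, means libkrb5 has no
    configured KDC for that realm and is left with DNS SRV alone.
    """
    problems = []
    realms = conf.get('realms', {})
    for name in realms:
        if name != name.upper():
            problems.append("[realms] entry %r is not upper case; AD expects %r"
                            % (name, name.upper()))
    for domain, targets in conf.get('domain_realm', {}).items():
        for target in targets:
            if target not in realms:
                problems.append("[domain_realm] maps %r to %r but [realms] has no %r block"
                                % (domain, target, target))
    for default in conf.get('libdefaults', {}).get('default_realm', []):
        if default not in realms:
            problems.append("default_realm %r has no [realms] block" % default)
    return problems


def uppercase_realm_keys(text):
    """Rewrite the [realms] section so every 'name = {' key is upper case."""
    out, in_realms = [], False
    for raw in text.splitlines():
        m = re.match(r'^\s*\[(\w+)\]\s*$', raw)
        if m:
            in_realms = (m.group(1) == 'realms')
        elif in_realms:
            raw = re.sub(r'^(\s*)(\S+)(\s*=\s*\{)',
                         lambda mm: mm.group(1) + mm.group(2).upper() + mm.group(3),
                         raw)
        out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for label, text in (('as described', SAMPLE_KRB5_CONF),
                        ('realm keys upper-cased', uppercase_realm_keys(SAMPLE_KRB5_CONF))):
        probs = find_realm_problems(parse_krb5_conf(text))
        print('%s: %d finding(s)' % (label, len(probs)))
        for p in probs:
            print('  ' + p)
```

Run against the constructed sample, the lint reports the two lowercase realm keys, the four [domain_realm] targets that therefore have no [realms] block, and the unmatched default_realm; after uppercase_realm_keys() it reports nothing. The check says nothing about whether the named KDCs are reachable or about the cross-forest trust itself; it only confirms that the [realms] blocks can be found for the realm names that kinit actually requests.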


