multi domain

Jeffrey Altman jaltman2 at nyc.rr.com
Sat Aug 12 13:09:44 EDT 2006


If you only have one realm then you will only have principals in that
one realm.  What the domain_realm section is telling the client is
that each of your domains belongs to the same realm.  Principals belong
to the realm and not the domain.

   user@A.COMPANY.COM
   host/machine.a.company.com@A.COMPANY.COM
   host/machine.b.company.com@A.COMPANY.COM

Jeffrey Altman


Alex wrote:
> Hi all,
> I have some problems setting up krb5.conf for client authentication.
> I'm working on a multi-domain scenario with several domains like
> A.COMPANY.COM, B.COMPANY.COM, ... and one KDC server (Active Directory)
> that belongs to the A.COMPANY.COM domain.
> So I setup a krb5.conf as follows
> 
> [libdefaults]
>         default_realm = A.COMPANY.COM
> 
> [realms]
>         A.COMPANY.COM = {
>             kdc = kdcserver:88
>         }
> 
> [domain_realm]
>         .a.company.com = A.COMPANY.COM
>         .b.company.com = A.COMPANY.COM
>         a.company.com = A.COMPANY.COM
> 
> Principals that belong to A.COMPANY.COM are authenticated (kinit
> works), others are not.
> For those that are not authenticated, kinit returns a "Client not found in
> Kerberos database" error message, but the user exists in AD.
> Any suggestions on how I can get more information would be appreciated.
> 
> Thanks, 
> Alex
> 
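
The following Python example is an addition to this archived thread, not code from either poster or from any Kerberos library. It parses the krb5.conf quoted above and builds principal names from it, showing that hosts in a.company.com and b.company.com both end up in the single realm A.COMPANY.COM while a user principal takes its realm from default_realm. The function names and the lookup order (exact host name, then progressively shorter domain suffixes) are assumptions of the example.

```python
# krb5.conf as quoted in the original post of this thread.
KRB5_CONF = """
[libdefaults]
        default_realm = A.COMPANY.COM
[realms]
        A.COMPANY.COM = {
            kdc = kdcserver:88
        }
[domain_realm]
        .a.company.com = A.COMPANY.COM
        .b.company.com = A.COMPANY.COM
        a.company.com = A.COMPANY.COM
"""

def parse_sections(text):
    """Return {section: {key: value}}, skipping nested { } blocks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current, depth = sections.setdefault(line[1:-1], {}), 0
        elif line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif "=" in line and depth == 0 and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def host_realm(conf, hostname):
    """Try the exact host name, then progressively shorter domain suffixes."""
    mapping = conf.get("domain_realm", {})
    name = hostname.lower().rstrip(".")
    while name:
        if name in mapping:
            return mapping[name]
        if name.startswith("."):
            name = name[1:]        # ".b.company.com" -> "b.company.com"
        else:
            name = name[name.find("."):] if "." in name else ""
    return None  # no [domain_realm] entry covers this host

def user_principal(conf, user):
    # A user principal takes its realm from the config, not from a DNS domain.
    return f"{user}@{conf['libdefaults']['default_realm']}"

def host_principal(conf, hostname):
    realm = host_realm(conf, hostname)
    return f"host/{hostname.lower()}@{realm}" if realm else None
```
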


