Joining a multiple realm AD environment

Chris Penney penney at
Fri May 11 10:19:24 EDT 2007


At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM,
etc.) that all trust each other.  There are users setup in each realm
that need to access the Linux systems I maintain.  Today, we have a
completely independent realm (with our own principle for each user)
that I want to do away with and just join the AD structure (ie. be
assimilated ;) ).

I have proven that with krb5-1.5.3 I can set my default realm to
LOC1.DOM.COM and effectively login (my account is in LOC1).  Users
from other realms cannot.  I'm curious what I need to do to make this
work.  We have SRV records setup for kdc lookup.  I have not yet
created a computer account for the system.  In /etc/krb5.conf I have:

    default_realm = LOC1.DOM.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

    LOC1.DOM.COM = {
        auth_to_local = RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//
        auth_to_local = DEFAULT
    LOC2.DOM.COM = {
        auth_to_local = RULE:[1:$1@$0](.*@LOC1\.DOM\.COM)s/@.*//
        auth_to_local = DEFAULT

This doesn't seem to work.  Using 'tcpdump port kerberos' when a user
in LOC2 logs in I only see LOC1 being queried.  I'm curious if I'm
doing something wrong or if I simply need to get a computer account
created for the box before trusts work.  I was hopeing to not approach
the AD staff until I was more or less certain I knew what needed to be



More information about the Kerberos mailing list