Joining a multiple realm AD environment

Chris Penney penney at
Wed May 16 22:28:55 EDT 2007

On 5/11/07, Chris Penney <penney at> wrote:
> Hello,
> At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM,
> etc.) that all trust each other.  There are users set up in each realm
> that need to access the Linux systems I maintain.  Today, we have a
> completely independent realm (with our own principal for each user)
> that I want to do away with and just join the AD structure (i.e. be
> assimilated ;) ).
> I have proven that with krb5-1.5.3 I can set my default realm to
> LOC1.DOM.COM and effectively login (my account is in LOC1).  Users
> from other realms cannot.  I'm curious what I need to do to make this
> work.  We have SRV records set up for kdc lookup.  I have not yet
> created a computer account for the system.  In /etc/krb5.conf I have:
> [libdefaults]
>     default_realm = LOC1.DOM.COM
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     forwardable = true
> [realms]
>     LOC1.DOM.COM = {
>         auth_to_local = RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//
>         auth_to_local = DEFAULT
>     }
>     LOC2.DOM.COM = {
>         auth_to_local = RULE:[1:$1@$0](.*@LOC1\.DOM\.COM)s/@.*//
>         auth_to_local = DEFAULT
>     }
> This doesn't seem to work.  Using 'tcpdump port kerberos' when a user
> in LOC2 logs in I only see LOC1 being queried.  I'm curious if I'm
> doing something wrong or if I simply need to get a computer account
> created for the box before trusts work.  I was hoping to not approach
> the AD staff until I was more or less certain I knew what needed to be
> done.

Any comments on this or would anyone have any idea where I can go to
perhaps find a solution to this?
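The auth_to_local rules in the quoted krb5.conf can be checked offline. The Python below is an added example, not code from the original post or from MIT krb5; it reimplements the documented RULE/DEFAULT semantics of MIT's auth_to_local (a `RULE:[n:fmt](regexp)s/pat/rep/` entry applies only to principals with n components, the formatted selection string must match the regexp in full, and DEFAULT only maps single-component principals in the default realm) and runs the posted LOC1.DOM.COM rules over constructed sample principals. Two caveats worth knowing: MIT krb5 reads auth_to_local from the [realms] entry of the host's default realm, so the rules under LOC2.DOM.COM in the quoted config are never consulted; and these rules run only after a ticket has been verified, so they do not affect which KDC is queried at login. The LOOSE_RULES set is included to show why the regexp filter matters: without it, `s/@.*//` maps a principal from any realm onto a local account name.

```python
"""
Offline evaluator for MIT krb5 auth_to_local RULE/DEFAULT entries.

Added example, not from the original post.  The sample principals and
the LOOSE_RULES set are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

Subst = Tuple[str, str, bool]  # (pattern, replacement, global flag)


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, leaving backslash-escaped separators alone."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]
            i += 2
            continue
        if s[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    parts.append(cur)
    return parts


def parse_rule(rule: str) -> Tuple[int, str, Optional[str], Optional[Subst]]:
    """Parse 'RULE:[n:fmt](regexp)s/pat/rep/[g]' into its four pieces."""
    if not rule.startswith("RULE:["):
        raise ValueError(f"not a RULE entry: {rule}")
    close = rule.index("]", 6)
    ncomp, fmt = rule[6:close].split(":", 1)
    rest = rule[close + 1:]
    regexp = None
    if rest.startswith("("):
        # The closing paren is the one followed by the substitution or end.
        end = next(i for i in range(1, len(rest))
                   if rest[i] == ")" and (rest[i + 1:] == ""
                                          or rest[i + 1:].startswith("s/")))
        regexp, rest = rest[1:end], rest[end + 1:]
    subst = None
    if rest:
        parts = _split_unescaped(rest, "/")
        if parts[0] != "s" or len(parts) != 4:
            raise ValueError(f"bad substitution in rule: {rule}")
        subst = (parts[1], parts[2], parts[3] == "g")
    return int(ncomp), fmt, regexp, subst


def apply_rule(principal: str, rule: str) -> Optional[str]:
    """Return the local name the rule yields for principal, or None."""
    ncomp, fmt, regexp, subst = parse_rule(rule)
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != ncomp:
        return None
    # $0 is the realm, $1..$n are the principal components.
    sel = re.sub(r"\$(\d+)",
                 lambda m: realm if m.group(1) == "0"
                 else comps[int(m.group(1)) - 1], fmt)
    if regexp is not None and re.fullmatch(regexp, sel) is None:
        return None
    if subst is not None:
        pat, rep, glob = subst
        sel = re.sub(pat, rep, sel, count=0 if glob else 1)
    return sel


def map_principal(principal: str, rules: List[str],
                  default_realm: str) -> Optional[str]:
    """First matching rule wins; None means the principal is unmapped."""
    name, realm = principal.rsplit("@", 1)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and "/" not in name:
                return name
            continue
        out = apply_rule(principal, rule)
        if out is not None:
            return out
    return None


# Rules as posted for LOC1.DOM.COM (the default realm on the host).
POSTED_RULES = [r"RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//", "DEFAULT"]
# Constructed variant without the realm filter: maps anyone from anywhere.
LOOSE_RULES = [r"RULE:[1:$1@$0]s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    for p in ("bob@LOC2.DOM.COM", "alice@LOC1.DOM.COM",
              "host/box.loc1.dom.com@LOC1.DOM.COM", "eve@EVIL.COM"):
        print(f"{p:40} posted -> {map_principal(p, POSTED_RULES, 'LOC1.DOM.COM')!r:10}"
              f" loose -> {map_principal(p, LOOSE_RULES, 'LOC1.DOM.COM')!r}")
```

Running it shows bob@LOC2.DOM.COM mapping to `bob` and alice@LOC1.DOM.COM to `alice` under the posted rules, while the host principal and eve@EVIL.COM stay unmapped; under LOOSE_RULES eve@EVIL.COM becomes the local user `eve`, which is the trap to avoid when adding further trusted realms.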



