Joining a multiple realm AD environment

Douglas E. Engert deengert at
Thu May 17 13:46:53 EDT 2007

Chris Penney wrote:
> On 5/11/07, Chris Penney <penney at> wrote:
>> Hello,
>> At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM,
>> etc.) that all trust each other.  There are users setup in each realm
>> that need to access the Linux systems I maintain.  Today, we have a
>> completely independent realm (with our own principal for each user)
>> that I want to do away with and just join the AD structure (ie. be
>> assimilated ;) ).
>> I have proven that with krb5-1.5.3 I can set my default realm to
>> LOC1.DOM.COM and effectively login (my account is in LOC1).  Users
>> from other realms cannot.  I'm curious what I need to do to make this
>> work.  We have SRV records setup for kdc lookup.  I have not yet
>> created a computer account for the system.  In /etc/krb5.conf I have:
>> [libdefaults]
>>     default_realm = LOC1.DOM.COM
>>     dns_lookup_kdc = true
>>     dns_lookup_realm = false
>>     forwardable = true
>> [realms]
>>     LOC1.DOM.COM = {
>>         auth_to_local = RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//
>>         auth_to_local = DEFAULT
>>     }
>>     LOC2.DOM.COM = {
>>         auth_to_local = RULE:[1:$1@$0](.*@LOC1\.DOM\.COM)s/@.*//
>>         auth_to_local = DEFAULT
>>     }
>> This doesn't seem to work.  Using 'tcpdump port kerberos' when a user
>> in LOC2 logs in I only see LOC1 being queried.  I'm curious if I'm
>> doing something wrong or if I simply need to get a computer account
>> created for the box before trusts work.  I was hoping to not approach
>> the AD staff until I was more or less certain I knew what needed to be
>> done.
> Any comments on this or would anyone have any idea where I can go to
> perhaps find a solution to this?

When you say "login" what do you mean?

Does the user give the full principal name?
Without the @realm, the Krb5 lib will assume the user is in the
default_realm which looks like what you are seeing.

Is pam_krb5 involved?  Can you add the debug option to pam_krb5
lines in pam.conf?

Whose pam_krb5?  Russ Allbery's has some extra options that might
try both realms.

The computer is normally only in one realm. If the user is in one realm,
and the computer in another, then the two realms have to have
cross realm setup. Are your two ADs set up with a trust relationship?

> Thanks!
>    Chris


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
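
Added example (not part of the original thread, and not MIT krb5 code): a simplified Python model of the two steps discussed above, namely how a name typed without @realm falls into default_realm, and how the auth_to_local values quoted for the LOC1.DOM.COM stanza map an already-authenticated principal to a local account. The function names are hypothetical, and Python's re module stands in for the POSIX regular expressions the real library uses.

```python
import re

DEFAULT_REALM = "LOC1.DOM.COM"  # default_realm from the quoted krb5.conf
# auth_to_local values of the quoted LOC1.DOM.COM stanza, in order
RULES = [r"RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//", "DEFAULT"]

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?((?:s/[^/]*/[^/]*/g?)*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def parse_principal(name, default_realm=DEFAULT_REALM):
    """Split 'comp1/comp2@REALM'; a name with no @realm gets the default realm."""
    princ, sep, realm = name.partition("@")
    return princ.split("/"), (realm if sep else default_realm)


def apply_rule(rule, comps, realm, default_realm=DEFAULT_REALM):
    """Return the local name one auth_to_local value yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals in the default realm
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regexp, seds = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != n:
        return None  # rule is written for a different number of components
    # $0 is the realm, $1..$n are the components
    s = re.sub(r"\$(\d)", lambda d: ([realm] + comps)[int(d.group(1))], fmt)
    if regexp is not None and re.fullmatch(regexp, s) is None:
        return None  # the selection regexp has to match the whole string
    for pat, repl, g in SED_RE.findall(seds):
        s = re.sub(pat, repl, s, count=0 if g else 1)
    return s


def local_user(name, rules=RULES):
    """First applicable rule wins; None means no local account mapping."""
    comps, realm = parse_principal(name)
    for rule in rules:
        user = apply_rule(rule, comps, realm)
        if user is not None:
            return user
    return None
```

The mapping only runs on a principal that has already been authenticated; it has no influence on which realm's KDC is contacted for a name entered without a realm.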
