Joining a multiple realm AD environment

Douglas E. Engert deengert at
Fri May 18 16:58:46 EDT 2007

Chris Penney wrote:
> On 5/17/07, Douglas E. Engert <deengert at> wrote:
>> Whose pam_krb5?   Russ Allbery's has some extra options that might
>> try both realms.
> On 5/17/07, Markus Moeller <huaraz at> wrote:
>> You need entries like (assuming that users are unique over both domains
>> and you have more users in LOC1.DOM.COM)
>> other auth sufficient  pam_krb5 REALM=LOC1.DOM.COM
>> other auth sufficient  pam_krb5 REALM=LOC2.DOM.COM

Note that the LOC1.DOM.COM AD logs may show a lot of failures
for missing users or bad passwords, and may lock a user account.

> Ah!  I see.  I used the pam_krb5 that Douglas noted and the pam config
> lines you noted and it works basically as intended.
> Do you still have to do this even if you add the system to AD via a
> "User" account?

Microsoft used a misleading term when they said to add the machine as
a "user".  You are adding a service principal for the machine into a
realm. With AD that also means it needs an account, which looks like
a "user" account, but in Kerberos terms has nothing to do with the user.

So each user must be registered with a principal (and AD account), and
each service must be registered with a principal (and its own AD account).

If you have cross realm setup then each user only needs to be in one realm,
and each service only needs to be in one realm.

You did not indicate that you have cross realm set up, i.e. that the ADs have
some cross domain trust.  But if it works as intended, then it must.
A klist would show an extra TGT like krbtgt/LOC1.DOM.COM@LOC2.DOM.COM

> Thanks!
>     Chris


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
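As an added example (not part of the thread above), a small check for the point Doug makes about klist: parse MIT-style klist output and report any cross-realm TGT of the form krbtgt/A@B with A != B, which is the evidence that a cross domain trust is actually in use. The klist text below is constructed for the example; the principal and realm names are assumed.

```python
"""Parse MIT-style `klist` output and detect cross-realm TGTs (krbtgt/A@B, A != B)."""

# Constructed sample klist output; names and realms are assumptions for the example.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: chris@LOC2.DOM.COM

Valid starting       Expires              Service principal
05/18/07 16:00:00  05/19/07 02:00:00  krbtgt/LOC2.DOM.COM@LOC2.DOM.COM
05/18/07 16:00:01  05/19/07 02:00:00  krbtgt/LOC1.DOM.COM@LOC2.DOM.COM
05/18/07 16:00:02  05/19/07 02:00:00  host/fs1.loc1.dom.com@LOC1.DOM.COM
"""


def parse_klist(text):
    """Return (default principal, list of service principals) from klist output."""
    default, services, in_table = None, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        elif line.startswith("Valid starting"):
            in_table = True          # header of the ticket table; rows follow
        elif in_table and line:
            services.append(line.split()[-1])   # principal is the last column
    return default, services


def realm_of(principal):
    """Realm part of name@REALM (the realm that issued the ticket)."""
    return principal.rsplit("@", 1)[1]


def cross_realm_tgts(services):
    """krbtgt/A@B with A != B: a TGT issued by realm B that is good for realm A."""
    found = []
    for svc in services:
        name, realm = svc.rsplit("@", 1)
        if name.startswith("krbtgt/") and name[len("krbtgt/"):] != realm:
            found.append(svc)
    return found


def foreign_realms(default_principal, services):
    """Realms other than the user's home realm for which tickets are held."""
    home = realm_of(default_principal)
    return sorted({realm_of(s) for s in services} - {home})


def has_cross_realm_path(text, target_realm):
    """True if the cache holds a TGT for target_realm issued by the home realm."""
    default, services = parse_klist(text)
    return f"krbtgt/{target_realm}@{realm_of(default)}" in services
```

Heimdal's klist uses different header lines, so the parser above would need its "Principal:" and "Issued" headers instead.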
