Joining a multiple realm AD environment

Douglas E. Engert deengert at
Sun May 20 20:59:07 EDT 2007

Chris Penney wrote:
> On 5/18/07, Douglas E. Engert <deengert at> wrote:
>> Chris Penney wrote:
>>> Ah!  I see.  I used the pam_krb5 that Douglas noted and the pam config
>>> lines you noted and it works basically as intended.
>>> Do you still have to do this even if you add the system to AD via a
>>> "User" account?
>> Microsoft used a misleading term when they said to add the machine as
>> a "user".  You are adding a service principal for the machine into a
>> realm. With AD that also means it needs an account, which looks like
>> a "user" account, but in Kerberos terms has nothing to do with the user.
>> So each user must be registered with a principal (and AD account), and
>> each service must be registered with a principal (and its own AD account).
>> If you have cross realm setup then each user only needs to be in one realm,
>> and each service only needs to be in one realm.
>> You did not indicate that you have cross realm set up, i.e. the ADs have
>> some cross domain trust.  But if it works as intended, then it must.
>> A klist would show an extra TGT like krbtgt/LOC1.DOM.COM@LOC2.DOM.COM
> Yes, LOC1 and LOC2 trust each other, though I'm not clear that I'm
> leveraging that.  When I say working as intended it's probably
> incorrect.  I just mean that if I have an entry in the pam config file
> for each realm all users can login simply because pam tries user@LOC1
> then user@LOC2, etc.
> Is this a normal way of handling this?

Don't know, depends on your site. But as I said, if it does try both
the first AD might get a lot of error messages in its logs. Better talk
to your AD admins.

> Is setting up .k5login with
> user@LOCx the best way to avoid iterating through all the realms?

Read the PAM man pages. It may or may not look at the .k5login during
authentication. The .k5login is normally only used during authorization
after authentication succeeded.

Can your PAM accept user@realm? Can it prompt for a realm, or a user@realm
in addition to prompting for user and password?

>     Chris


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
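Douglas's point that a klist would show an extra krbtgt/LOC1.DOM.COM@LOC2.DOM.COM entry can be turned into a quick check of whether the cross-realm trust is actually being used. The following shell example is added here and is not from the thread; the klist output it parses is constructed sample data in MIT format, and the realm names LOC1.DOM.COM and LOC2.DOM.COM are taken from the discussion.

```shell
#!/bin/sh
# Added example: find cross-realm TGTs and foreign service tickets in
# `klist` output. A TGT line ends in krbtgt/TARGET@ISSUER: TARGET is the
# realm the ticket is for, ISSUER is the realm whose KDC issued it. When
# they differ, a cross-realm (cross domain trust) referral was used.

# Constructed sample of MIT `klist` output, not captured from a real host.
# The user lives in LOC1 and reached a host in LOC2 via the trust.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@LOC1.DOM.COM

Valid starting       Expires              Service principal
05/20/07 20:00:00  05/21/07 06:00:00  krbtgt/LOC1.DOM.COM@LOC1.DOM.COM
05/20/07 20:00:05  05/21/07 06:00:00  krbtgt/LOC2.DOM.COM@LOC1.DOM.COM
05/20/07 20:00:06  05/21/07 06:00:00  host/fileserver.loc2.dom.com@LOC2.DOM.COM'

# Print every krbtgt entry whose target realm differs from its issuing
# realm. Only ticket rows (first field is a date) are considered, so the
# "Default principal:" header line is ignored. Reads klist output on stdin.
cross_realm_tgts() {
    awk '
        $1 ~ /^[0-9]/ && $NF ~ /^krbtgt\// {
            split($NF, a, "@")           # a[1]=krbtgt/TARGET  a[2]=ISSUER
            sub(/^krbtgt\//, "", a[1])
            if (a[1] != a[2]) print $NF
        }'
}

# Print service tickets (non-krbtgt) issued by a realm other than the
# realm of the default principal: these are the services the user reached
# through the trust without a second password prompt.
foreign_service_tickets() {
    awk '
        /^Default principal:/ { split($NF, d, "@"); home = d[2] }
        $1 ~ /^[0-9]/ && $NF !~ /^krbtgt\// {
            split($NF, a, "@")
            if (a[2] != home) print $NF
        }'
}

# Stand-alone run over the constructed sample; on a real host replace the
# printf with plain `klist |`.
printf '%s\n' "$SAMPLE_KLIST" | cross_realm_tgts
printf '%s\n' "$SAMPLE_KLIST" | foreign_service_tickets
```

If cross_realm_tgts prints nothing while logins still succeed, PAM is most likely authenticating against each realm in turn rather than using the trust, which is exactly the case that fills the first AD's logs with failures.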
