Multiple realms in one krb5.conf

Douglas E. Engert deengert at
Mon Dec 15 11:52:29 EST 2008

James Chavez wrote:
> Hello list,
> I have a question that I need assistance with.
> I have a Windows 2003 AD setup.
> The forest consists of 3 domains. 
> So we will say the name is 
> and there are 3 domains.
> Is it possible to configure the krb5.conf on a station so that kerberos
> can service login requests for each of the 3 domains?

Maybe, but it is not clear what you mean.

> Is this as simple as adding an entry for each realm in the realms
> section of the krb5.conf file?

That is part of it, although DNS could be used to find the realms.

You say logins, so I am assuming that the station is Unix based.
Login would use PAM with a pam_krb5, and the station above will
need to have a principal in one of the realms and a keytab
to match.

But if a user is in one AD domain and the server is in a different
AD domain, this would be cross realm and the pam_krb5 would have
to do some additional checks.

Kerberos only does authentication; you still need to authorize
the user to log in.

Start here, as this gives the basic concepts:

> Thank you
> James


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
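
Added example, not part of the original message: a small check of how each realm's KDCs would be found, either from explicit entries in the [realms] section or from DNS when a realm has no entry. The realm and host names are placeholders (the thread does not give the real ones), and treating dns_lookup_kdc as enabled when it is absent is an assumption about MIT krb5 defaults.

```python
import re

# Constructed sample: placeholder names; a third realm is deliberately not listed.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        kdc = dc2.corp.example.com
    }
    EU.CORP.EXAMPLE.COM = {
        kdc = dc1.eu.corp.example.com
    }
"""

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms = {}, {}
    section, current_realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, current_realm = m.group(1), None
        elif line == "}":                      # end of a realm block
            current_realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                current_realm = key
                realms[key] = []
            elif section == "realms" and current_realm and key == "kdc":
                realms[current_realm].append(value)
    return libdefaults, realms

def kdc_sources(text, wanted_realms):
    """Map each wanted realm to 'static', 'dns' or 'unresolvable'."""
    libdefaults, realms = parse_krb5_conf(text)
    # Assumption: an absent dns_lookup_kdc is treated as enabled.
    flag = libdefaults.get("dns_lookup_kdc", "true").lower()
    dns = flag in ("true", "yes", "y", "t", "1", "on")
    return {r: "static" if realms.get(r) else ("dns" if dns else "unresolvable")
            for r in wanted_realms}
```

A realm reported as "unresolvable" needs either its own block in [realms] or DNS lookups turned on before logins for that realm can reach a KDC.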
