Kerberos cross-realm with AD

Brian Candler B.Candler at pobox.com
Tue Feb 8 05:08:31 EST 2011


On Tue, Feb 08, 2011 at 04:49:06PM +1100, Jean-Yves Avenard wrote:
> [realms]
>  M.DOMAIN.COM = {
>   kdc = m.domain.com
>   admin_server = m.domain.com
>   default_domain = m.domain.com
>  }
> 
>  MEL.DOMAIN.COM = {
>   kdc = ad.domain.com
>   admin_server = ad.domain.com
>   default_domain = ad.domain.com
>   auth_to_local = RULE:[1:$1@$0](.*@.*DOMAIN\.COM$)s/@.*//
>  }
> 
> from what I could read in the documentation, but this still doesn't work.

As I understand it, you need the auth_to_local rule(s) under M.DOMAIN.COM
(the server's realm), not the client realm.



More information about the Kerberos mailing list