Cross-Realm Auth Requirements for two ADs and one Linux-Kerberos

Tobias Hadem info at
Sat Nov 9 19:47:48 EST 2013


I am having a hard time trying to get a Cross-Realm-Auth between two
Active-Directories working and using that on another Linux-based
Webserver via mod_auth_kerb.

I only have direct access to the Webserver, so I am not 100% sure
everything is set up correctly on the two ADs. AFAIK there is a one-way
non-transitive trust between the two ADs and according to the AD-Admins
that should be enough to get Kerberos-Tickets for the other Domain.

Is that right?

I configured mod_auth_kerb like I did for a single-Domain-AD, just
configured all the needed KrbAuthRealms in the config-file.

In my mind that is all I need, as the request gets picked up by my KDC
and then gets forwarded to the corresponding KDC in the other realm
which responds to the ticket-request.

For now the Kerberos-Auth for my main Domain, where my KDC sits, is
working without any problem. When connecting from a client in the
"opposite" domain I only have a /user/password mismatch" in my
I know that's very vague and hard to debug, as I only have control over
one piece of the puzzle. Sorry for that ;-)

Any hints or pointers where to look? Or maybe a best-practice config,
perhaps somebody did exactly that before.

I only have experience with single-Domain ADs, so I am hoping to get some
first-hand expertise in here ;-)

Best Regards,


