multi-realm auth failing in DMZ, works for any specified default_realm

Jeremy Page jeremy.page at gilbarco.com
Tue Mar 11 15:10:33 EDT 2014


I am trying to set up multi-realm authentication via SSH into an Ubuntu
box against a Windows 2008 AD forest with multiple AD domains/Kerberos
realms in it.

Inside our network this works as I would like, assuming users' UIDs are
unique: usera@SITE.REALM.COM and userb@REALM.COM can both authenticate
(I am logging in with uid@server, so not specifying a realm).

In our DMZ I can only log in via ssh if I am in the Kerberos realm
specified as the default_realm in krb5.conf.
kinit for NON default realms *works* as long as I specify the realm, and
getent/ldapsearch pulls back the correct user information. No caching
(ccreds/nscd) is on the box. I can connect to the KDCs in question (as
long as I change the default realm I can log in with any user), so I
don't see anything being blocked, but it seems like something must be.

I am not sure what the next step is to troubleshoot this issue, any
suggestions would be appreciated.

Using libpam-krb5 and libnss-ldap

    [libdefaults]
        default_realm = SITE.COMPANY.COM
        udp_preference_limit = 1
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        v4_instance_resolve = false
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
        fcc-mit-ticketflags = true

    [realms]
        SITE.COMPANY.COM = {
            kdc = site.company.com
            admin_server = site.company.com
        }
        COMPANY.COM =  {
            kdc = company.com:88
            admin_server = company.com
            default_domain = company.com
        }

    [domain_realm]
        .company.com = COMPANY.COM
        company.com = COMPANY.COM

    [logging]
        default = SYSLOG:LOG_DEBUG

    [login]
        krb4_convert = true
        krb4_get_tickets = false
