Initial Auth Realm Fall-back

Shawn M Emery shawn.emery at
Mon Aug 19 02:39:47 EDT 2013

Wanting to get feedback on a proposal for initial authentication 
through multiple realms when the user may not know in which realm or 
domain they reside.  This is key, given that client referrals do not work 
unless a UPN suffix is provided.  Currently this configuration is 
augmented with the use of the realm option for pam_krb5, which is not 
optimal given that pam_krb5 should not entail Kerberos configuration and 
this solution does not support kinit/gic applications.

The proposed solution would be a white-list set of the possible realms 
used on the authenticating system.  For example:

$ cat /etc/krb5/krb5.conf

[libdefaults]
         default_realm = DEV.EXAMPLE.COM
         fallback_realms = CORP.EXAMPLE.COM ACCT.EXAMPLE.COM

where user foo resides in the ACCT realm and the system has service keys 
in the DEV realm.  With this configuration when user foo authenticates 
to the system the default realm DEV is tried.  When DEV returns 
KDC_ERR_C_PRINCIPAL_UNKNOWN, the new algorithm tries and fails with the 
CORP realm request, and succeeds on the third request to the ACCT realm.
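The walk described in the proposal, as an added example that is not part of the original post or of MIT krb5: a small parser for the `default_realm` / `fallback_realms` lines of a krb5.conf-style fragment, a constructed in-memory stand-in for the three KDCs (`FakeKDC`, with the made-up principals and passwords shown in it), and a `get_init_creds_with_fallback` function that tries the default realm first and moves to the next white-listed realm only on KDC_ERR_C_PRINCIPAL_UNKNOWN. The error code values are the real ones from RFC 4120; everything else (function and class names, the rule that any other KDC error such as a failed pre-authentication stops the walk so one password is never retried against further realms) is this example's own assumption, not something the proposal specifies.

```python
"""Simulated realm fall-back for initial authentication (added example)."""
from dataclasses import dataclass, field

# KDC error codes from RFC 4120 section 7.5.9 (real values).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_FAILED = 24


class KrbError(Exception):
    """A KDC error reply: which code, from which realm."""
    def __init__(self, code, realm):
        super().__init__(f"KDC error {code} from realm {realm}")
        self.code = code
        self.realm = realm


def parse_libdefaults(text):
    """Parse 'key = value' lines of a krb5.conf [libdefaults] section.

    Returns (default_realm, [fallback realms]).  Assumption: fallback_realms
    is a whitespace-separated list, as written in the proposal.
    """
    default_realm, fallbacks = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "default_realm":
            default_realm = value
        elif key == "fallback_realms":
            fallbacks = value.split()
    if default_realm is None:
        raise ValueError("default_realm not set")
    return default_realm, fallbacks


@dataclass
class FakeKDC:
    """Constructed stand-in for the KDCs: realm -> {principal: password}.

    Records the order of AS-REQs so the fall-back walk can be inspected.
    """
    realms: dict
    requests: list = field(default_factory=list)

    def as_req(self, user, realm, password):
        self.requests.append(realm)
        users = self.realms[realm]
        if user not in users:
            raise KrbError(KDC_ERR_C_PRINCIPAL_UNKNOWN, realm)
        if users[user] != password:
            raise KrbError(KDC_ERR_PREAUTH_FAILED, realm)
        return f"{user}@{realm}"  # the client principal that obtained a TGT


def get_init_creds_with_fallback(kdc, user, password, default_realm, fallback_realms):
    """Try default_realm, then each fallback realm in the configured order.

    Only KDC_ERR_C_PRINCIPAL_UNKNOWN moves on to the next realm; any other
    error (wrong password, pre-auth failure) stops the walk immediately
    (this example's assumption: the proposal only covers principal-unknown).
    """
    last_error = None
    for realm in [default_realm, *fallback_realms]:
        try:
            return kdc.as_req(user, realm, password)
        except KrbError as err:
            if err.code != KDC_ERR_C_PRINCIPAL_UNKNOWN:
                raise
            last_error = err
    raise last_error


# Constructed config fragment matching the proposal's example.
KRB5_CONF = """
[libdefaults]
        default_realm = DEV.EXAMPLE.COM
        fallback_realms = CORP.EXAMPLE.COM ACCT.EXAMPLE.COM
"""


def _kdc(corp_users):
    # Constructed principals/passwords; foo lives in ACCT, DEV holds only service keys.
    return FakeKDC(realms={
        "DEV.EXAMPLE.COM": {"host/devbox.example.com": "svc-key"},
        "CORP.EXAMPLE.COM": corp_users,
        "ACCT.EXAMPLE.COM": {"foo": "pw-foo"},
    })


def demo_success():
    """foo is unknown in DEV and CORP, found in ACCT: three requests."""
    default, fallbacks = parse_libdefaults(KRB5_CONF)
    kdc = _kdc({"bar": "pw-bar"})
    principal = get_init_creds_with_fallback(kdc, "foo", "pw-foo", default, fallbacks)
    return principal, kdc.requests


def demo_stops_on_other_error():
    """A 'foo' in CORP with a different password: walk stops at CORP."""
    default, fallbacks = parse_libdefaults(KRB5_CONF)
    kdc = _kdc({"foo": "something-else"})
    try:
        get_init_creds_with_fallback(kdc, "foo", "pw-foo", default, fallbacks)
    except KrbError as err:
        return err.code, kdc.requests
    return None, kdc.requests


if __name__ == "__main__":
    print(demo_success())
    print(demo_stops_on_other_error())
```

The second demo is the check a practitioner would want before deploying such a list: if a same-named principal exists in an earlier realm, the walk stops there rather than carrying the user's password on to the remaining realms.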


More information about the krbdev mailing list