On Wed, 08 May 2013, Paul Robert Marino wrote:
The client picks the realm based on the domain name of the host.
You can control the behavior on the client via krb5.conf, but the
assumption is you have 1 realm per domain or host.
From man krb5.conf
The [domain_realm] section provides a translation from a hostname to
the Kerberos realm name for the services provided by that host.
The tag name can be a hostname, or a domain name, where domain names
are indicated by a prefix of a period (".") character. The value
of the relation is the Kerberos realm name for that particular host
or domain. Host names and domain names should be in lower case.
If no translation entry applies, the host's realm is considered to
be the hostname's domain portion converted to upper case. For
example, the following [domain_realm] section:
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
dodo.mit.edu = SMS_TEST.MIT.EDU
.ucsc.edu = CATS.UCSC.EDU
maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts
in the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in
the UCSC.EDU domain into the CATS.UCSC.EDU realm.
ucbvax.berkeley.edu would be mapped by the default rules to the
while sage.lcs.mit.edu would be mapped to the LCS.MIT.EDU realm.
Also the question of trusts is really an issue with cpaths, but there is
also a compatibility issue between the AD Kerberos server and MIT's. It's
doable with Heimdal Kerberos servers, but FreeIPA is not compatible with
This is not correct. Starting with FreeIPA 3.0 we do support
cross-forest trusts with Active Directory.
/ Alexander Bokovoy
Freeipa-users mailing list
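The [domain_realm] lookup quoted above (exact host first, then parent domains with a leading dot, then the upper-cased domain portion as the fallback) is easy to get wrong when reasoning about which realm a client will ask a KDC for. The following is an added example, not code from either poster or from the MIT krb5 project: a small Python model of that lookup, fed with a constructed krb5.conf fragment containing the man page's four entries. The most-specific-first walk up the domain hierarchy is my reading of MIT's behaviour and should be treated as an assumption; the function and constant names are mine.

```python
import re

# Constructed krb5.conf fragment reusing the man page's [domain_realm] example.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    dodo.mit.edu = SMS_TEST.MIT.EDU
    .ucsc.edu = CATS.UCSC.EDU
"""


def parse_domain_realm(text):
    """Return the [domain_realm] tags of a krb5.conf-style string as a dict.

    Tags are lower-cased, matching the man page's advice that host and
    domain names in this section should be lower case.
    """
    mapping = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            tag, _, realm = line.partition("=")
            mapping[tag.strip().lower()] = realm.strip()
    return mapping


def host_realm(hostname, mapping):
    """Model the client-side hostname -> realm decision.

    1. an exact hostname tag wins;
    2. otherwise the nearest enclosing ".domain" tag wins (assumed
       most-specific-first order);
    3. otherwise the default rule applies: the domain portion, upper-cased.
    Returns None when the name has no domain portion at all.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    parts = host.split(".")
    # Walk up: for "sage.lcs.mit.edu" try ".lcs.mit.edu", ".mit.edu", ".edu".
    for i in range(1, len(parts)):
        candidate = "." + ".".join(parts[i:])
        if candidate in mapping:
            return mapping[candidate]
    if len(parts) > 1:
        return ".".join(parts[1:]).upper()
    return None


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("dodo.mit.edu", "www.mit.edu", "mit.edu", "ucbvax.berkeley.edu"):
        print(f"{h:24} -> {host_realm(h, table)}")
```

Two points worth checking with this model: a tag without a leading period ("mit.edu") matches only that exact host, not its subdomains, and any host that falls through to the default rule gets its realm from its DNS name alone. That fallback is why an explicit [domain_realm] entry for every service host is the safer configuration: it pins the realm the client will request tickets from, rather than letting name resolution decide it.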