Kerberos authentication using mod_auth_kerb against ActiveDirectory and multiple Realms

Our environment looks like this:

• we've got a forest of ActiveDirectory servers that trust each other.
• we've got a Linux Apache with mod_auth_kerb that authenticates against the "main" AD server.

For some combinations of clients & domains, we get the following error message:

krb5_get_init_creds_password() failed: KRB5 error code 68

Googling says this error:

is being returned by Active Directory because your users are
atte开发者_开发百科mpting to obtain a Kerberos TGT for a realm that
is not hosted on the server to which they are authenticating.

Is there a way to work around this?

You missed to add all necessary Realms/KDCs into your krb5.conf. GSSAPI cannot obtain a ticket for an unknown realm. The above examplee works perfectly with gssapi in our forest env.

To ease the configuration work, you may configure your krb5.conf to query DNS to lookup the KDCs. This is what Windows does.