Kerberos realm vs NT domain

WAGHORN, Jason (NHS BORDERS) j.waghorn1 at nhs.net
Thu Jan 17 10:26:26 CET 2019


Hello all, apologies for this - I'm having an issue where I have a single Kerberos realm (published as the RADIUS realm) but multiple AD containers behind that, within which the users sit. The RADIUS/Kerberos server is joined to the domain and authentication via ntlm_auth works for both containers (if one specifies the container explicitly).

# ntlm_auth --username=testusera --domain=a.example.com
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
# ntlm_auth --username=testuserb --domain=b.example.com
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)
#

So: Kerberos/RADIUS realm = example.com; users are in containers a.example.com & b.example.com

Can I use the krb5.conf to handle the users as "user@example.com" and automatically have it try both containers (i.e. a.example.com & b.example.com)?

I'm surmising that I need to do this in the realms and/or domain_realm sections - but the documentation isn't making a whole lot of sense to me at this stage (could be related to a caffeine deficit).

Thanks in advance

Jason

