Just reading thru the deployingradius.com pages.... On page: http://deployingradius.com/documents/configuration/active_directory.html You reference the krb5.conf file like this: [realms] ... realm.company.com = { kdc = nt-server-hostname.company.com } ... However, someone on the list once pointed out that this is a more robust approach (assuming your DNS infrastructure is solid). The objective is to have the server lookup the realms via DNS as opposed to having a statically linked server (that could be taken offline for maintenance) # more krb5.conf [libdefaults] default_realm = EXAMPLE.COM dns_lookup_kdc = on [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM # And like wise, the smb.conf file would changed as well. # Change this for the workgroup/NT-domain name your Samba server will part of workgroup = EXAMPLE #Domain ShortName if different realm = EXAMPLE.COM #Server string is the equivalent of the NT Description field server string = %h server (Samba %v) security = ADS encrypt passwords = true password server = * Granted, the above configs are for a single domain authentication source. (utilizing the default realm, I believe, instead of a named realm) But the concept of DNS resolving the password-server should apply.