kerberos question

I am new to kerberos and setting up kerberos servers.

What is the difference between realms and domain_realm?   Also, what is realm ?

        kdc =
        admin_server =
        default_domain =

[domain_realm] = MYSERVER.COM = MYSERVER.COM

From the client,  how do I check which is one is the kerberos server?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Abhi PappiTechnical Lead - Network SupportCommented:

A Kerberos realm is the domain over which a Kerberos authentication server has the authority to authenticate a user, host or service.

When a client attempts to access a service running on a particular server, it knows the name of the service (host) and the name of the server, but because more than one realm may be deployed on your network, it must guess at the name of the realm in which the service resides. By default, the name of the realm is taken to be the DNS domain name of the server, upper-cased.

In some configurations, this will be sufficient, but in others, the realm name which is derived will be the name of a non-existant realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified in the domain_realm section of the client system's krb5.conf. For example:

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM

The above configuration specifies two mappings. The first mapping specifies that any system in the "" DNS domain belongs to the EXAMPLE.COM realm. The second specifies that a system with the exact name "" is also in the realm. (The distinction between a domain and a specific host is marked by the presence or lack of an initial ".".) The mapping can also be stored directly in DNS.

Reference from :-

Also refer:-


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mokkanAuthor Commented:
Than you very much.  Our Kerberos sever is in Linux,  how do we make AD users to authenticate through Kerberos server?
mokkanAuthor Commented:
From the client,  how do we check the master Kerberos server?  Basically I would like to find who is the Authentication Server  ?
Abhi PappiTechnical Lead - Network SupportCommented:

I have seen Linux servers join to windows domain, however in your case you may need to configure a cross-forest (realm) trust for Linux kerberos server to work with windows AD.

May be helpful. -- From Page 41:-  (

From a Windows client, you can get the server details using the commands :-

nltest /dsgetdc:DOMAINNAME /kdc

Sorry, I dont have working experience with Linux. So hope some linux experts would be able to assist you with precise commands for this.

Abhi PappiTechnical Lead - Network SupportCommented:
Since I have spend time to answer the kerberos and realm things, I hope I have the privilege to get some point. Since noone else answered on this thread, its shame to keep no points assigned. So I am assigning some points to me.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.