The system clocks of the realms should be synchronized.
    cd kerby-dist/kdc-dist
    sh bin/kadmin.sh [server-conf-dir] -k [keytab]
    // A.EXAMPLE.COM realm to access a service in the B.EXAMPLE.COM realm
    KadminTool.local: addprinc -pw [same-password] krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
    // Make sure that both principals have matching key version numbers and encryption types
    KadminTool.local: getprinc krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
Note that the same “krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM” principal (with the same password) must exist in both the A.EXAMPLE.COM and B.EXAMPLE.COM KDCs.
Configure the [realms] and [domain_realm] sections, and make sure both realms are listed in them.
Configure the [capaths] section, which contains the realm chain.
An example of krb5.conf - this is required for both the A.EXAMPLE.COM and B.EXAMPLE.COM KDCs, as well as for the Tool dist below:
    [realms]
      A.EXAMPLE.COM = {
        kdc = A.EXAMPLE.COM
      }
      B.EXAMPLE.COM = {
        kdc = B.EXAMPLE.COM
      }

    # domain or host name on the left, realm name on the right
    [domain_realm]
      .a.example.com = A.EXAMPLE.COM
      a.example.com = A.EXAMPLE.COM
      .b.example.com = B.EXAMPLE.COM
      b.example.com = B.EXAMPLE.COM

    [capaths]
      A.EXAMPLE.COM = {
        B.EXAMPLE.COM = .
      }
      B.EXAMPLE.COM = {
        A.EXAMPLE.COM = .
      }
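A pre-flight check for the krb5.conf requirements above, as an added example that is not part of the Kerby distribution: it confirms that both realms appear in [realms], [domain_realm] and [capaths] for a given direction, and returns the cross-realm krbtgt principal that must exist in both KDCs. The function names `parse_krb5_conf` and `check_cross_realm` are hypothetical; the parser assumes one relation per line and the MIT convention that [domain_realm] maps DNS names to realm names.

```python
# Constructed sample (not a file from the Kerby project); the reverse
# [capaths] entry (B -> A) is deliberately left out to show a failed check.
SAMPLE_CONF = """\
[realms]
  A.EXAMPLE.COM = {
    kdc = A.EXAMPLE.COM
  }
  B.EXAMPLE.COM = {
    kdc = B.EXAMPLE.COM
  }
[domain_realm]
  .a.example.com = A.EXAMPLE.COM
  .b.example.com = B.EXAMPLE.COM
[capaths]
  A.EXAMPLE.COM = {
    B.EXAMPLE.COM = .
  }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value-or-subdict}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":                        # end of a "REALM = {" block
            block = None
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_cross_realm(conf, client_realm, service_realm):
    """Return (problems, krbtgt principal) for client_realm users reaching service_realm."""
    problems = []
    mapped = set(conf.get("domain_realm", {}).values())   # assumed: values are realm names
    for realm in (client_realm, service_realm):
        if realm not in conf.get("realms", {}):
            problems.append(f"[realms] has no entry for {realm}")
        if realm not in mapped:
            problems.append(f"[domain_realm] maps no domain to {realm}")
    if service_realm not in conf.get("capaths", {}).get(client_realm, {}):
        problems.append(f"[capaths] has no path {client_realm} -> {service_realm}")
    return problems, f"krbtgt/{service_realm}@{client_realm}"
```

Run it against the krb5.conf deployed on each KDC and on the client; an empty problem list for the direction in use means the three sections agree.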
    cd kerby-dist/tool-dist
    sh bin/kinit.sh -conf [client-conf-dir] -c [credential-cache-of-local-realm] -S [principal-name-of-remote-realm]
Example:
    cd kerby-dist/tool-dist
    sh bin/kinit.sh -conf [client-conf-dir] alice@A.EXAMPLE.COM
    sh bin/kinit.sh -conf [client-conf-dir] -c /tmp/krb5cc_1000 -S service@B.EXAMPLE.COM