The time of realms should be synchronized.
cd kerby-dist/kdc-dist sh bin/kadmin.sh [server-conf-dir] -k [keytab] // A.EXAMPLE.COM realm to access a service in the B.EXAMPLE.COM realm HadminLocalTool.local: addprinc -pw [same-password] krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM // Make sure that both principals have matching key version numbers and encryption types HadminLocalTool.local: getprinc krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
config realms and domain_realms sections, make sure the realms are contained.
config capaths section, which contains the realm chain.
An example of krb5.conf:
[realms]
A.EXAMPLE.COM = {
kdc = A.EXAMPLE.COM
}
B.EXAMPLE.COM = {
kdc = B.EXAMPLE.COM
}
[domain_realm]
.A.EXAMPLE.COM = a.example.com
A.EXAMPLE.COM = a.example.com
.B.EXAMPLE.COM = b.example.com
B.EXAMPLE.COM = b.example.com
[capaths]
A.EXAMPLE.COM = {
B.EXAMPLE.COM = .
}
B.EXAMPLE.COM = {
A.EXAMPLE.COM = .
}
Make sure the FQDN match the realm name, e.g. if the FQDN is localhost.hadoop.com, the realm should be HADOOP.COM.
cd kerby-dist/tool-dist sh bin/kinit.sh -conf [client-conf-dir] -c [credential-cache-of-local-realm] -S [principal-name-of-remote-realm]