The clocks of both realms must be synchronized.
Create the cross-realm principal, using the same password on the KDC of each realm (the `//` lines are comments):

```
cd kerby-dist/kdc-dist
sh bin/kadmin.sh [server-conf-dir] -k [keytab]
// A.EXAMPLE.COM realm to access a service in the B.EXAMPLE.COM realm
HadminLocalTool.local: addprinc -pw [same-password] krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
// Make sure that both principals have matching key version numbers and encryption types
HadminLocalTool.local: getprinc krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM
```
Configure the `[realms]` and `[domain_realm]` sections of krb5.conf, making sure both realms are listed.
Configure the `[capaths]` section, which contains the realm chain (the path between the two realms).
An example of krb5.conf:
```
[realms]
  A.EXAMPLE.COM = {
    kdc = A.EXAMPLE.COM
  }
  B.EXAMPLE.COM = {
    kdc = B.EXAMPLE.COM
  }

[domain_realm]
  .A.EXAMPLE.COM = a.example.com
  A.EXAMPLE.COM = a.example.com
  .B.EXAMPLE.COM = b.example.com
  B.EXAMPLE.COM = b.example.com

[capaths]
  A.EXAMPLE.COM = {
    B.EXAMPLE.COM = .
  }
  B.EXAMPLE.COM = {
    A.EXAMPLE.COM = .
  }
```
Make sure the FQDN matches the realm name, e.g. if the FQDN is localhost.hadoop.com, the realm should be HADOOP.COM.
Then request a ticket for a service principal in the remote realm, using the credential cache obtained in the local realm:

```
cd kerby-dist/tool-dist
sh bin/kinit.sh -conf [client-conf-dir] -c [credential-cache-of-local-realm] -S [principal-name-of-remote-realm]
```
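The checks the steps above ask for (both realms present in `[realms]` and `[domain_realm]`, a `[capaths]` chain in each direction, and the host-to-realm rule) can be verified offline before running kinit. The following is an added example written for this page, not code from Apache Kerby: it parses the `krb5.conf` subset shown above and reports what is missing. The sample configuration, the KDC host names and the `trust_principal`, `realm_for_host` and `check_cross_realm` helpers are all constructed for the example; the sample maps lowercase DNS domains to uppercase realm names, as a Kerberos client expects.

```python
from typing import Any

# Constructed sample following the structure of the krb5.conf above;
# the kdc host names are placeholders, not hosts from the page.
SAMPLE_KRB5_CONF = """\
[realms]
  A.EXAMPLE.COM = {
    kdc = kdc.a.example.com
  }
  B.EXAMPLE.COM = {
    kdc = kdc.b.example.com
  }

[domain_realm]
  .a.example.com = A.EXAMPLE.COM
  a.example.com = A.EXAMPLE.COM
  .b.example.com = B.EXAMPLE.COM
  b.example.com = B.EXAMPLE.COM

[capaths]
  A.EXAMPLE.COM = {
    B.EXAMPLE.COM = .
  }
  B.EXAMPLE.COM = {
    A.EXAMPLE.COM = .
  }
"""


def parse_krb5_conf(text: str) -> dict[str, dict[str, Any]]:
    """Parse the krb5.conf subset used here: [section] headers, key = value
    entries, and key = { ... } subsections (nested to any depth)."""
    conf: dict[str, dict[str, Any]] = {}
    stack: list[dict[str, Any]] = []        # stack[-1] is the innermost block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"entry before any [section]: {line!r}")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{'")
    return conf


def trust_principal(client_realm: str, service_realm: str) -> str:
    """Cross-realm TGS principal that clients of client_realm need in order
    to reach services in service_realm (created on both KDCs)."""
    return f"krbtgt/{service_realm}@{client_realm}"


def realm_for_host(fqdn: str, domain_realm: dict[str, str]) -> str:
    """Map a host to its realm as a Kerberos client does: an exact host entry
    wins, then the longest matching '.domain' suffix; with no mapping, fall
    back to the parent domain upper-cased (localhost.hadoop.com -> HADOOP.COM)."""
    mapping = {k.lower(): v for k, v in domain_realm.items()}
    host = fqdn.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()


def check_cross_realm(conf: dict[str, dict[str, Any]],
                      local_realm: str, remote_realm: str) -> list[str]:
    """Return the problems that would stop local_realm principals from
    reaching remote_realm services; an empty list means the config passes.
    Assumes a two-way trust, so the capath is required in both directions."""
    problems: list[str] = []
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    capaths = conf.get("capaths", {})
    for realm in (local_realm, remote_realm):
        entry = realms.get(realm)
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append(f"[realms] defines no kdc for {realm}")
        if realm not in domain_realm.values():
            problems.append(f"[domain_realm] maps no domain to {realm}")
    for src, dst in ((local_realm, remote_realm), (remote_realm, local_realm)):
        path = capaths.get(src)
        if not isinstance(path, dict) or dst not in path:
            problems.append(f"[capaths] has no path from {src} to {dst}")
    return problems


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("create on both KDCs:", trust_principal("A.EXAMPLE.COM", "B.EXAMPLE.COM"))
    print("problems:", check_cross_realm(parsed, "A.EXAMPLE.COM", "B.EXAMPLE.COM") or "none")
```

Running the script against the sample prints the `krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM` principal from the kadmin step and no problems; removing one direction of the `[capaths]` chain makes `check_cross_realm` report the missing path, which is the kind of mistake that otherwise only surfaces as a failed kinit against the remote realm.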