I currently try so setup the kerberos auth on a server living in a sub domain "sub.example.com". The KDC manages EXAMPLE.COM together with a dns server which manages 'example.com'. Due to organizational reasons we have a subdomain 'sub.example.com' for some servers (server1.sub.example.com). This subdomain is managed by a separate DNS server. There, the Kerberos login via pam works fine on this server using the following /etc/krb5.conf file:
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
clockskew = 300
ticket_lifetime = 2days
renew_lifetime = 365days
renewable = true
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
}
If I now connect with enabled Kerberos using kerberized ssh, I get
$ssh -vvv server1.sub.example.com
...
debug1: Unspecified GSS failure. Minor code may provide more information
Server krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
debug3: send packet: type 50
...
and return to password login. How can I convince kerberos/ssh to use krbtgt/EXAMPLE.COM@EXAMPLE.COM instead of krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM for the servers inside the subdomain.
