Recipe 2.18 Creating a Trust to a Kerberos Realm

2.18.1 Problem

You want to create a trust to a Kerberos realm.

2.18.2 Solution

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right-click the domain you want to add a trust for and select Properties.

  3. Click on the Trusts tab.

  4. Click the New Trust button.

  5. After the New Trust Wizard opens, click Next.

  6. Type the name of the Kerberos realm.

  7. Select the radio button beside Realm Trust and click Next.

  8. Select either Transitive or Nontransitive and click Next.

  9. Select Two-way, One-way incoming, or One-way outgoing and click Next.

  10. Enter and retype the trust password and click Next.

  11. Click Next and click Finish.

Using a command-line interface

> netdom trust <ADDomainDNSName> /Domain:<KerberosRealmDNSName> /Realm /ADD /PasswordT:<TrustPassword> [/UserO:<ADDomainAdminUser> /PasswordO:*]

The <TrustPassword> has to match what was set on the Kerberos side. To create a realm trust from the domain to the Kerberos realm called, use the following command:

> netdom trust /[RETURN]
         /Realm /ADD /PasswordT:MyKerbRealmPassword[RETURN]
         / /PasswordO:*
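As an added example (not code from the cookbook), the following PowerShell script runs the netdom command above with placeholder names, pins the trust to one-way and nontransitive, and then reads the resulting trust object back with Get-ADTrust so the type, direction and transitivity actually stored can be checked; the domain, realm and account names are assumptions.

```powershell
# Added example, not from the cookbook: create a one-way, nontransitive realm
# trust with netdom and read it back to confirm what was actually set.
# Domain, realm and account names are placeholders.
$adDomain  = 'corp.example.com'     # placeholder AD domain (trusting side)
$kerbRealm = 'KERB.EXAMPLE.ORG'     # placeholder MIT Kerberos realm name
$adminUser = 'CORP\Administrator'   # placeholder account allowed to create trusts

# The trust password must equal the one used for the cross-realm krbtgt
# principals created on the Kerberos side, or ticket exchange will fail.
$trustPassword = Read-Host 'Trust password set on the Kerberos side'

# One-way (outgoing from the AD domain) and nontransitive is the narrowest
# form; add /TwoWay or /Transitive:yes only if the design calls for it.
& netdom trust $adDomain /Domain:$kerbRealm /Realm /Add /Transitive:no `
    /PasswordT:$trustPassword /UserO:$adminUser /PasswordO:*
if ($LASTEXITCODE -ne 0) {
    throw "netdom trust /Add failed with exit code $LASTEXITCODE"
}

# Read the trustedDomain object back (ActiveDirectory module) and check the
# attributes instead of relying on the wizard's or netdom's summary line.
Import-Module ActiveDirectory
$trust = Get-ADTrust -Filter { Target -eq $kerbRealm } -Server $adDomain
if (-not $trust) { throw "No trust object found for realm $kerbRealm" }

# TrustAttributes bit 0x1 is TRUST_ATTRIBUTE_NON_TRANSITIVE.
$nonTransitive = ($trust.TrustAttributes -band 0x1) -ne 0
[pscustomobject]@{
    Target        = $trust.Target
    TrustType     = $trust.TrustType      # expect MIT for a Kerberos realm trust
    Direction     = $trust.Direction      # Outbound for the one-way trust above
    NonTransitive = $nonTransitive        # expect True with /Transitive:no
}
```

If TrustType, Direction or NonTransitive differ from what was intended, fix them with netdom (for example /Transitive:no) before granting any access to realm principals.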

2.18.3 Discussion

You can create a Kerberos realm trust between an Active Directory domain and a non-Windows Kerberos v5 realm. A realm trust can be used to allow clients from the non-Windows Kerberos realm to access resources in Active Directory, and vice versa. See Recipe 18.7 for more information on MIT Kerberos interoperability with Active Directory.

2.18.4 See Also

MS KB 260123 (Information on the Transitivity of a Kerberos Realm Trust) and MS KB 266080 (Answers to Frequently Asked Kerberos Questions)
