I know this question is already asked quite a lot of times but I would
like to verify.
Say we have an AD realm X.COM and an MIT realm Y.COM (not hierarchical
The user principals are defined in X.COM, the service principals in
Now since a user from X.COM wants to connect to a host in Y.COM, cross
realm authentication needs to be done, right?
Furthermore, since the realms aren't hierarchically related, a capaths
section is required in krb5.conf.
I have already made 2 cross realm principals on MIT
(krbtgt/X.COM@Y.COM and krbtgt/Y.COM@X.COM, both with password 'abc'). I have
also defined the realm trust in AD (also with password 'abc').
Now what am I still missing?
And finally, in the domain_realm section, does the y.com domain have
to be linked with the Y.COM realm (service principals are known here)
or with the X.COM realm (since I want cross realm authentication)?
This is a bit unclear for me.

Any help will be greatly appreciated.