Apache Kerberos Authentication

Purpose

To allow users to authenticate using seamless SSO via kerberos.^[1]

MultiRealm Authentication

In this case I want to authenticate more than one realm (two domains). After following the common instructions online I was unable to log in using the second realm. The first realm logged in without issue.

NOTE 1 : This is a messy post as I have worked on this for several days and am trying to record what I did before I forget.
NOTE 2 : I am not sure if all of this is necessary, but I wanted to track everything I did regardless

Environment

• Domains

Domain1.tld
Domain2.tld

• web server

intranet.tld

krb5.conf

The server I am using was enrolled in domain1 using sssd and the "realm join" command many a year ago. We will be editing the krb5.conf file that was created during this process.

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = DOMAIN1.TLD
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 DOMAIN1.TLD = {
kdc = domain1.tld
admin_server = domain1.tld

 }

 DOIMAIN2.TLD = {
kdc = domain2.tld
admin_server = domain2.tld

 }


[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 domain1.tld = DOMAIN1.TLD
 .domain1.tld = DOMAIN1.TLD
 domain2.tld = DOMAIN2.TLD
 .domain2.tld = DOMAIN2.TLD

[capaths]
	DOMAIN1.TLD = {
		DOMAIN2.TLD = .
	}
	DOMAIN2.TLD = {
		DOMAIN1.TLD = .
	}