Resolve a KRB Error During SSO in a Disjoint Namespace
When you are working in a network with a disjoint namespace in which the Active Directory domain name is different from the DNS domain suffix for computers, you may need to modify the domain_realm section of /etc/krb5.conf on your target computer even though your DNS A and PTR records are correct for both DNS domains and can be found both ways.
The following error, in particular, indicates that you might have to modify your krb5.conf file before single sign-on (with SSH, for example) will work:
KRB ERROR BAD OPTION
Assume your computer's Active Directory domain is bluesky.example.com and your computer's FQDN is somehostname.green.example.com and you have already created the following entries in DNS:
_kerberos._tcp.green.example.com 0 100 389 ad2.bluesky.example.com _kerberos._udp.green.example.com 0 100 389 ad2.bluesky.example.com
On the target computer, the [domain_realm] entry of your /etc/krb5.conf file looks like this:
[domain_realm] .bluesky.example.com = BLUESKY.EXAMPLE.COM bluesky.example.com = BLUESKY.EXAMPLE.COM
To resolve the error, add the following two lines to the [domain_realm] entry of your /etc/krb5.conf file:
.green.example.com = BLUESKY.EXAMPLE.COM green.example.com = BLUESKY.EXAMPLE.COM
After adding the two lines above, the complete [domain_realm] entry now looks like this:
[domain_realm] .bluesky.example.com = BLUESKY.EXAMPLE.COM bluesky.example.com = BLUESKY.EXAMPLE.COM .green.example.com = BLUESKY.EXAMPLE.COM green.example.com = BLUESKY.EXAMPLE.COM
Finally, make sure that you have a correct k5login file and then try to log on again.
For more information, see Disjoint Namespace.