Resolve a KRB Error During SSO in a Disjoint Namespace

When you work in a network with a disjoint namespace, in which the Active Directory domain name differs from the DNS domain suffix of the computers, you may need to modify the [domain_realm] section of /etc/krb5.conf on the target computer, even when the DNS A and PTR records for both DNS domains are correct and resolve in both directions.

The following error, in particular, indicates that you might have to modify your krb5.conf file before single sign-on (with SSH, for example) will work:

KRB ERROR BAD OPTION

Assume that your computer's Active Directory domain is bluesky.example.com, that your computer's FQDN is somehostname.green.example.com, and that you have already created the following entries in DNS:

_kerberos._tcp.green.example.com 0 100 389 ad2.bluesky.example.com
_kerberos._udp.green.example.com 0 100 389 ad2.bluesky.example.com

On the target computer, the [domain_realm] entry of your /etc/krb5.conf file looks like this:

[domain_realm]
.bluesky.example.com = BLUESKY.EXAMPLE.COM
bluesky.example.com = BLUESKY.EXAMPLE.COM

To resolve the error, add the following two lines to the [domain_realm] entry of your /etc/krb5.conf file:

.green.example.com = BLUESKY.EXAMPLE.COM
green.example.com = BLUESKY.EXAMPLE.COM

After adding the two lines above, the complete [domain_realm] entry now looks like this:

[domain_realm]
.bluesky.example.com = BLUESKY.EXAMPLE.COM
bluesky.example.com = BLUESKY.EXAMPLE.COM
.green.example.com = BLUESKY.EXAMPLE.COM
green.example.com = BLUESKY.EXAMPLE.COM
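To see why the two extra lines matter, the following added example (not part of the original article) applies the MIT krb5 host-to-realm lookup rules to a constructed krb5.conf: a hostname is matched exactly first, then each parent domain with a leading dot. Without the green.example.com lines, somehostname.green.example.com maps to no realm and krb5 falls back to DNS or default_realm, which is where the bad-option error can surface.

```python
# Constructed sample: the [domain_realm] section from the article,
# before and after the two lines for the DNS domain are added.
BEFORE = """
[libdefaults]
    default_realm = BLUESKY.EXAMPLE.COM

[domain_realm]
    .bluesky.example.com = BLUESKY.EXAMPLE.COM
    bluesky.example.com = BLUESKY.EXAMPLE.COM
"""
AFTER = BEFORE + """    .green.example.com = BLUESKY.EXAMPLE.COM
    green.example.com = BLUESKY.EXAMPLE.COM
"""


def parse_domain_realm(text):
    """Return {pattern: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            pattern, realm = (s.strip() for s in line.split("=", 1))
            mapping[pattern.lower()] = realm
    return mapping


def realm_for_host(fqdn, mapping):
    """MIT krb5 rules: exact hostname first, then successively shorter parent
    domains with a leading dot (a.b.c -> a.b.c, .b.c, .c). Entries without a
    leading dot only match that exact name. Returns None when nothing matches,
    in which case krb5 falls back to DNS lookups or default_realm."""
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


if __name__ == "__main__":
    for cfg, label in ((BEFORE, "before"), (AFTER, "after")):
        print(label, realm_for_host("somehostname.green.example.com",
                                    parse_domain_realm(cfg)))
```

Run it against your real /etc/krb5.conf (read the file into `parse_domain_realm`) to confirm that every host in the DNS domain resolves to the Active Directory realm before testing SSO again.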

Finally, make sure that the user's .k5login file is correct, and then try to log on again.

For more information, see Disjoint Namespace.