The remainder of this document assumes you have already established your own Kerberos realm and that you have configured your KDC to use your LDAP server. These services will be used by the NFSv4 server for user authentication and authorization.
It is also assumed that your Kerberos KDC has a cross-realm trust with the UW Kerberos realm. Contact UW Technology for more information regarding UW authentication services.
Since the Fedora™ Authentication Configuration applet does not provide an interface to configure multiple Kerberos realms, you will need to edit your /etc/krb5.conf by hand.
Here is an example:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = u.washington.edu
 dns_lookup_realm = false
 dns_lookup_kdc = false
 clockskew = 120

[realms]
 MYDEPT.EXAMPLE.COM = {
  kdc = mykdc1.mydept.example.com:88
  kdc = mykdc2.mydept.example.com:88
  admin_server = myadminserver.mydept.example.com:749
  default_domain = MYDEPT.EXAMPLE.COM
 }

 u.washington.edu = {
  kdc = k5-kdc1.u.washington.edu
  kdc = k5-kdc2.u.washington.edu
  admin_server = k5-admin.u.washington.edu
  kpasswd_server = k5-admin.u.washington.edu
  default_domain = u.washington.edu
 }

[domain_realm]
 .mydept.example.com = MYDEPT.EXAMPLE.COM
 mydept.example.com = MYDEPT.EXAMPLE.COM
 .u.washington.edu = u.washington.edu
 u.washington.edu = u.washington.edu

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
  kdc_timeout = 1
  max_retries = 1
 }
... where mydept.example.com would be replaced with your departmental subdomain.
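Because the file is edited by hand and dns_lookup_kdc is false, a mistyped realm name or a missing kdc line only shows up later as a failed login. The following consistency check is an added example, not part of the original document; the function names and the trimmed sample (which deliberately maps .lab.example.com to a realm that has no stanza) are constructed for illustration. Realm names are compared case-sensitively, as Kerberos does.

```python
import re

# Constructed sample: trimmed from the example above, with one deliberate mistake.
SAMPLE = """\
[libdefaults]
 default_realm = u.washington.edu
[realms]
 MYDEPT.EXAMPLE.COM = {
  kdc = mykdc1.mydept.example.com:88
 }
 u.washington.edu = {
  kdc = k5-kdc1.u.washington.edu
 }
[domain_realm]
 .mydept.example.com = MYDEPT.EXAMPLE.COM
 .lab.example.com = LAB.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] | nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif stack and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def check_realms(conf):
    """List mismatches between [libdefaults], [realms] and [domain_realm]."""
    realms, problems = conf.get("realms", {}), []
    default = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if default not in realms:
        problems.append(f"default_realm {default} has no [realms] stanza")
    for realm, body in realms.items():
        if not (isinstance(body, dict) and body.get("kdc")):
            problems.append(f"realm {realm} lists no kdc")
    for domain, targets in conf.get("domain_realm", {}).items():
        if targets[-1] not in realms:
            problems.append(f"{domain} maps to undefined realm {targets[-1]}")
    return problems
```

To check a real file, pass the contents of /etc/krb5.conf to parse_krb5_conf and print what check_realms returns; an empty list means the three sections agree.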