When a client attempts to access a service running on a particular
server, it knows the name of the service (host) and the name of the
server (foo.example.com), but because more than one realm may be
deployed on your network, it must guess at the name of the realm in which the
service resides. By
default, the name of the realm is taken to be the DNS domain name of the
server, upper-cased.
foo.example.org → EXAMPLE.ORG
foo.example.com → EXAMPLE.COM
foo.hq.example.com → HQ.EXAMPLE.COM
foo.example.com → EXAMPLE.COM
foo.hq.example.com → HQ.EXAMPLE.COM
In some configurations, this will be sufficient, but in others,
the realm name which is derived will be the name of a non-existant realm. In
these cases, the mapping from the server's DNS domain name to the name of its
realm must be specified in the domain_realm section of the client
system's krb5.conf. For example:
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
The above configuration specifies two mappings. The first mapping
specifies that any system in the "example.com" DNS domain belongs to
the EXAMPLE.COM realm. The second specifies that a system with the exact
name "example.com" is also in the realm. (The distinction between a
domain and a specific host is marked by the presence or lack of an initial
".".) The mapping can also be stored directly in DNS.