Incorrect Domain mapped when Kerberos Authentication is used for LDAP users causing users to not be Authenticated

11533
Created On 09/25/18 19:52 PM - Last Modified 03/23/23 21:00 PM


Symptom


  • Users are not authenticated when Kerberos authentication is used together with an LDAP server profile.
  • The authd logs (less mp-log authd.log) show the user arriving from the wrong domain (accad); the actual domain is accad.local:
pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: btest
pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','AuthProfile-LDAP','btest'>
panauth:user <accad\\btest,AuthProfile-LDAP,vsys1> is not allowed
pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: accad\\btest authresult not auth'ed
pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.
User 'accad\\btest' failed authentication. Reason: User is not in allowlist From: 173.182.189.230.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Kerberos Authentication
  • LDAP


Cause


The Domain is configured incorrectly: it is set to the short name (accad) rather than the fully qualified domain (accad.local) that the Kerberos realm and the LDAP server profile expect.

Resolution


  1. The Domain must be the same as the Realm in the Kerberos Server Profile.
  2. Because the LDAP server profile is used for user-group mapping, Kerberos must use the fully qualified domain (accad.local). If LDAP were not used, domain = accad would have sufficed.

Note: Make sure that an appropriate group is included in the Allow List of the Kerberos Authentication Profile.

The authd logs after making the change:

pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: btest
pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','kerberos','btest'>
pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_kerberos,username accad.local\\btest
pan_authd_authenticate_service(pan_authd.c:652): authentication succeeded (0)
pan_authd_authenticate_service(pan_authd.c:658): account is valid
authentication succeeded for user <vsys1,kerberos,accad.local\\btest>
pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: accad.local\\btest authresult auth'ed
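As an added example that is not part of this article or of PAN-OS itself, the following Python script parses authd.log lines of the kind shown above, extracts the DOMAIN\\user prefix authd prints, and flags every line whose domain does not match the expected Kerberos realm, noting when the domain is the short (unqualified) form. The sample log text is constructed from the excerpts above (with a documentation IP address), and the function names and the expected realm "accad.local" are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the authd.log excerpts in this article
# (short domain 'accad' before the fix, 'accad.local' after it).
SAMPLE_LOG = r"""
pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','AuthProfile-LDAP','btest'>
panauth:user <accad\\btest,AuthProfile-LDAP,vsys1> is not allowed
pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: accad\\btest authresult not auth'ed
User 'accad\\btest' failed authentication. Reason: User is not in allowlist From: 192.0.2.10.
pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_kerberos,username accad.local\\btest
pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: accad.local\\btest authresult auth'ed
"""

# authd prints the principal as DOMAIN\\user with two literal backslashes,
# so the pattern matches two backslash characters between the groups.
_USER_RE = re.compile(r"([A-Za-z0-9.-]+)\\\\([A-Za-z0-9._-]+)")

# Outcome markers taken from the log excerpts, most specific first so that
# "authresult not auth'ed" is never mistaken for a success.
_OUTCOMES = (
    ("not auth'ed", "failed"),
    ("authresult auth'ed", "succeeded"),
    ("is not allowed", "not_allowed"),
    ("failed authentication", "failed"),
)


@dataclass
class AuthEvent:
    domain: str
    user: str
    outcome: Optional[str]  # 'succeeded', 'failed', 'not_allowed' or None
    line: str


def parse_authd_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a line that names a DOMAIN\\user, else None."""
    m = _USER_RE.search(line)
    if not m:
        return None
    outcome = next((tag for marker, tag in _OUTCOMES if marker in line), None)
    return AuthEvent(domain=m.group(1), user=m.group(2), outcome=outcome, line=line)


def is_fully_qualified(domain: str) -> bool:
    """True for 'accad.local', False for the short name 'accad'."""
    return "." in domain


def audit_domains(log_text: str, expected_realm: str) -> List[str]:
    """One finding per log line whose domain prefix differs from the Kerberos realm."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_authd_line(line)
        if ev is None:
            continue
        if ev.domain.lower() != expected_realm.lower():
            qualifier = "" if is_fully_qualified(ev.domain) else " (not fully qualified)"
            findings.append(
                f"{ev.user}: seen as '{ev.domain}'{qualifier}, "
                f"expected '{expected_realm}', outcome={ev.outcome}"
            )
    return findings


if __name__ == "__main__":
    # Run against the constructed sample: the three 'accad' lines are reported,
    # the two 'accad.local' lines are not.
    for finding in audit_domains(SAMPLE_LOG, "accad.local"):
        print(finding)
```

Running the script over a real capture of less mp-log authd.log (for example, saved to a file and read into audit_domains) gives a quick check, after the change, that every authentication attempt is now carrying the fully qualified domain.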

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgTCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail