[Samba] Kerberos authentication for multiple upstream domains

Nico Kadel-Garcia nkadel at gmail.com
Thu Aug 8 14:35:45 MDT 2013

I've got some Samba 4, and AD, servers running in the same networks.
Their domains and local VLANs are distinct, but clients can reach
either through the local switches. So far, so good.

The issue is that I've got systems using local accounts, with
Kerberos-based authentication, on RHEL 6 clients. There are a stack of reasons
not to use the LDAP account or tie the AD or Samba servers more
directly together, but I'd love for users to be able to authenticate
against one or the other Kerberos service, as needed, based on
whichever AD or Samba server they happen to have an account on.

Has anyone gotten Kerberos authentication working on Linux for an
arbitrary set of upstream Kerberos servers, including Samba domain
controllers or AD servers? I can pick an arbitrary single realm quite
easily with the "authconfig --krb5realm" command, but I'd like to
permit multiple Kerberos realms.
