[Openstack-operators] Keystone and Active Directory

Adam Young ayoung at redhat.com
Tue Jul 17 21:22:21 UTC 2012


For Kerberos, I would suggest the following:

1.  Run Keystone in Apache HTTP with mod_auth_kerberos.  It can fall 
back to userID/password.
2.  Modify the authentication mechanisms so that it checks REMOTE_USER 
the same way it currently checks USERID/password when providing a token.

Cross-realm trust is a nice-to-have, but I suspect that it is not up to 
Keystone to implement, but rather something that needs to be set up 
correctly Kerberos-wise.  Once Kerberos Auth works, cross-realm should 
work, too.
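
Added example, not part of the original message and not Keystone's code: a sketch of the two steps above as a WSGI token endpoint that trusts the REMOTE_USER set by the front-end web server and falls back to userID/password. The names `resolve_user`, `token_app`, `TRUSTED_REALM` and `PASSWORDS`, the JSON field names, and the realm handling are all assumptions made for illustration.

```python
import hmac
import json
import secrets

TRUSTED_REALM = "EXAMPLE.COM"      # assumption: realm the web server authenticates
PASSWORDS = {"alice": "s3cret"}    # constructed stand-in for the identity backend


def resolve_user(environ, creds):
    """Return the authenticated user name, or None if authentication fails."""
    # Only the server-set variable counts. A client-supplied "Remote-User"
    # header shows up as HTTP_REMOTE_USER and is never treated as proof.
    principal = environ.get("REMOTE_USER")
    if principal:
        user, _, realm = principal.partition("@")
        # Assumption: a bare name (realm stripped by the front end) or the
        # expected realm is accepted; any other realm is refused.
        return user if user and realm in ("", TRUSTED_REALM) else None
    # Fallback: userID/password, compared in constant time.
    user, password = creds.get("userid"), creds.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    expected = PASSWORDS.get(user)
    if expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()):
        return user
    return None


def token_app(environ, start_response):
    """Hypothetical WSGI token endpoint built on resolve_user()."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        creds = json.loads(environ["wsgi.input"].read(length) or b"{}")
    except (ValueError, KeyError):
        creds = {}
    user = resolve_user(environ, creds if isinstance(creds, dict) else {})
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "unauthorized"}']
    body = json.dumps({"user": user, "token": secrets.token_hex(16)}).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]
```

The application port should be reachable only through the authenticating web server, since anything that can set REMOTE_USER in the environment is treated as already authenticated.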