When a user attempts to gain access to a resource in another domain, the
Kerberos V5 protocol must determine whether the trusting domain, which is the
domain containing the resource to which the user is trying to gain access, has a
trust relationship with the trusted domain, which is the domain to which the
user is logging on. To determine this relationship, the Kerberos V5 security
protocol follows the trust path from the domain controller in the trusting
domain to the domain controller in the trusted domain.

When a user in the trusted domain attempts to gain access to a resource in
another domain, the user’s computer first contacts the domain controller in its
own domain to request authentication to the resource. If the resource is not in
the user’s domain, the domain controller uses the trust relationship with its
parent and refers the user’s computer to a domain controller in its parent
domain. This attempt to locate the resource continues up the trust hierarchy,
possibly to the forest root domain, and then down the trust hierarchy until the
user’s computer contacts a domain controller in the domain where the resource
is located. The path that is taken from domain to domain is the trust path. It
is the shortest path that follows the trust hierarchy.
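
The referral walk described above, as an added example that is not part of the original text: it models parent-child trusts as a child-to-parent map and returns, in order, the domains whose domain controllers are contacted. The forest layout and every domain name are constructed for illustration.

```python
# Constructed sample forest: child domain -> parent domain (None marks the forest root).
# All domain names are hypothetical.
FOREST = {
    "corp.example": None,
    "emea.corp.example": "corp.example",
    "sales.emea.corp.example": "emea.corp.example",
    "hr.emea.corp.example": "emea.corp.example",
    "apac.corp.example": "corp.example",
    "dev.apac.corp.example": "apac.corp.example",
}


def ancestors(domain, forest):
    """Return [domain, parent, ..., forest root], following parent trusts upward."""
    if domain not in forest:
        raise KeyError(f"unknown domain: {domain}")
    chain = []
    while domain is not None:
        if domain in chain:
            raise ValueError(f"trust cycle at {domain}")
        chain.append(domain)
        domain = forest[domain]
    return chain


def trust_path(user_domain, resource_domain, forest=FOREST):
    """Domains contacted, in order, from the user's domain to the resource's domain."""
    up = ancestors(user_domain, forest)
    down = ancestors(resource_domain, forest)
    down_index = {d: i for i, d in enumerate(down)}
    # Climb until reaching the first domain that is also an ancestor of the
    # resource domain; going no higher than that keeps the path the shortest one.
    for i, domain in enumerate(up):
        if domain in down_index:
            # up[:i + 1] is the climb; the reversed slice is the descent.
            return up[: i + 1] + down[: down_index[domain]][::-1]
    raise LookupError("no trust path: domains do not share a forest root")


if __name__ == "__main__":
    # Crosses the forest root: sales.emea -> emea -> corp -> apac -> dev.apac
    print(" -> ".join(trust_path("sales.emea.corp.example", "dev.apac.corp.example")))
    # Sibling domains turn around at their shared parent, not at the root.
    print(" -> ".join(trust_path("sales.emea.corp.example", "hr.emea.corp.example")))
```
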

The following shows the default forest trust and how the authentication process uses the trust path: