Kinit Won't Connect to a Domain Server : Realm not local to KDC while getting initial credentials
I am setting up a testbed environment where Linux (Ubuntu 10.04) clients will authenticate to a Windows Server 2008 R2 Domain Server.
I am following the official Ubuntu guide to set up a Kerberos client here: https://help.ubuntu.com/community/Samba/Kerberos, but I have encountered a problem when running the kinit command to connect to the domain server.
The command I am running is: kinit [email protected]. This command returns the following error:
Realm not local to KDC while getting initial credentials
Unfortunately, I cannot find anyone else via Google searches who has experienced this exact error, so I have no idea what it means.
The client is able to ping the server's hostname, so the DNS server is pointing to the domain server.
Below is my krb5.conf file:
[libdefaults]
    default_realm = DS.DOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    DS.DOMAIN.COM = {
        kdc = ds.domain.com:88
        admin_server = ds.domain.com
        default_domain = domain.com
    }
[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM
How can I correct these errors? I would greatly appreciate all help I can get!
Is your domain name DS.DOMAIN.COM or just DOMAIN.COM?
In your realms you need to have them match, so assuming that DS.DOMAIN.COM is your domain you need to change:
[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM
to
[domain_realm]
    .ds.domain.com = DS.DOMAIN.COM
    ds.domain.com = DS.DOMAIN.COM
However, if your domain is really DOMAIN.COM, you would need to change your krb5.conf to look like:
[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        # You can have more than one KDC; just keep adding more kdc = entries
        #kdc = dsN.domain.com:88
        # Uncomment if you have a krb admin server
        #admin_server = ds.domain.com:749
        default_domain = domain.com
    }
[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
And then you would kinit like so: kinit [email protected]
Peeking into the source code, it looks like that error is thrown when the negotiation process receives a referral to another domain and that domain is not 'local', or in your krb5.conf config.
    /*
     * If the backend returned a principal that is not in the local
     * realm, then we need to refer the client to that realm.
     */
    if (!is_local_principal(client.princ)) {
        /* Entry is a referral to another realm */
        status = "REFERRAL";
        errcode = KRB5KDC_ERR_WRONG_REALM;
        goto errout;
    }
What that could be, I couldn't tell you. That probably depends on your Active Directory environment, and whether or not there are multiple domains in the tree. You probably need more domain_realm aliases, but exactly what that is we can't tell from here.
I had the same message using the same krb5.conf as provided by Zypher:
[libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
[realms]
    MYDOMAIN.COM = {
        kdc = mydc.mydomain.com:88
        admin_server = mydc.mydomain.com:749
        default_domain = mydomain.com
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
(sorry it seems I can't get proper formatting :/ )
In my case, I needed to kinit to MYDOMAIN.LOCAL rather than MYDOMAIN.COM. Not sure if this is due to an authentication setting in AD in general or just for my AD domain. My domain has 2 DCs, one is W2k3 R2 and the other (the one specified as mydc.mydomain.com in krb5.conf) is W2k8 R2. But this is another possible cause for the "Realm not local to KDC while getting initial credentials" message
I had this very same problem and found the answer was so simple: after fixing my config I still had this. Thanks to logicalfuzz at linuxquestions.org.
kinit -V [email protected]
kinit: KDC reply did not match expectations while getting initial credentials
kinit -V [email protected]
Authenticated to Kerberos v5
The capitals make all the difference here. I know this is shown in examples but I wanted to stress it.
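The two things this thread keeps coming back to are a krb5.conf whose [libdefaults], [realms] and [domain_realm] sections disagree with each other (Zypher's answer) and a principal whose realm differs from the configured one only in case (the last answer). The script below is an added example written for this page; it is not code from the question or from any of the answerers. It parses a krb5.conf offline, cross-checks the sections, and reports how a kinit principal's realm relates to the file. The two configs embedded in it are constructed inputs: the question's file reproduced with its original slips, and the DOMAIN.COM variant from Zypher's answer. The "realm is the upper-cased DNS domain" checks are an Active Directory convention assumed here because the thread is about an AD domain; other KDCs may legitimately name realms differently. The script never contacts a KDC or DNS, so it can only say whether the file agrees with itself, not which realm the KDC actually serves.

```python
"""Offline consistency checks for a MIT krb5.conf (added example, not from the thread)."""
import re

# Constructed input: the krb5.conf from the question, reproduced with its slips.
BROKEN_CONF = """\
[libdefaults]
    default = DS.DOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc true
[realms]
    DS.DOMAIN.COM = {
        kdc = ds.domain.com:88
        admin_server = ds.domain.com
        default_domain = domain.com
    }
[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM
"""

# Constructed input: the DOMAIN.COM variant from Zypher's answer, using default_realm.
FIXED_CONF = """\
[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        #admin_server = ds.domain.com:749
        default_domain = domain.com
    }
[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_BLOCK_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_KEY_VALUE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Return (sections, problems). Flat directives become {key: [values]} (kdc may
    repeat); realm blocks inside [realms] become a nested dict keyed by realm name.
    problems lists every line that is not 'key = value' or a block delimiter."""
    sections, problems = {}, []
    section = block = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in krb5.conf
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            problems.append(f"line {lineno}: directive before any [section]: {raw.strip()!r}")
            continue
        if line == "}":
            block = None
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            block = m.group(1)
            sections[section].setdefault(block, {})
            continue
        m = _KEY_VALUE.match(line)
        if not m:
            problems.append(f"line {lineno}: expected 'key = value', got {raw.strip()!r}")
            continue
        target = sections[section][block] if block else sections[section]
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections, problems


def check_krb5_conf(text):
    """Cross-check [libdefaults], [realms] and [domain_realm]; return a list of findings.
    Checks comparing the realm to the upper-cased DNS domain assume an AD realm."""
    sections, findings = parse_krb5_conf(text)
    libdefaults = sections.get("libdefaults", {})
    realms = sections.get("realms", {})
    domain_realm = sections.get("domain_realm", {})

    if "default" in libdefaults:
        findings.append("[libdefaults] uses 'default'; the directive libkrb5 reads is 'default_realm'")
    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm; a principal typed without @REALM cannot be completed from this file")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] block")

    for name, body in realms.items():
        if name != name.upper():
            findings.append(f"realm {name!r} is not upper-case; realm names are case-sensitive and AD realms are upper-case")
        if "kdc" not in body:
            findings.append(f"realm {name} lists no kdc; it then depends entirely on dns_lookup_kdc and SRV records")
        for dom in body.get("default_domain", []):
            if dom.upper() != name:
                findings.append(f"realm {name}: default_domain {dom} does not upper-case to the realm name (an AD realm is the upper-cased DNS domain)")

    for dom, targets in domain_realm.items():
        for target in targets:
            if target not in realms:
                findings.append(f"[domain_realm] maps {dom} to {target}, which has no [realms] block")
            elif dom.lstrip(".").upper() != target:
                findings.append(f"[domain_realm] maps {dom} to {target}; for an AD domain the mapping is normally {dom} = {dom.lstrip('.').upper()}")
    return findings


def check_principal(text, principal):
    """Relate the realm part of a kinit principal to [realms]: user@domain.com and
    user@DOMAIN.COM are different realms to Kerberos (the last answer's point)."""
    realms = parse_krb5_conf(text)[0].get("realms", {})
    if "@" not in principal:
        return [f"{principal}: no @REALM given; libkrb5 will append default_realm"]
    name, realm = principal.rsplit("@", 1)
    if realm in realms:
        return []
    close = [r for r in realms if r.upper() == realm.upper()]
    if close:
        return [f"{principal}: realm {realm!r} differs only in case from {close[0]!r}; use {name}@{close[0]}"]
    return [f"{principal}: realm {realm!r} has no [realms] block; it only works if DNS can locate a KDC that actually serves that realm"]


if __name__ == "__main__":
    for label, conf in (("question", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for finding in check_krb5_conf(conf) or ["no findings"]:
            print("  -", finding)
    for p in ("user@domain.com", "user@DOMAIN.COM"):
        print(p, "->", check_principal(FIXED_CONF, p) or ["ok"])
```

Run against the question's file it reports the missing `=` on the dns_lookup_kdc line, the `default` directive, the DS.DOMAIN.COM realm whose default_domain and [domain_realm] entries both upper-case to DOMAIN.COM instead, and nothing at all for the corrected file; check_principal then flags user@domain.com as a case-only mismatch with DOMAIN.COM. A clean report is a necessary condition, not a sufficient one: as the referral answer shows, a self-consistent file can still name a realm the KDC does not serve.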