Kinit Won't Connect to a Domain Server : Realm not local to KDC while getting initial credentials

I am setting up a testbed environment where Linux (Ubuntu 10.04) clients will authenticate to a Windows Server 2008 R2 Domain Server.

I am following the official Ubuntu guide to set up a Kerberos client here: https://help.ubuntu.com/community/Samba/Kerberos, but I have encountered a problem when running the kinit command to connect to the domain server.

The command I am running is: kinit [email protected]. This command returns the following error:

Realm not local to KDC while getting initial credentials. Unfortunately, I cannot find anyone else via Google searches who has experienced this exact error, so I have no idea what it means.

The client is able to ping the server's hostname, so the DNS server is pointing to the domain server.

Below is my krb5.conf file:

[libdefaults]
default = DS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc true

[realms]
    DS.DOMAIN.COM = {
        kdc = ds.domain.com:88
        admin_server = ds.domain.com
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

How can I correct these errors? I would greatly appreciate all help I can get!


Is your domain name DS.DOMAIN.COM or just DOMAIN.COM?

In your realms you need to have them match, so assuming that DS.DOMAIN.COM is your domain you need to change:

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

to

[domain_realm]
    .ds.domain.com = DS.DOMAIN.COM
    ds.domain.com = DS.DOMAIN.COM

However, if your domain is really DOMAIN.COM you would need to change your krb5.conf to look like:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        #You can have more than one KDC, just keep adding more kdc =
        #entries
        #kdc = dsN.domain.com:88
        #Uncomment if you have a krb admin server
        #admin_server = ds.domain.com:749
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

And then you would kinit like so: kinit [email protected]


Peeking into the source code, it looks like that error is thrown when the negotiation process receives a referral to another domain and that domain is not 'local', or in your krb5.conf config.

    /*
     * If the backend returned a principal that is not in the local
     * realm, then we need to refer the client to that realm.
     */
    if (!is_local_principal(client.princ)) {
      /* Entry is a referral to another realm */
      status = "REFERRAL";
      errcode = KRB5KDC_ERR_WRONG_REALM;
      goto errout;
    }

What that could be, I couldn't tell you. That probably depends on your Active Directory environment, and whether or not there are multiple domains in the tree. You probably need more domain_realm aliases, but exactly what that is we can't tell from here.


I had the same message using the same krb5.conf as provided by Zypher:

[libdefaults]
   default = MYDOMAIN.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true

[realms]
MYDOMAIN.COM = {
   kdc = mydc.mydomain.com:88
   admin_server = mydc.mydomain.com:749
   default_domain = mydomain.com
}

[domain_realm]
   .mydomain.com = MYDOMAIN.COM
   mydomain.com = MYDOMAIN.COM

(sorry it seems I can't get proper formatting :/ )

In my case, I needed to kinit to MYDOMAIN.LOCAL rather than MYDOMAIN.COM. Not sure if this is due to an authentication setting in AD in general or just for my AD domain. My domain has 2 DCs, one is W2k3 R2 and the other (the one specified as mydc.mydomain.com in krb5.conf) is W2k8 R2. But this is another possible cause for the "Realm not local to KDC while getting initial credentials" message.


I had this very same problem and found the answer was so simple: after fixing my config I still had this. Thanks to logicalfuzz at linuxquestions.org.

kinit -V [email protected]
kinit: KDC reply did not match expectations while getting initial credentials

kinit -V [email protected]
Authenticated to Kerberos v5

The capitals make all the difference here. I know this is shown in examples but I wanted to stress it.
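
Added example, not part of any answer above: a small Python check for the two causes discussed in this thread, realm names that do not match between krb5.conf sections and a kinit principal whose realm is not upper case. The function names, the sample config and the principal `user@domain.com` are constructed for illustration, and the check assumes realms are listed statically in [realms] rather than discovered only through DNS.

```python
import re

# Constructed sample modelled on the configs in this thread (not a real realm).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = DS.DOMAIN.COM
    dns_lookup_kdc true
[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
    }
[domain_realm]
    .domain.com = DS.DOMAIN.COM
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}; value is None when '=' is missing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue  # blank line, comment line, or end of a realm block
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            key, sep, value = line.partition("=")
            current.append((key.strip(), value.strip() if sep else None))
    return sections

def lint(text, principal):
    """List realm mismatches between krb5.conf sections and the kinit principal."""
    s = parse_sections(text)
    realms = {k for k, v in s.get("realms", []) if v == "{"}
    findings = [f"missing '=': {k}" for sec in s.values() for k, v in sec if v is None]
    default = dict(s.get("libdefaults", [])).get("default_realm")
    if default not in realms:
        findings.append(f"default_realm {default} not in [realms]")
    for host, realm in s.get("domain_realm", []):
        if realm not in realms:
            findings.append(f"domain_realm {host} -> {realm} not in [realms]")
    p_realm = principal.rpartition("@")[2]
    if p_realm != p_realm.upper():  # realm names are case sensitive
        findings.append(f"principal realm {p_realm} is not upper case")
    elif p_realm not in realms:
        findings.append(f"principal realm {p_realm} not in [realms]")
    return findings
```

Calling `lint(SAMPLE_CONF, "user@domain.com")` reports every mismatch in one pass; an empty list means the realm names agree across all sections and with the principal.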