When integrating Linux clients with a Windows Server 2008 R2 domain, the kinit command often becomes the first stumbling block. The error message "Realm not local to KDC while getting initial credentials" typically indicates a mismatch between the configured realm and what the KDC expects.
The /etc/krb5.conf file is crucial for proper Kerberos authentication. Let's examine a working configuration:
[libdefaults]
default_realm = DS.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DS.DOMAIN.COM = {
kdc = dc1.ds.domain.com:88
kdc = dc2.ds.domain.com:88
admin_server = dc1.ds.domain.com
default_domain = ds.domain.com
}
[domain_realm]
.ds.domain.com = DS.DOMAIN.COM
ds.domain.com = DS.DOMAIN.COM
Case Sensitivity Matters: Kerberos realms are typically uppercase (DS.DOMAIN.COM) while DNS names are lowercase (ds.domain.com). Ensure your configuration reflects this.
DNS Configuration Check: Verify your DNS settings with:
nslookup ds.domain.com
dig -t SRV _kerberos._tcp.ds.domain.com
dig -t SRV _ldap._tcp.ds.domain.com
If basic configuration doesn't resolve the issue, try these diagnostic commands:
# Check Kerberos ticket granting
kvno Administrator@DS.DOMAIN.COM
# Verbose kinit attempt
KRB5_TRACE=/dev/stdout kinit Administrator@DS.DOMAIN.COM
# Verify time synchronization (critical for Kerberos)
ntpdate -u dc1.ds.domain.com
On your Windows Server 2008 R2 domain controller:
- Ensure the SPN (Service Principal Name) is properly registered
- Verify cross-realm trust settings if applicable
- Check event logs for Kerberos-related errors
Before attempting kinit again, validate your configuration with:
klist
kdestroy -A
kinit -V Administrator@DS.DOMAIN.COM
Remember that changes to krb5.conf don't require a service restart, but DNS caching might require flushing.
When integrating Ubuntu clients with a Windows Server 2008 R2 domain controller, the Kerberos authentication process must be properly configured. The specific error "Realm not local to KDC while getting initial credentials" typically indicates a mismatch between the configured realms and the actual KDC (Key Distribution Center) setup.
Your current configuration shows several potential issues that need addressing:
[libdefaults]
# Fixed parameter name (krb5.conf comments must be on their own line; text after '#' on a value line becomes part of the value)
default_realm = DS.DOMAIN.COM
dns_lookup_realm = true
# Added missing equals sign
dns_lookup_kdc = true
[realms]
DS.DOMAIN.COM = {
kdc = ds.domain.com:88
admin_server = ds.domain.com
default_domain = domain.com
}
[domain_realm]
.domain.com = DS.DOMAIN.COM
domain.com = DS.DOMAIN.COM
Here are the critical corrections needed:
- The parameter should be default_realm, not just default
- Missing equals sign in dns_lookup_kdc = true
- Ensure the realm name matches exactly (case-sensitive) between configuration and Active Directory
After making these changes, perform the following checks:
# Verify DNS resolution
host ds.domain.com
# Check Kerberos configuration
klist -e
# Test authentication (interactive mode)
kinit Administrator@DS.DOMAIN.COM
If the issue persists:
- Verify time synchronization between client and domain controller
- Check firewall settings for UDP port 88 (Kerberos)
- Examine the Windows event logs on the domain controller
- Test with FQDN instead of short hostname
Here's a verified configuration that works with Windows Server 2008 R2:
[libdefaults]
default_realm = DS.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DS.DOMAIN.COM = {
kdc = dc1.ds.domain.com:88
kdc = dc2.ds.domain.com:88
admin_server = dc1.ds.domain.com:749
default_domain = domain.com
}
[domain_realm]
.domain.com = DS.DOMAIN.COM
domain.com = DS.DOMAIN.COM
.ds.domain.com = DS.DOMAIN.COM
ds.domain.com = DS.DOMAIN.COM
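As an added check that is not part of either answer above: a small Python lint that parses a krb5.conf in the simplified MIT profile syntax shown on this page and flags the mistakes the answers call out (a key spelled default instead of default_realm, a missing '=', a lowercase realm, a trailing '#' comment on a value line, and [domain_realm] entries that point at a realm with no [realms] block). The BROKEN sample is constructed for the demonstration.

```python
import re
SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^([\w.\-]+)\s*=\s*(.*)$")   # keys may be DNS names

def parse_krb5(text):
    """Minimal MIT profile parser -> ({section: {key: value}}, [syntax errors])."""
    conf, errors, section, realm = {}, [], "_top", None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":      # comments are whole lines only
            continue
        cur = conf.setdefault(section, {})
        if m := SECTION_RE.match(line):
            section, realm = m.group(1), None
        elif line == "}":
            realm = None
        elif line.endswith("{"):             # e.g. "DS.DOMAIN.COM = {"
            realm = line[:-1].rstrip(" =")
            cur[realm] = {}
        elif m := KV_RE.match(line):
            key, val = m.groups()
            if realm:                        # inside a realm block; kdc may repeat
                cur[realm].setdefault(key, []).append(val)
            else:
                cur[key] = val
        else:
            errors.append(f"unparseable line (missing '='?): {line!r}")
    return conf, errors

def lint_krb5(text):
    """Return problems that typically produce 'Realm not local to KDC'."""
    conf, problems = parse_krb5(text)
    libdef, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = libdef.get("default_realm")
    if realm is None:                        # e.g. the key was spelled "default"
        problems.append("libdefaults: default_realm is not set")
    elif "#" in realm:                       # krb5.conf has no trailing comments
        problems.append(f"default_realm {realm!r} swallowed a trailing comment")
    elif realm != realm.upper():
        problems.append(f"default_realm {realm!r} should be uppercase")
    elif realm not in realms:
        problems.append(f"default_realm {realm!r} has no [realms] block")
    for dom, target in conf.get("domain_realm", {}).items():
        if target not in realms:
            problems.append(f"domain_realm: {dom} -> {target} is not a defined realm")
    return problems

# Constructed sample reproducing the mistakes called out above (not a real site).
BROKEN = ("[libdefaults]\ndefault = DS.DOMAIN.COM\ndns_lookup_kdc true\n[realms]\n"
          "ds.domain.com = {\nkdc = ds.domain.com:88\n}\n[domain_realm]\n.domain.com = DS.DOMAIN.COM\n")
if __name__ == "__main__":
    print(*lint_krb5(BROKEN), sep="\n")
```

Running it against the verified configuration above returns an empty list; against BROKEN it reports the missing '=', the missing default_realm and the unmapped realm.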