15

I am setting up a testbed environment where Linux (Ubuntu 10.04) clients will authenticate to a Windows Server 2008 R2 Domain Server.

I am following the official Ubuntu guide to set up a Kerberos client here: https://help.ubuntu.com/community/Samba/Kerberos, but I have encountered a problem when running the kinit command to connect to the domain server.

The command I am running is: kinit Administrator@DS.DOMAIN.COM. This command returns the following error:

Realm not local to KDC while getting initial credentials. Unfortunately, I cannot find any one else via Google searches that have experienced this exact error, so I have no idea what it means.

The client is able to ping the server's hostname, so the DNS server is pointing to the domain server.

Below is my krb5.conf file:

[libdefaults]
default_realm = DS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DS.DOMAIN.COM = {
        kdc = ds.domain.com:88
        admin_server = ds.domain.com
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

How can I correct these errors? I would greatly appreciate all help I can get!

Phanto

9 Answers

13

Is your domain name DS.DOMAIN.COM or just DOMAIN.COM ?

In your realms you need to have them match, so assuming that DS.DOMAIN.COM is your domain you need to change:

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

to

[domain_realm]
    .ds.domain.com = DS.DOMAIN.COM
    ds.domain.com = DS.DOMAIN.COM

However, if you domain is really DOMAIN.COM you would need to change your krb5.conf to look like:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        #You can have more than one KDC, just keep adding more kdc =
        #entries
        #kdc = dsN.domain.com:88
        #Uncomment if you have a krb admin server
        #admin_server = ds.domain.com:749
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

And then you would kinit like so: kinit Administrator@DOMAIN.COM

lilalinux
Zypher
  • *headdesk* There it was, staring at me like an obvious thing. Of COURSE ad.domain.com = AD.DOMAIN.COM should be in there. Gaah. – sysadmin1138 Aug 03 '10 at 19:57
  • @sysadmin: No worries ... i just happen to actively be building an AD integrated SMB server and have been staring at my krb5.conf trying to figure out an issue that ended up being a bug in Samba 3.0. :-D – Zypher Aug 03 '10 at 20:00
  • I will need to try this. However, the domain name: DS.DOMAIN.COM is my `Windows Server's Hostname` + `DOMAIN.COM` – Phanto Aug 03 '10 at 20:00
  • @Phanto then you need to use my lower suggestion. you are specifying a host name as a domain which is what is giving you your errors. the kdc and/or admin server is where you would put the host name. – Zypher Aug 03 '10 at 20:03
3

Peeking into the source code, it looks like that error is thrown when the negotiation process receives a referral to another domain and that domain is not 'local', i.e. not in your krb5.conf config.

    /*
     * If the backend returned a principal that is not in the local
     * realm, then we need to refer the client to that realm.
     */
    if (!is_local_principal(client.princ)) {
      /* Entry is a referral to another realm */
      status = "REFERRAL";
      errcode = KRB5KDC_ERR_WRONG_REALM;
      goto errout;
    }

What that could be, I couldn't tell you. That probably depends on your Active Directory environment, and whether or not there are multiple domains in the tree. You probably need more domain_realm aliases, but exactly what that is we can't tell from here.

sysadmin1138
2

I had the same message using the same krb5.conf as provided by Zypher:

[libdefaults]
   default_realm = MYDOMAIN.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true

[realms]
MYDOMAIN.COM = {
   kdc = mydc.mydomain.com:88
   admin_server = mydc.mydomain.com:749
   default_domain = mydomain.com
}

[domain_realm]
   .mydomain.com = MYDOMAIN.COM
   mydomain.com = MYDOMAIN.COM

(sorry it seems I can't get proper formatting :/ )

In my case, I needed to kinit to MYDOMAIN.LOCAL rather than MYDOMAIN.COM. Not sure if this is due to an authentication setting in AD in general or just for my AD domain. My domain has 2 DCs, one is W2k3 R2 and the other (the one specified as mydc.mydomain.com in krb5.conf) is W2k8 R2. But this is another possible cause for the "Realm not local to KDC while getting initial credentials" message

zsispeo
2

I had this very same problem and found the answer was so simple; even after fixing my config I still had this. Thanks to logicalfuzz at linuxquestions.org.

kinit -V myname@domain.net
kinit: KDC reply did not match expectations while getting initial credentials

kinit -V myname@DOMAIN.NET
Authenticated to Kerberos v5

The capitals make all the difference here. I know this is shown in examples but I wanted to stress it.

techraf
user375207
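The two mistakes this thread turns on, a realm name that is really the KDC's hostname (Zypher's answer) and a principal whose realm differs from the configured one only in letter case (techraf's answer), are both visible in the config before kinit is ever run. The following Python linter is an added example, not code from the thread or from MIT Kerberos: it parses a krb5.conf in the layout used above and flags those two problems plus a few related ones (no default_realm, lower-case realm names, domain_realm entries that point at an undefined realm). The two sample configs are constructed from the question and from Zypher's second suggestion; the function names and the heuristics are mine, and they approximate what a reviewer would check, not what kinit itself does.

```python
import re

# Constructed sample: the asker's config, where DS.DOMAIN.COM is the
# domain controller's hostname (ds.domain.com), not the AD realm.
BROKEN_CONF = """\
[libdefaults]
default_realm = DS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DS.DOMAIN.COM = {
        kdc = ds.domain.com:88
        admin_server = ds.domain.com
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM
"""

# Constructed sample following Zypher's second suggestion: realm is the
# AD domain, and the DC hostname appears only as kdc/admin_server.
FIXED_CONF = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        admin_server = ds.domain.com:749   # kdc = may be repeated for more DCs
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the subset of krb5.conf used in this thread.

    Returns {section: {key: value}} for flat sections and
    {section: {realm: {key: [values]}}} for the braced [realms] blocks,
    where list values keep repeated keys such as several 'kdc =' lines.
    '#' and ';' comments and blank lines are skipped.
    """
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r'\[(\w+)\]', line)
        if header:
            current = sections.setdefault(header.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError(f'key outside of any section: {line!r}')
        if line == '}':
            block = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            block = current.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            current[key] = value
    return sections


def lint_krb5_conf(conf):
    """Return human-readable findings for the mistakes seen in this thread."""
    findings = []
    libdefaults = conf.get('libdefaults', {})
    realms = conf.get('realms', {})
    domain_realm = conf.get('domain_realm', {})

    default_realm = libdefaults.get('default_realm')
    if default_realm is None:
        findings.append("libdefaults: no default_realm (the key is 'default_realm', not 'default')")
    elif default_realm not in realms:
        findings.append(f'libdefaults: default_realm {default_realm} has no [realms] entry')

    for realm, settings in realms.items():
        if realm != realm.upper():
            findings.append(f'realms: {realm} is not upper-case; realm names are case-sensitive')
        # The asker's mistake: the realm name is really the KDC's hostname.
        for kdc in settings.get('kdc', []):
            if kdc.split(':', 1)[0].lower() == realm.lower():
                findings.append(f'realms: {realm} looks like the hostname of its own KDC ({kdc}); '
                                'the realm should be the AD domain, the host belongs in kdc =')
        if realm not in domain_realm.values():
            findings.append(f'domain_realm: nothing maps to {realm}')

    for domain, realm in domain_realm.items():
        if realm not in realms:
            findings.append(f'domain_realm: {domain} maps to {realm}, which has no [realms] entry')
    return findings


def check_principal_realm(principal, conf):
    """techraf's point: the realm part of a principal must match exactly, case included."""
    if '@' not in principal:
        return 'no realm given; kinit will use default_realm'
    name, realm = principal.rsplit('@', 1)
    realms = conf.get('realms', {})
    if realm in realms:
        return 'ok'
    for known in realms:
        if known.lower() == realm.lower():
            return f'realm {realm} differs only in case from configured realm {known}; use {name}@{known}'
    return f'realm {realm} is not configured in [realms]'


if __name__ == '__main__':
    for label, text in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(label, lint_krb5_conf(parse_krb5_conf(text)) or ['no findings'])
    print(check_principal_realm('Administrator@domain.com', parse_krb5_conf(FIXED_CONF)))
```

Run it against your own file with `lint_krb5_conf(parse_krb5_conf(open('/etc/krb5.conf').read()))`; the hostname-as-realm check is a heuristic and will also fire if you genuinely named a realm after a host, which is exactly the situation Zypher's comment says to avoid.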
0

The configurations from this article worked for me.

Contents of rightly configured krb5.conf file with realm name, as an example:

[root@HOST]# cat $INFA_HOME/services/shared/security/krb5.conf
[libdefaults]
#specifies the default realm that needs to be picked up for authentication
default_realm = INFA.COM
dns_lookup_realm = true
dns_lookup_kdc = true

#this is a mandatory flag as we need to obtain forwardable tickets from the KDC
forward = true
forwardable = true

[realms]
#Realm configuration with different possible way to be resolved
INFA.COM = {
admin_server = WINDOWSHOST.INFA.COM
kdc = WINDOWSHOST.INFA.COM
}

[domain_realm]
infa.com = INFA.COM
.infa.com = INFA.COM
Andrew Schulman
0

I got this error while trying to connect that machine from one domain to a different domain. Editing /etc/krb5.conf also didn't work. Then I tried the following command to reconfigure things for the different domain:

# sudo dpkg-reconfigure -plow krb5-config

with the desired options and settings, which stopped the above error in the kinit command. Resolved.

0

I'll add this just because I just ended up here for the same error but found another fix for yet another problem ... make sure that the domain is in ALL CAPS: my.user@DOMAIN.LOCAL and not my.user@domain.local... I just lost 2 hours of my life because of this one...

0

I know this is an old question, but I do want to add for future troubleshooters that my resolution to this issue was a combination of all of the suggested answers, as well as adding my primary domain controller to my /etc/hosts.

Norr
-1
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
ticket_lifetime = 24h
#default_keytab_name = /etc/squid3/PROXY.keytab

; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
admin_server = dc.domain.local
default_domain = domain.local
kpasswd_server = dc.domain.local
}

[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
DOMAIN.LOCAL = DOMAIN.LOCAL

keep a register

Alex Real