3

I've been trying to configure kinit to authenticate against a Windows Active Directory PDC, but I keep getting the result:

kinit: Realm not local to KDC while getting initial credentials

My krb5.conf has:

[libdefaults]
  clockskew = 300
  default_realm = XXX.COM

[realms]
XXX.COM = {
  kdc = pdc01.aaa.bbb.xxx.com
  default_domain = XXX.COM
  kpasswd_server = pdc01.aaa.bbb.xxx.com
}

[domain_realm]
  server01.www.yyy.xxx.com = XXX.COM
  .yyy.xxx.com = XXX.COM
  .xxx.com = XXX.COM
  xxx.com = XXX.COM

server01.www.yyy.xxx.com is a Red Hat server I am running kinit from.

I have no control of the PDC, but I have admin access on the Red Hat server.

I am really unsure as to whether this is a workable setup, and my understanding of Kerberos is limited. I'd appreciate any guidance.

user55570

2 Answers

3

Unless your Active Directory is set up in an uncommon configuration, the Kerberos realm you're using looks wrong. If the DC's FQDN is pdc01.aaa.bbb.xxx.com, the Kerberos realm will almost always be AAA.BBB.XXX.COM (not just XXX.COM).

Depending on your version of RHEL, you might also look into the realmd package to make setting up AD integration easier.

Ryan Bolger
0

I found a simple solution that worked for me. This is just to change the realm to AAA.BBB.XXX.COM in krb5.conf.

That actually worked and I don't get the KDC not local to realm error.

user55570
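
The rule of thumb from the first answer, written as a check over krb5.conf. This is an added example, not part of either answer. The function names are hypothetical, and the embedded sample is the question's config with [domain_realm] left out.

```python
# Added example: flag krb5.conf realms that differ from their KDC's DNS domain.
# Heuristic only (typical AD: realm == DC's DNS domain in upper case).
# Constructed sample, copied from the question's krb5.conf ([domain_realm] omitted).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  clockskew = 300
  default_realm = XXX.COM

[realms]
XXX.COM = {
  kdc = pdc01.aaa.bbb.xxx.com
  default_domain = XXX.COM
  kpasswd_server = pdc01.aaa.bbb.xxx.com
}
"""

def parse_kdcs(text):
    """Return {realm: [kdc hostnames]} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comment lines
            continue
        if line.startswith("["):             # section header such as [realms]
            section, realm = line.strip("[]").lower(), None
        elif section == "realms":
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                 # "REALM = {" opens a realm stanza
                realm = key
                realms[realm] = []
            elif line == "}":
                realm = None
            elif realm and key == "kdc":     # drop an optional :port suffix
                realms[realm].append(value.split(":")[0].lower())
    return realms

def realm_mismatches(text):
    """Return (realm, kdc, expected_realm) for each KDC whose domain differs."""
    out = []
    for realm, kdcs in parse_kdcs(text).items():
        for kdc in kdcs:
            expected = kdc.partition(".")[2].upper()   # FQDN minus host label
            if expected and expected != realm:
                out.append((realm, kdc, expected))
    return out

if __name__ == "__main__":
    for realm, kdc, expected in realm_mismatches(SAMPLE_KRB5_CONF):
        print(f"realm {realm}: KDC {kdc} suggests realm {expected}")
```

A reported mismatch is a prompt to confirm the realm name with the AD administrators, since an uncommon configuration can legitimately differ from the DC's DNS domain.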