kinit: Cannot contact any KDC for requested realm while getting initial credentials

Jeremy Thomas Hunt jeremyh at
Wed Mar 29 17:32:55 EST 2006

Celia Clark wrote:
> [safeTgram (optim1) receive status: NOT encrypted, NOT signed.]
> Hi,
> I am having problems with using kinit, with keytab and username/password.
> When issuing the kinit command I get the following error:
> kinit: Cannot contact any KDC for requested realm while getting initial
> credentials
> There is a firewall between the webservers where I issue the command from
> and the domain controller.
> The webservers are able to connect to the domain controller on port 88 over
> UDP.
> The webservers are able to resolve themselves and the domain controller,
> both forward and reverse lookup.
> Do any of you guys out there have an idea of what is going wrong?
> Many thanks,
> Celia
You do not say if this is a new or updated webserver, or one that has 
just stopped working. I assume the former.

Do the webservers work without the firewall? Can you test this by moving 
the webserver the other side of the firewall (where it is not exposed to 
the outside world)?

If so, when it is back in place do you have access to the logs of 
dropped packet? Generally a firewall administrator can monitor dropped 
packets while you do a kinit command.

If not, it is probably a configuration file issue. I suggest you check 
that your default realm is defined in the libdefaults section of your 
krb5.conf and that there is a matching realm section with a kdc defined, 
or that the kdc name as it appears in the krb5.conf  is resolvable from 
your DNS on the webserver. Otherwise, if you have a previously working 
webserver, check that all it's configuration files match those of  this 
new one.

I hope that helps,


More information about the Kerberos mailing list