krb5 vs Windows trust relationships in AD

Garth T Kidd garthk at
Tue Nov 15 23:21:05 EST 2005

Interesting: if I change [libdefaults] default_realm = DOMAIN.COM,
then kinit -V user or kinit -V user at DOMAIN.COM causes Kerberos 5
traffic to the KDC. My new error message is:

    kinit(v5): KDC reply did not match expectations while getting
initial credentials

... which I suspect is due to the lack of a machine account.

Now, how do I fire this via the trusting domain?

On 16/11/05, Garth T Kidd <garthk at> wrote:
> G'day, everyone.
> I have a Fedora Core Linux box running kernel 2.6.11-1.1369_FC4smp,
> and I'm having trouble authenticating against my Windows domain.
>     kinit -V user at DOMAIN.COM
> yields:
>     kinit(v5): Cannot find KDC for requested realm while getting
> initial credentials
> ... which I've Googled a lot without much success. There are a lot of
> people asking questions, but not too many answers out there. Some
> bloke on the #samba channel suggested I try this list instead.
> When I run kinit I can see my box look up the SRV records for
> _kerberos._udp.DOMAIN.COM and _kerberos._tcp.DOMAIN.COM, but then it
> bombs. No other traffic heads out, in particular none to the hosts
> nominated under kdc and admin_server in the realm's entry in the
> [realms] section of /etc/krb5.conf.
> Setting dns_lookup_realm = false and dns_lookup_kdc = false doesn't
> seem to help.
> Any ideas?
> Where trust comes in: I can successfully authenticate against
> OTHERDOMAIN.AU which trusts DOMAIN.COM, but haven't been able to
> configure krb5 to authenticate DOMAIN.COM via OTHERDOMAIN.AU. If I
> could do so, that'd save me having to get a machine account in
> Regards,
> Garth.

More information about the krbdev mailing list