Kerberos Authentication errors: Cannot find KDC for realm while getting initial credentials | kinit: configuration file does not specify default realm

Here are some errors I ran into while trying to set up Ansible for the second time in my test laboratory.

Solution: These two errors depend on several factors.

- My domain setup was not resolving correctly. When this is done, ensure that you include the realm with the principal you are logging in as.
- And remember to also set the default realm in the krb5.conf file.

Concept: Authentication services rely on DNS (Domain Name System) to locate the Key Distribution Center (KDC), which in AD is a domain controller, so if DNS is not properly configured for your domain, authentication will fail. To test name resolution for your domain controller, use the nslookup command.

– Ensure the Ansible server is pointing to the DNS server address, or else this will not work correctly.

Create an A record to ensure the domain name is resolvable via DNS.

nslookup techdirectarchive.local

Note: The Ansible server must be able to locate the domain controllers. As an alternative to DNS, name resolution can be provided manually by adding an entry to the /etc/hosts file for each domain controller, e.g. techdirectarchive.local

Next, after the krb5 configuration file has been updated correctly, you should be able to authenticate successfully and get a valid token. The following steps show how to authenticate and get a token:
– You may get the error “kinit: configuration file does not specify default realm” if you run the “kinit” command on its own. Use the command below instead:

kinit username@TECHDIRECT.LOCAL

As you can see above, the kinit command did not work correctly initially.

default_realm: Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.

Other possible tips to note:
– Ensure that “krb5.conf” is correctly configured.
– The kinit command fails for user authentication because Kerberos is case sensitive. Here is the right syntax: “kinit username@TECHDIRECT.LOCAL”. Ensure the domain name is in all caps, or else you will get an error.
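
An added example (not part of the original post): a shell pre-flight check that reads a krb5.conf and a principal and reports which of the conditions described above applies. The function names are hypothetical, and the host dc01 and both sample files are constructed for illustration.

```shell
# Added example. Function names, dc01 and the sample files are constructed.
# Assumes the common "key = value" layout (spaces around "=") in krb5.conf.

# Print default_realm from the [libdefaults] section of krb5.conf file $1.
krb5_default_realm() {
    awk '$1 ~ /^\[/ { in_lib = ($1 == "[libdefaults]"); next }
         in_lib && $1 == "default_realm" && $2 == "=" { print $3; exit }' "$1"
}

# Succeed if realm $2 has a kdc entry in the [realms] section of file $1.
krb5_realm_has_kdc() {
    awk -v realm="$2" '
        $1 ~ /^\[/ { in_realms = ($1 == "[realms]"); in_block = 0; next }
        in_realms && $1 == realm && $2 == "=" { in_block = 1; next }
        in_block && $1 == "}" { in_block = 0 }
        in_block && $1 == "kdc" && $2 == "=" { found = 1 }
        END { exit !found }' "$1"
}

# Print one finding for "kinit $2" against krb5.conf $1; non-zero means kinit will fail.
check_kinit() {
    conf=$1; principal=$2
    case $principal in
        *@*) realm=${principal#*@} ;;
        *)   realm=$(krb5_default_realm "$conf")
             # No realm on the principal and none in the file: the second error.
             [ -n "$realm" ] || { echo "no-default-realm"; return 1; } ;;
    esac
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "realm-not-uppercase"; return 1; }
    # No kdc entry: the KDC must be found through DNS, so name resolution matters.
    krb5_realm_has_kdc "$conf" "$realm" || { echo "kdc-lookup-depends-on-dns"; return 0; }
    echo "ok"
}

# Constructed sample files: one with no default_realm, one fully specified.
SAMPLE_DIR=$(mktemp -d)
printf '[libdefaults]\n    dns_lookup_kdc = true\n' > "$SAMPLE_DIR/bare.conf"
cat > "$SAMPLE_DIR/full.conf" <<'EOF'
[libdefaults]
    default_realm = TECHDIRECT.LOCAL
[realms]
    TECHDIRECT.LOCAL = {
        kdc = dc01.techdirectarchive.local
    }
EOF

check_kinit "$SAMPLE_DIR/bare.conf" username || true
check_kinit "$SAMPLE_DIR/full.conf" username
```

Point the first argument at /etc/krb5.conf to run the same check against a real client configuration.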
