Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

A.2. Investigating kinit Authentication Failures

General Troubleshooting

  1. On the IdM client, display the debug messages from the kinit process: 
    $ KRB5_TRACE=/dev/stdout kinit admin
    Copy to Clipboard Toggle word wrap
  2. Verify that:
    • The client forward record is correct both on the server and on the affected client: 
      # host client_fully_qualified_domain_name
      Copy to Clipboard Toggle word wrap
    • The server forward record is correct both on the server and on the affected client: 
      # host server_fully_qualified_domain_name
      Copy to Clipboard Toggle word wrap 
      # host server_IP_address
      Copy to Clipboard Toggle word wrap
      The host server_IP_address command must return a fully qualified host name with a trailing dot at the end, such as: 
      server.example.com.
      Copy to Clipboard Toggle word wrap
  3. Review the /etc/hosts file on the client, and make sure that:
    • All server entries in the file are correct
    • In all server entries, the first name is a fully qualified domain name
    See also the section called “The /etc/hosts File”.
  4. Make sure you meet the other conditions in Section 2.1.5, “Host Name and DNS Configuration”.
  5. On the IdM server, make sure that the krb5kdc and dirsrv services are running: 
    # systemctl status krb5kdc
# systemctl status dirsrv.target
    Copy to Clipboard Toggle word wrap
  6. Review the Kerberos key distribution center (KDC) log: /var/log/krb5kdc.log.
  7. If the KDCs are hard-coded in the /etc/krb5.conf file (the file explicitly sets KDC directives and uses the dns_lookup_kdc = false setting), use the ipactl status command on each master server. Check the status of the IdM services on each server listed as KDC by the command: 
    # ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
    Copy to Clipboard Toggle word wrap

Troubleshooting Errors Cannot find KDC for realm

If kinit authentication fails with an error that says Cannot find KDC for realm "EXAMPLE.COM" while getting initial credentials, it indicates that KDC is not running on the server or that the client has misconfigured DNS. In this situation, try these steps:
  1. If the DNS discovery is enabled in the /etc/krb5.conf file (the dns_lookup_kdc = true setting), use the dig utility to check whether the following records are resolvable: 
    $ dig -t TXT _kerberos.ipa.example.com
$ dig -t SRV _kerberos._udp.ipa.example.com
$ dig -t SRV _kerberos._tcp.ipa.example.com
    Copy to Clipboard Toggle word wrap
    In the following example, one of the dig commands above failed with this output: 
    ; <<>> DiG 9.11.0-P2-RedHat-9.11.0-6.P2.fc25 <<>> -t SRV _kerberos._tcp.ipa.server.example
;; global options: +cmd
;; connection timed out; no servers could be reached
    Copy to Clipboard Toggle word wrap
    The output indicated that the named service was not running on the master server.
  2. If DNS lookup fails, continue with the steps in Section A.6, “Troubleshooting DNS”.

Related Information

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat