Kinit Won't Connect to a Domain Server : Realm not local to KDC while getting initial credentials

Is your domain name DS.DOMAIN.COM or just DOMAIN.COM ?

In your realms you need to have them match, so assuming that DS.DOMAIN.COM is your domain you need to change:

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

to

[domain_realm]
    .ds.domain.com = DS.DOMAIN.COM
    ds.domain.com = DS.DOMAIN.COM

However, if you domain is really DOMAIN.COM you would need to change your krb5.conf to look like:

[libdefaults]
default = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        #You can have more than one kds, just keep adding more kdc =
        #entries
        #kdc = dsN.domain.com:88
        #Uncomment if you have a krb admin server
        #admin_server = ds.domain.com:749
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

And then you would kinit like so: kinit [email protected]

Peaking into the source code, it looks like that error is thrown when the negotiation process receives a referral to another domain and that domain is not 'local', or in your krb5.conf config.

00219     /*
00220      * If the backend returned a principal that is not in the local
00221      * realm, then we need to refer the client to that realm.
00222      */
00223     if (!is_local_principal(client.princ)) {
00224       /* Entry is a referral to another realm */
00225       status = "REFERRAL";
00226       errcode = KRB5KDC_ERR_WRONG_REALM;
00227       goto errout;
00228     }

What that could be, I couldn't tell you. That probably depends on your Active Directory environment, and whether or not there are multiple domains in the tree. You probably need more domain_realm aliases, but exactly what that is we can't tell from here.

I had the same message using the same krb5.conf as provided by Zypher:

[libdefaults]
   default = MYDOMAIN.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true

[realms]
MYDOMAIN.COM = {
   kdc = mydc.mydomain.com:88
   admin_server = mydc.mydomain.com:749
   default_domain = mydomain.com
}

[domain_realm]
   .mydomain.com = MYDOMAIN.COM
   mydomain.com = MYDOMAIN.COM

(sorry it seems I can't get proper formatting :/ )

In my case, I needed to kinit to MYDOMAIN.LOCAL rather than MYDOMAIN.COM. Not sure if this is due to an authentication setting in AD in general or just for my AD domain. My domain has 2 DCs, one is W2k3 R2 and the other (the one specified as mydc.mydomain.com in krb5.conf) is W2k8 R2. But this is another possible cause for the "Realm not local to KDC while getting initial credentials" message

I had this very same and found the answer was so simple after fixing my config I still had this. Thanks to logicalfuzz at linuxqustions.org.

kinit -V [email protected]
kinit: KDC reply did not match expectations while getting initial credentials

kinit -V [email protected]
Authenticated to Kerberos v5

The capitals make all the difference here. I know this is shown in examples but I wanted to stress it.

I got this error while trying with connecting that machine from one domain to different domain. Editing /etc/krb5.conf also didn't work. Then I tried the following command to reconfigure stuffs for different domain

# sudo dpkg-reconfigure -plow krb5-config

with desired options and settings which stopped giving the above error in kinit command. Resolved.

ill add this just because i just ended here for the same error but found another fix for yet another problem ... make sure that the domain is in ALL CAPS : [email protected] and not [email protected]... i just lost 2 hours of my life because of this one...

I know this is an old question, but I do want to add for future troubleshooters that my resolution to this issue was a combination of all of the suggested answers, as well as adding my primary domain controller to my /etc/hosts

The configurations from this article worked for me.

Contents of rightly configured krb5.conf file with realm name, as an example:

[root@HOST]# cat $INFA_HOME/services/shared/security/krb5.conf
[libdefaults]
#specifies the default realm that needs to be picked up for authentication
default_realm = INFA.COM
dns_lookup_realm = true
dns_lookup_kdc = true

#this is a mandatory flag as we need to obtain forwardable tickets from the KDC
forward = true
forwardable = true

[realms]
#Realm configuration with different possible way to be resolved
INFA.COM = {
admin_server = WINDOWSHOST.INFA.COM
kdc = ​WINDOWSHOST.INFA.COM
}

[domain_realm]
infa.com = INFA.COM
.infa.com = INFA.COM​

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
ticket_lifetime = 24h
#default_keytab_name = /etc/squid3/PROXY.keytab

; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
DOMAIN.LOCAL = {
kdc = dc.domain.local
admin_server = dc.domain.local
default_domain = domain.local
kpasswd_server = dc.domain.local
}

[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
DOMAIN.LOCAL = DOMAIN.LOCAL

keep a register