I have an environment with two AD domains (in one forest) and a kerberos realm, recently upgraded to a recent heimdal. As part of that migration, the trust between AD and the kerberos realm was redone. Previously, both the root domain and the domain that all the users/resources are in had trusts, but now only the root AD domain has a trust. The heimdal kdcs have [capaths] configured and properly give out realm referrals. The AD servers do not. Lets call the kerberos realm KERBEROS.EXAMPLE.COM, and the AD domains AD.EXAMPLE.COM and REALDOMAIN.AD.EXAMPLE.COM. These names _do_ reflect the domain hierarchy relationship correctly. I only changed the individual labels. After the change, mit krb5 1.9 (1.9.1ish on ubuntu 11.10), cannot get tickets on behalf of user@REALDOMAIN.AD.EXAMPLE.COM for services in KERBEROS.EXAMPLE.COM: % aklog -d kerberos.example.com Note: Operation is performed on cell REALDOMAIN.AD.EXAMPLE.COM Authenticating to cell kerberos.example.com (server XXXX.kerberos.example.com). Trying to authenticate to user's realm REALDOMAIN.AD.EXAMPLE.COM. Getting tickets: afs/kerberos.example.com@REALDOMAIN.AD.EXAMPLE.COM We've deduced that we need to authenticate to realm KERBEROS.EXAMPLE.COM. Getting tickets: afs/kerberos.example.com@KERBEROS.EXAMPLE.COM Getting tickets: afs/kerberos.example.com@KERBEROS.EXAMPLE.COM Kerberos error code returned by get_cred : -1765328316 That is KRB5KDC_ERR_WRONG_REALM Setting KRB5_TRACE reveals the following: [27580] 1339700735.363748: Requesting TGT krbtgt/KERBEROS.EXAMPLE.COM@REALDOMAIN.AD.EXAMPLE.COM using TGT krbtgt/AD.EXAMPLE.COM@REALDOMAIN.AD.EXAMPLE.COM [27580] 1339700735.363759: Generated subkey for TGS request: rc4-hmac/AB6E [27580] 1339700735.363772: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-cbc-crc, des, des-cbc-md4 [27580] 1339700735.363839: Sending request (1737 bytes) to AD.EXAMPLE.COM [27580] 1339700735.369349: Initiating TCP connection to stream 192.168.20.8:88 [27580] 1339700735.371149: Sending TCP request to stream 192.168.20.8:88 [27580] 1339700735.372676: Received answer from stream 192.168.20.8:88 [27580] 1339700735.374530: Response was not from master KDC [27580] 1339700735.374547: TGS request result: -1765328316/Realm not local to KDC The library seems to be mixing up the realms, asking for an @REALDOMAIN.AD.EXAMPLE.COM ticket from the @AD.EXAMPLE.COM kdc. If I add some capaths to the client's krb5.conf, the problem does not occur, but I'd really rather not have to do that everywhere. an mit krb5 1.6 client (RHEL5) works without the capaths. [capaths] REALDOMAIN.AD.EXAMPLE.COM = { KERBEROS.EXAMPLE.COM = AD.EXAMPLE.COM AD.EXAMPLE.COM = . }