I'm having trouble logging in via the GUI console to an Ubuntu 16 Desktop host that is affiliated with a FreeIPA server, which in turn is affiliated with an Active Directory server.

When I try to log in with debugging turned up on the SSSD I see an underlying error in the krb5_child log file: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM

Following an example from the freeipa-users mailing list, I am just working with kinit and kvno to identify the underlying problem. I get the same error, which I suppose is good. But I don't know how to resolve it from here. The transcript is below. On the first try at kvno, I get the same error. On the second try, it works. Any idea why? I suspect the failure on the first try is the real problem with authentication from the console.

Any hints what to try next?

Thanks
----- /etc/krb5.conf -----
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM



----- Transcript -----


$ kdestroy -A


$ kinit aduser@AD.EXAMPLE.COM
Password for aduser@AD.EXAMPLE.COM:


$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: aduser@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
08/14/2017 09:59:22  08/14/2017 19:59:22  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
	renew until 08/15/2017 09:59:17


$ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com@EXAMPLE.COM
[1994] 1502719211.714019: Getting credentials aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM using ccache KEYRING:persistent:1000:1000
[1994] 1502719211.714237: Retrieving aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1994] 1502719211.714318: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1994] 1502719211.714376: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: 0/Success
[1994] 1502719211.714395: Starting with TGT for client realm: aduser@AD.EXAMPLE.COM -> krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714439: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1994] 1502719211.714456: Requesting TGT krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM using TGT krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.714486: Generated subkey for TGS request: aes256-cts/020C
[1994] 1502719211.714525: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1994] 1502719211.714605: Encoding request body and padata into FAST request
[1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
[1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.719053: Sending initial UDP request to dgram 192.168.1.2:88
[1994] 1502719211.742171: Received answer (309 bytes) from dgram 192.168.1.2:88
[1994] 1502719211.743066: Response was not from master KDC
[1994] 1502719211.743082: Decoding FAST response
[1994] 1502719211.743109: Request or response is too big for UDP; retrying with TCP
[1994] 1502719211.743113: Sending request (1686 bytes) to AD.EXAMPLE.COM (tcp only)
[1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.744908: Initiating TCP connection to stream 192.168.1.2:88
[1994] 1502719211.764062: Sending TCP request to stream 192.168.1.2:88
[1994] 1502719211.805666: Received answer (1643 bytes) from stream 192.168.1.2:88
[1994] 1502719211.805678: Terminating TCP connection to stream 192.168.1.2:88
[1994] 1502719211.806709: Response was not from master KDC
[1994] 1502719211.806735: Decoding FAST response
[1994] 1502719211.806789: FAST reply key: aes256-cts/820C
[1994] 1502719211.806808: TGS reply is for aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM with session key aes256-cts/B56C
[1994] 1502719211.806822: TGS request result: 0/Success
[1994] 1502719211.806826: Storing aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM in KEYRING:persistent:1000:1000
[1994] 1502719211.806912: Received TGT for service realm: krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1994] 1502719211.806915: Requesting tickets for host/myhost.example.com@EXAMPLE.COM, referrals on
[1994] 1502719211.806924: Generated subkey for TGS request: aes256-cts/D365
[1994] 1502719211.806940: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1994] 1502719211.806968: Encoding request body and padata into FAST request
[1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM


$ KRB5_TRACE=/dev/stdout kvno host/myhost.example.com@EXAMPLE.COM
[1995] 1502719219.601419: Getting credentials aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM using ccache KEYRING:persistent:1000:1000
[1995] 1502719219.601516: Retrieving aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: -1765328243/Matching credential not found
[1995] 1502719219.601556: Retrieving aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@EXAMPLE.COM from KEYRING:persistent:1000:1000 with result: 0/Success
[1995] 1502719219.601559: Found cached TGT for service realm: aduser@AD.EXAMPLE.COM -> krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
[1995] 1502719219.601561: Requesting tickets for host/myhost.example.com@EXAMPLE.COM, referrals on
[1995] 1502719219.601573: Generated subkey for TGS request: aes256-cts/5EC1
[1995] 1502719219.601592: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1995] 1502719219.601639: Encoding request body and padata into FAST request
[1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
[1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
[1995] 1502719219.604856: Sending initial UDP request to dgram 192.168.1.1:88
[1995] 1502719219.621855: Received answer (1680 bytes) from dgram 192.168.1.1:88
[1995] 1502719219.622767: Response was not from master KDC
[1995] 1502719219.622783: Decoding FAST response
[1995] 1502719219.622834: FAST reply key: aes256-cts/14A3
[1995] 1502719219.622852: TGS reply is for aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM with session key aes256-cts/B41C
[1995] 1502719219.622866: TGS request result: 0/Success
[1995] 1502719219.622868: Received creds for desired service host/myhost.example.com@EXAMPLE.COM
[1995] 1502719219.622871: Storing aduser@AD.EXAMPLE.COM -> host/myhost.example.com@EXAMPLE.COM in KEYRING:persistent:1000:1000
host/myhost.example.com@EXAMPLE.COM: kvno = 7
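
----- Added example (not part of the original post) -----

A small Python parser for the KRB5_TRACE output above, added here as an illustration and not taken from the poster or from the krb5 project. It pairs each "Sending request" line with the hostname resolution and transport that follow it, which makes the visible difference between the two kvno runs explicit: the failing request to EXAMPLE.COM is marked "(tcp only)" and no KDC hostname is resolved, while the succeeding one is unmarked and goes out over UDP. The function names and the embedded sample are this example's own.

```python
import re

# Constructed sample: selected lines copied from the two kvno traces in the post.
SAMPLE_TRACE = """\
[1994] 1502719211.714662: Sending request (1686 bytes) to AD.EXAMPLE.COM
[1994] 1502719211.717532: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.719053: Sending initial UDP request to dgram 192.168.1.2:88
[1994] 1502719211.743113: Sending request (1686 bytes) to AD.EXAMPLE.COM (tcp only)
[1994] 1502719211.743971: Resolving hostname ad-host.ad.example.com.
[1994] 1502719211.744908: Initiating TCP connection to stream 192.168.1.2:88
[1994] 1502719211.806994: Sending request (1676 bytes) to EXAMPLE.COM (tcp only)
kvno: Cannot find KDC for realm "EXAMPLE.COM" while getting credentials for host/myhost.example.com@EXAMPLE.COM
[1995] 1502719219.601666: Sending request (1676 bytes) to EXAMPLE.COM
[1995] 1502719219.603587: Resolving hostname idsg-test16.example.com.
[1995] 1502719219.604856: Sending initial UDP request to dgram 192.168.1.1:88
"""

SEND = re.compile(r"Sending request \(\d+ bytes\) to (\S+?)( \(tcp only\))?$")
RESOLVE = re.compile(r"Resolving hostname (\S+?)\.?$")
CONTACT = re.compile(
    r"(?:Sending initial UDP request to|Initiating TCP connection to) (dgram|stream) (\S+)$")


def kdc_attempts(trace):
    """Return one dict per 'Sending request' line with what followed it."""
    attempts = []
    for line in trace.splitlines():
        line = line.strip()
        m = SEND.search(line)
        if m:  # a new request to a realm starts a new attempt record
            attempts.append({"realm": m.group(1), "tcp_only": bool(m.group(2)),
                             "hosts": [], "endpoints": []})
            continue
        if not attempts:
            continue
        m = RESOLVE.search(line)
        if m:  # libkrb5 found a KDC name for the current attempt
            attempts[-1]["hosts"].append(m.group(1))
        m = CONTACT.search(line)
        if m:  # transport (dgram/stream) and address actually contacted
            attempts[-1]["endpoints"].append((m.group(1), m.group(2)))
    return attempts


def unlocated(trace):
    """Attempts for which the trace shows no KDC hostname being resolved."""
    return [(a["realm"], "tcp" if a["tcp_only"] else "any")
            for a in kdc_attempts(trace) if not a["hosts"]]
```

A realm reported only with transport "tcp" is a prompt to compare how its KDCs are published for TCP versus UDP, for example the _kerberos._tcp and _kerberos._udp DNS SRV records, since this krb5.conf sets dns_lookup_kdc = true. That the two differ on this host is an assumption; the post does not confirm it.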