Hi Jakub,

On Jul 30, 2013, at 07:28 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:

On Tue, Jul 30, 2013 at 11:41:41AM +0000, Bryan Harris wrote:
When I run kinit -k host/server.ad.domain.com@AD.DOMAIN.COM I get the following message:
kinit: Cannot find KDC for requested realm while getting initial credentials


There is no KDC explicitly defined so you rely on DNS lookups for
locating the KDC. Can you check if the other servers that work use the
same DNS servers in resolv.conf?
 
I'm sorry but I saw Sumit's email first.  Also in my other email I tried to explain the weird Smart Card PIN behavior.

Our resolv.conf is pointing to our BIND servers, which have the following in the zone that the Linux servers will search, using the domain sub.domain.com in /etc/resolv.conf.  It seems to work okay, but please feel free to let me know if it's not right.  I honestly don't remember if I found this information on the sssd fedorahosted.org pages, but it has seemed to work thus far.  We do realize that if we ever make changes to our environment's addressing, we will need to change the zone in the BIND servers as well.

_ldap._tcp              1D IN SRV 0 100 389 dc01
_ldap._tcp              1D IN SRV 0 100 389 dc02
_kerberos._tcp          1D IN SRV 0 100 88 dc01
_kerberos._tcp          1D IN SRV 0 100 88 dc02
_kpasswd._tcp           1D IN SRV 0 100 464 dc01
_kpasswd._tcp           1D IN SRV 0 100 464 dc02

_kerberos._udp          1D IN SRV 0 100 88 dc01
_kerberos._udp          1D IN SRV 0 100 88 dc02
_kpasswd._udp           1D IN SRV 0 100 464 dc01
_kpasswd._udp           1D IN SRV 0 100 464 dc02

Bryan
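A quick way to check a zone fragment like the one above against what a Kerberos client will actually ask DNS for, as an added example that is not part of the thread or of sssd. When krb5.conf lists no kdc for a realm and DNS lookup is enabled, MIT krb5 queries `_kerberos._udp.<realm>` and `_kerberos._tcp.<realm>` (the realm name lowercased), kpasswd uses `_kpasswd._udp`/`_kpasswd._tcp`, and sssd's AD provider locates domain controllers through `_ldap._tcp`. The checker parses the posted SRV lines, qualifies the relative owner names with a zone origin, and reports which of the expected names are absent. The zone fragment is constructed from the records quoted in the thread; the origin `sub.domain.com` and the realm `AD.DOMAIN.COM` are taken from the message and the ports are the standard ones; nothing else is assumed.

```python
"""Check a BIND zone fragment for the SRV records a Kerberos/AD client looks up.

Added example, not code from the thread or from sssd. The zone fragment
below is constructed to match the records quoted in the message; the zone
origin and the realm are supplied by the caller.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed zone fragment with the same shape as the quoted records.
ZONE_FRAGMENT = """
_ldap._tcp              1D IN SRV 0 100 389 dc01
_ldap._tcp              1D IN SRV 0 100 389 dc02
_kerberos._tcp          1D IN SRV 0 100 88 dc01
_kerberos._tcp          1D IN SRV 0 100 88 dc02
_kpasswd._tcp           1D IN SRV 0 100 464 dc01
_kpasswd._tcp           1D IN SRV 0 100 464 dc02

_kerberos._udp          1D IN SRV 0 100 88 dc01
_kerberos._udp          1D IN SRV 0 100 88 dc02
_kpasswd._udp           1D IN SRV 0 100 464 dc01
_kpasswd._udp           1D IN SRV 0 100 464 dc02
"""

# Names and ports an MIT krb5 client (kinit/kpasswd) and sssd's AD provider
# query, relative to the realm: _kerberos for the KDC, _kpasswd for password
# changes, _ldap for DC discovery. Order here is the order the report uses.
EXPECTED = {
    "kdc": [("_kerberos._udp", 88), ("_kerberos._tcp", 88)],
    "kpasswd": [("_kpasswd._udp", 464), ("_kpasswd._tcp", 464)],
    "ldap": [("_ldap._tcp", 389)],
}

# owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\S+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


@dataclass(frozen=True)
class SrvRecord:
    name: str  # fully qualified owner name, lowercase, no trailing dot
    priority: int
    weight: int
    port: int
    target: str


def _qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into an absolute lowercase name under `origin`."""
    name = name.lower()
    if name.endswith("."):
        return name.rstrip(".")  # already absolute
    if name == "@":
        return origin
    return f"{name}.{origin}"


def parse_zone(fragment: str, origin: str) -> list[SrvRecord]:
    """Parse the SRV records in a zone fragment; other record types are ignored."""
    origin = origin.rstrip(".").lower()
    records: list[SrvRecord] = []
    for raw in fragment.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            continue
        records.append(
            SrvRecord(
                name=_qualify(m["owner"], origin),
                priority=int(m["prio"]),
                weight=int(m["weight"]),
                port=int(m["port"]),
                target=_qualify(m["target"], origin),
            )
        )
    return records


def expected_srv_names(realm: str) -> dict[str, list[tuple[str, int]]]:
    """The (name, port) pairs a client for `realm` queries, e.g. _kerberos._udp.ad.domain.com."""
    realm = realm.rstrip(".").lower()
    return {
        svc: [(f"{prefix}.{realm}", port) for prefix, port in entries]
        for svc, entries in EXPECTED.items()
    }


def missing_records(records: list[SrvRecord], realm: str) -> list[str]:
    """Expected SRV names for `realm` that no parsed record answers on the expected port."""
    present = {(r.name, r.port) for r in records}
    return [
        name
        for entries in expected_srv_names(realm).values()
        for name, port in entries
        if (name, port) not in present
    ]


if __name__ == "__main__":
    zone = parse_zone(ZONE_FRAGMENT, "sub.domain.com")
    for name in missing_records(zone, "AD.DOMAIN.COM") or ["(none)"]:
        print("missing:", name)
```

The check is purely on the zone text: when the records live under one origin and the realm is another name, the client queries names the zone never answers, and the fix is either to publish the same SRV records under the realm's name or to list the KDCs explicitly in the `[realms]` section of krb5.conf. It does not verify what the hosts in resolv.conf actually serve; `dig SRV _kerberos._udp.<realm>` from the affected machine does that.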