Because mapping does not become an issue until the client computer tries to access a service, domain to REALM mapping problems do not affect initial ticket requests (TGTs).
When mapping problems exist, service ticket requests may fail or access to Kerberized services may fail.
With Active Directory, the REALM name is always the uppercase equivalent of the DNS domain name.
Look in your krb5.conf file to see if the [realms] section and the [domain_realm] section are correct for your environment.
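One way to automate that check, as an added example that is not part of the original guide: the script parses a krb5.conf and flags [domain_realm] entries whose realm is not uppercase or has no matching block in [realms]. The sample file and every name in it are constructed, and the second check assumes KDCs are listed statically in [realms] rather than located through DNS.

```python
import re

# Constructed sample krb5.conf (hypothetical names) with two deliberate mistakes.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = example.com
    .corp.example.com = CORP.EXAMPLE.COM
"""

def parse_krb5(text):
    """Return (realm names defined in [realms], {domain: realm} from [domain_realm])."""
    realms, mappings, section, depth = set(), {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comment lines
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # new top-level section
            section, depth = header.group(1), 0
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "realms":
            if depth == 0 and value.startswith("{"):
                realms.add(key)              # "REALM = {" opens a realm block
            depth += line.count("{") - line.count("}")
        elif section == "domain_realm" and value:
            mappings[key] = value
    return realms, mappings

def check_mappings(text):
    """List [domain_realm] entries that would break domain to REALM mapping."""
    realms, mappings = parse_krb5(text)
    problems = []
    for domain, realm in mappings.items():
        if realm != realm.upper():           # AD realm names are always uppercase
            problems.append(f"{domain}: realm {realm!r} is not uppercase")
        elif realm not in realms:            # assumption: KDCs are listed in [realms]
            problems.append(f"{domain}: realm {realm!r} has no [realms] entry")
    return problems

if __name__ == "__main__":
    for problem in check_mappings(SAMPLE):
        print(problem)
```

To check a real host, pass the contents of its krb5.conf to `check_mappings` instead of `SAMPLE`.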
Investigate DNS issues if you are experiencing error messages similar to those listed as follows:
See also Appendix E: “Relevant Windows and UNIX Tools” for more information.
The entries in the PAM configuration files can be a common source of problems.
Active Directory domain controllers, Windows clients, UNIX clients, and application servers must all have a shared understanding of the correct host names and IP addresses for each computer within the environment.
For example, issues that are the result of name resolution problems often appear with symptoms that seem to have no relation to name resolution.
When you begin troubleshooting a Kerberos problem, there are a few common trouble-spots that you should check first:
In some cases, it will be obvious when troubleshooting which of these, if any, is the cause of the problem.
For instance, when there is a clock skew problem, you may see a clock skew error.
Many UNIX implementations support the SHA1 encryption type, but Active Directory does not.
Although these encryption types are not as secure as RC4-HMAC and SHA1, they have been selected for this document because of their universal support.
In a Kerberos environment, both a client (a user) and a server (the server side component of an application) must have a key (a password).