When joining a domain and "kerberos method" is set to "secrets and keytab", a keytab is auto-generated. The entries are generated in the following order:

$ klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 host/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 host/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 host/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 host/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 cifs/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)

The machine's UPN is the last entry. This makes it impossible to issue a 'kinit -k'. It fails with:

kinit(v5): Client not found in Kerberos database while getting initial credentials

The machine's UPN (HOSTNAME$@SUB.COMPANY.NET) should always be on top, followed by the host service and any other service added by default or by 'net ads keytab'.
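
A way to check a generated keytab for the ordering described in this report, as an added example that is not part of the original report or of Samba. The function names are hypothetical, the sample is constructed from the listing above (abbreviated), and the input is assumed to be 'klist -k' or 'klist -ek' output without timestamps.

```shell
#!/bin/sh
# Constructed sample: abbreviated klist -ek output in the order reported above.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)
EOF
}

# Print each distinct principal once, in keytab order (klist output on stdin).
# Entry lines are recognised by a numeric KVNO followed by name@REALM.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ && !seen[$2]++ { print $2 }'
}

# Print the 1-based position of the machine account (NAME$@REALM, no service
# prefix) among the distinct principals, or 0 if the keytab has none.
machine_principal_position() {
    keytab_principals | awk '
        index($0, "/") == 0 && /\$@/ { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# Return 0 when the machine account is the first entry; otherwise report its
# position and the explicit-principal form of kinit, and return 1.
check_keytab_order() {
    out=$(cat)
    pos=$(printf '%s\n' "$out" | machine_principal_position)
    [ "$pos" = "1" ] && return 0
    if [ "$pos" = "0" ]; then
        echo "no machine account (NAME\$@REALM) entry found"
    else
        upn=$(printf '%s\n' "$out" | keytab_principals | sed -n "${pos}p")
        echo "machine account is principal #$pos; name it explicitly: kinit -k '$upn'"
    fi
    return 1
}

# Stand-alone run against the constructed sample.
sample_klist | check_keytab_order || true
```

On a live host, pipe real output into it: klist -k /etc/krb5.keytab | check_keytab_order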