The KDC will not resolve the fully qualified host name (FQDN) correctly (even though you specify it on the Configuration-By-Forms domain parameter (see domain Parameter--Specify Domain Name) unless it resolves the host name passed from the client as the FQDN.

The FQDN is picked up from your network configuration (rather than the config.dat setting) when the Kerberos driver calls gss.init.sec..context(). Often the unqualified host name is passed to the KDC, and gss.init.sec..context() fails.

In the Linux environment, edit the local host file with the FQDN and not the alias for your local host as the first entry. The file is /etc/hosts and often looks like this: