
KDC certificate

Can anyone explain what this console message is referring to? Thanks!


kdc[43]: WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.

MacBook Pro, OS X Mountain Lion (10.8.2), Early 2011 13"

Posted on Sep 19, 2012 1:27 PM

6 replies

Jan 20, 2013 6:23 PM in response to papericons

Best I can gather, this is due to a missing certificate. http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html


The client KDC certificate must have an "EKU". If you have a system administrator, tell them you need a new Kerberos client certificate. If you are running a server yourself, follow the instructions, more or less, using the Certificate Assistant in Keychain Access on your server to generate a fresh certificate and export it to the clients.


I'm off to try this myself. Wish me luck. Generally speaking, half the problems I've had with my OS X Server 2.2 are due to certificate issues.
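For readers who want to verify the point this reply makes before touching keychain trust settings: the "EKU" is the X.509 extendedKeyUsage extension (OID 2.5.29.37), and RFC 4556 section 3.2.4 says a PK-INIT KDC certificate has to list id-pkinit-KPKdc, OID 1.3.6.1.5.2.3.5, in it. The Heimdal warning in the question fires because the com.apple.kerberos.kdc certificate lists no such purpose. The script below is an added example, not code from this thread, from Heimdal or from Apple: it walks a DER blob with a small hand-written decoder, finds the extKeyUsage extension and reports whether the KDC purpose is present. The two sample `extensions` fields it checks are constructed inline (one TLS-style, one proper KDC), so it runs offline; `find_eku_oids` also accepts a complete DER certificate because it simply descends into every constructed element until it meets an Extension whose id is 2.5.29.37.

```python
# Added example (not code from the thread, Heimdal or Apple): decode the
# extendedKeyUsage extension of DER-encoded X.509 data with a tiny DER walker
# and check for the PK-INIT KDC EKU that the warning above says is missing.
# The sample inputs are constructed at the bottom of the file.

ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"         # id-pkinit-KPKdc (RFC 4556, 3.2.4)
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"  # id-pkinit-KPClientAuth (RFC 4556, 3.2.2)
ID_KP_SERVERAUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth: a TLS purpose, not enough for a KDC
ID_CE_EXTKEYUSAGE = "2.5.29.37"             # id-ce-extKeyUsage


def _tlv(tag, body):
    """Encode one DER tag-length-value (short or long definite length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _iter_tlvs(buf):
    """Yield (tag, content) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                     # long form: the next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs merged, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)  # continuation bit on all but the last byte
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER back to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def find_eku_oids(der):
    """Walk any DER blob (a whole certificate works) and return the OIDs listed in
    its extKeyUsage extension, or None if there is no such extension."""
    for tag, content in _iter_tlvs(der):
        if not tag & 0x20:                    # primitive element: nothing to descend into
            continue
        items = list(_iter_tlvs(content))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        if items and items[0][0] == 0x06 and decode_oid(items[0][1]) == ID_CE_EXTKEYUSAGE:
            octets = items[-1][1]             # OCTET STRING wrapping ExtKeyUsageSyntax ::= SEQUENCE OF OID
            _, seq = next(_iter_tlvs(octets))
            return [decode_oid(v) for t, v in _iter_tlvs(seq) if t == 0x06]
        found = find_eku_oids(content)
        if found is not None:
            return found
    return None


def has_pkinit_kdc_eku(der):
    """True only if extKeyUsage lists id-pkinit-KPKdc; a certificate with no
    extKeyUsage at all counts as missing it, which is what the warning reports."""
    ekus = find_eku_oids(der)
    return ekus is not None and ID_PKINIT_KPKDC in ekus


def build_extensions(eku_oids):
    """Construct, for this example only, the `extensions [3]` field of a
    TBSCertificate holding a single extKeyUsage extension with the given OIDs."""
    eku_syntax = _tlv(0x30, b"".join(encode_oid(o) for o in eku_oids))
    extension = _tlv(0x30, encode_oid(ID_CE_EXTKEYUSAGE) + _tlv(0x04, eku_syntax))
    return _tlv(0xA3, _tlv(0x30, extension))  # [3] EXPLICIT SEQUENCE OF Extension


if __name__ == "__main__":
    # Constructed samples: what a generic TLS CA tends to issue, and a proper KDC certificate.
    for label, ekus in (("tls-only", [ID_KP_SERVERAUTH]),
                        ("kdc", [ID_KP_SERVERAUTH, ID_PKINIT_KPKDC])):
        ext = build_extensions(ekus)
        print(f"{label}: EKU={find_eku_oids(ext)} pkinit-kdc={has_pkinit_kdc_eku(ext)}")
```

To run it against the certificate named in the warning, export it from the keychain as PEM (`security find-certificate -c com.apple.kerberos.kdc -p` prints it), base64-decode the text between the BEGIN and END lines, and pass the resulting bytes to `has_pkinit_kdc_eku`. A False result is exactly the condition kdc logs about, and changing trust settings, as the later replies do, silences the log line without adding the missing purpose to the certificate.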

Jan 22, 2013 1:00 PM in response to kristin119

Follow up: I was able to solve this without a new certificate. I found the primary CA certificate for the machine and edited the trust settings to Always Trust for Kerberos client and server. No more errors in the log.


Open Utilities: Keychain Access

Select the System keychain, select Category Certificates.


Here you need to identify the Certificate Authority that best applies to your computer. If you don't know, you'll need to ask. Do a File->Get Info on the CA. Open the trust settings by clicking the triangle next to Trust. Scroll down until you see Kerberos Server and Kerberos Client. Change the trust settings from the pop-up menus to Always Trust.


That's it. If that is the relevant CA, the KDC error messages will go away.

Jan 23, 2013 9:42 AM in response to papericons

Since the com.apple.kerberos.kdc certificate is the one indicated in your error message, this is the one you want to change. Make sure you select the Certificate and not the keys.


FYI: This won't actually give you safe Kerberos exchanges, since this is a local, self-signed certificate. If you are in an enterprise or somewhere that requires good security, talk to a sys admin and get a signed certificate!


If you are a home user with no serious security issues to worry about, trusting this certificate should be just fine, and will initiate Kerberos for you locally.


Cheers.
