diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index e888be3554b..f0be45c91c0 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -318,6 +318,9 @@ Release 2.5.0 - UNRELEASED
     HADOOP-10378. Typo in help printed by hdfs dfs -help.
     (Mit Desai via suresh)
 
+    HADOOP-10418. SaslRpcClient should not assume that remote principals are in
+    the default_realm. (atm)
+
 Release 2.4.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
index 92a62203f0d..dfb0898a449 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
@@ -300,7 +300,9 @@ public class SaslRpcClient {
     }
     // construct server advertised principal for comparision
     String serverPrincipal = new KerberosPrincipal(
-        authType.getProtocol() + "/" + authType.getServerId()).getName();
+        authType.getProtocol() + "/" + authType.getServerId(),
+        KerberosPrincipal.KRB_NT_SRV_HST).getName();
+
     boolean isPrincipalValid = false;
 
     // use the pattern if defined