[OpenAFS] Re: aklog claims it can't contact KDC, but KDC is issuing tickets

Adam Megacz megacz@cs.berkeley.edu
Mon, 06 Mar 2006 19:46:02 +0000

Marcus Watts <mdw@umich.edu> writes:
>> Is there any way to get aklog to be more specific than "Cannot contact
>> any KDC for requested realm"?  Like, can I get it to spit out a list
>> of what it believes are the KDCs for this realm?  Or be more specific
>> about which realm it means here (cross-realm is involved)?

> Looks like a NAT problem.

Yeah, I suspect so as well.  It is pretty strange though that kinit
works yet aklog doesn't.  That has me sort of confused.  If the NAT's
UDP implementation is wonky, shouldn't I generally expect kinit to
fail first?

> aklog doesn't contain internal logic to go to the level you want.

Bummer.  This treads a bit close to complaining, but doesn't stuff
like this qualify as "providing useful error reporting"?  Maybe I'm
coddled by languages with exceptions.

> Fortunately, you don't need to instrument your Kerberos application
> to figure out what's happening.  For problems like this, there are
> perfectly adequate system debugging tools that will suffice.

Unfortunately the NAT in question is at somebody's home -- I don't
have physical access to that location, nor does anybody who is
comfortable using these tools (in fact, I doubt that even tcpdump is
installed on any machine at that location).

Oh well.  Thanks for trying.  I'll see if I can find out what
brand/model the NAT is and try to buy one so I can reproduce this
situation myself -- at that point I can apply the excellent advice
you've supplied.

Thank you for taking so much time to spell it out for me!  Once the
OpenAFS wiki is back online your posting probably deserves to be
immortalized for future NAT-fighters ;)

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380