[OpenAFS] openssh, addressless tickets and AFS tokens

Kevin Hill kevinh@fnal.gov
Mon, 07 Feb 2005 10:24:15 -0600


Hi,
This is more of a Kerberos question, but thought someone here might have 
run into this before...

We are using an older version of OpenSSH with Simon Wilkinson's GSSAPI 
patch, and a locally maintained version of MIT Kerberos. We have some 
Linux systems behind a load balancer, which are having problems getting 
AFS tickets.

The systems behind the load balancer are configured with the external IP 
address client machines think they are connected to bound to a loopback 
device. They have a host principal for this name installed. Clients can 
authenticate correctly, but if they log in with an addressless ticket 
they are ending up with a TGT with the IP they connected to in their 
cache, which seems to be preventing getting an AFS token. When 
connecting with telnet they are getting an addressless TGT and can 
successfully get an AFS token.

Anyone seen this situation come up before or have any suggestions?

thanks,
-kevin