[OpenAFS] aklog claims it can't contact KDC, but KDC is issuing tickets
Adam Megacz
megacz@cs.berkeley.edu
Mon, 06 Mar 2006 04:48:08 +0000
It gets stranger and stranger. Here's what the user types on the
console:

  $ kinit *****@EECS.BERKELEY.EDU && aklog -d -c research.cs.berkeley.edu
  Please enter the password for *****@EECS.BERKELEY.EDU:
  Authenticating to cell research.cs.berkeley.edu (server afs.research.CS.Berkeley.EDU).
  We've deduced that we need to authenticate to realm RESEARCH.CS.BERKELEY.EDU.
  Getting tickets: afs/research.cs.berkeley.edu@RESEARCH.CS.BERKELEY.EDU
  Kerberos error code returned by get_cred: -1765328228
  aklog: Couldn't get research.cs.berkeley.edu AFS tickets:
  aklog: Cannot contact any KDC for requested realm while getting AFS tickets

So you'd suspect that the RESEARCH.CS.BERKELEY.EDU KDC hasn't been
contacted, right? But this is what I get in the KDC logs (times have
been correlated -- this is in response to the cut-and-paste above):

  Mar 05 19:38:40 research.cs.berkeley.edu krb5kdc[1626](info):
    TGS_REQ (1 etypes {1}) *.*.*.*: ISSUE: authtime 1141616344,
    etypes {rep=1 tkt=1 ses=1}, *****@EECS.BERKELEY.EDU for
    afs/research.cs.berkeley.edu@RESEARCH.CS.BERKELEY.EDU
  Mar 05 19:38:43 research.cs.berkeley.edu krb5kdc[1626](info):
    DISPATCH: repeated (retransmitted?) request from
    *.*.*.*, resending previous response
  Mar 05 19:39:08 research.cs.berkeley.edu krb5kdc[1626](info):
    DISPATCH: repeated (retransmitted?) request from
    *.*.*.*, resending previous response

Is there any way to get aklog to be more specific than "Cannot contact
any KDC for requested realm"? Like, can I get it to spit out a list
of what it believes are the KDCs for this realm? Or be more specific
about which realm it means here (cross-realm is involved)?

If it is relevant, the user is behind a NAT (which supports UDP -- he
can kinit properly). I'm not running krb524d and krb5kdc is running
with "-4none".
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
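
The log pattern quoted in the message above (a ticket ISSUE followed by "repeated (retransmitted?)" entries from the same address) can be picked out of a krb5kdc log mechanically. The following is an added example, not part of the original post and not OpenAFS or MIT Kerberos code. It assumes one log entry per line; the address 192.0.2.10, the principal names user@ and other@, and the window_s parameter are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the krb5kdc log shape quoted in the post, one entry per
# line; addresses and client principals are placeholders for the masked values.
SAMPLE_LOG = """\
Mar 05 19:38:40 research.cs.berkeley.edu krb5kdc[1626](info): TGS_REQ (1 etypes {1}) 192.0.2.10: ISSUE: authtime 1141616344, etypes {rep=1 tkt=1 ses=1}, user@EECS.BERKELEY.EDU for afs/research.cs.berkeley.edu@RESEARCH.CS.BERKELEY.EDU
Mar 05 19:38:41 research.cs.berkeley.edu krb5kdc[1626](info): TGS_REQ (1 etypes {1}) 192.0.2.20: ISSUE: authtime 1141616300, etypes {rep=1 tkt=1 ses=1}, other@EECS.BERKELEY.EDU for afs/research.cs.berkeley.edu@RESEARCH.CS.BERKELEY.EDU
Mar 05 19:38:43 research.cs.berkeley.edu krb5kdc[1626](info): DISPATCH: repeated (retransmitted?) request from 192.0.2.10, resending previous response
Mar 05 19:39:08 research.cs.berkeley.edu krb5kdc[1626](info): DISPATCH: repeated (retransmitted?) request from 192.0.2.10, resending previous response
"""

PREFIX = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): (.*)$")
ISSUE = re.compile(r"^(?:AS_REQ|TGS_REQ) \(.*?\) (\S+): ISSUE: .*, (\S+) for (\S+)$")
REPEAT = re.compile(r"^DISPATCH: repeated \(retransmitted\?\) request from (\S+), "
                    r"resending previous response$")

def issued_but_retransmitted(log_text, window_s=60):
    """Return one record per ISSUE that the same address kept re-requesting.

    window_s (hypothetical knob): how long after an ISSUE a repeat still counts.
    """
    last_issue = {}   # source address -> record of its most recent ISSUE
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        # The stamps carry no year; a fixed one is enough because only deltas matter.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (i := ISSUE.match(msg)):
            last_issue[i.group(1)] = {"addr": i.group(1), "client": i.group(2),
                                      "service": i.group(3), "issued": ts,
                                      "retransmits": []}
        elif (r := REPEAT.match(msg)) and r.group(1) in last_issue:
            rec = last_issue[r.group(1)]
            delta = (ts - rec["issued"]).total_seconds()
            if 0 <= delta <= window_s:
                if not rec["retransmits"]:
                    findings.append(rec)          # first repeat: report this ISSUE
                rec["retransmits"].append(int(delta))
    return findings

if __name__ == "__main__":
    for f in issued_but_retransmitted(SAMPLE_LOG):
        print(f"{f['addr']} {f['client']} -> {f['service']}: "
              f"re-requested at +{f['retransmits']} s after ISSUE")
```

Each record gives the seconds between the ISSUE and every repeated request, which is the timing the post correlates by hand against the aklog output.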