[OpenAFS] aklog claims it can't contact KDC, but KDC is issuing tickets

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 06 Mar 2006 10:37:09 -0500


>Is there any way to get aklog to be more specific than "Cannot contact
>any KDC for requested realm"?  Like, can I get it to spit out a list
>of what it believes are the KDCs for this realm?  Or be more specific
>about which realm it means here (cross-realm is involved)?
>
>If it is relevant, the user is behind a NAT (which supports UDP -- he
>can kinit properly).  I'm not running krb524d and krb5kdc is running
>with "-4none".

In addition to everything Marcus said, here are some additional things
to try:

- What happens when you run:

  kvno afs/research.cs.berkeley.edu@RESEARCH.CS.BERKELEY.EDU

  (I suspect you'll get the same error as you did from aklog; if you
  didn't, that would be interesting).

- What's the output of "klist" after you run aklog?  That could tell you
  where the problem is.

The fact that you're getting repeated requests on the KDC suggests to me
that the replies from the KDC aren't getting back to the client
system.  Dunno what's causing that; it could be a flaky NAT, but plenty
of other things could cause it.

--Ken
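
The quoted question asks how to see which KDCs the client believes serve a realm. The script below is an added example, not part of the original message or of OpenAFS or Kerberos code: it lists the `kdc` entries a krb5.conf file gives for one realm. The hostnames and the EXAMPLE.ORG peer realm are constructed sample data, and the script reads only the [realms] section, so it does not show KDCs the library may find through DNS SRV records.

```shell
#!/bin/sh
# list_kdcs REALM [FILE]: print each "kdc =" value that FILE's [realms]
# section gives for REALM. FILE defaults to /etc/krb5.conf; "-" reads stdin.
# Exit status is 1 when the file has no kdc entries for the realm.
list_kdcs() {
    realm=$1
    conf=${2:-/etc/krb5.conf}
    awk -v realm="$realm" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # [section] header
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            inrealm = 0
            next
        }
        section == "realms" && index($0, "{") {     # "REALM = {" opens a block
            name = $0
            sub(/[ \t]*=.*/, "", name)
            sub(/^[ \t]+/, "", name)
            inrealm = (name == realm)
            next
        }
        section == "realms" && index($0, "}") { inrealm = 0; next }
        inrealm && /^[ \t]*kdc[ \t]*=/ {            # a kdc line inside our realm
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            print val
            n++
        }
        END { exit (n ? 0 : 1) }
    ' "$conf"
}

# Constructed sample configuration (hostnames are placeholders).
sample_conf() {
    printf '%s\n' '[libdefaults]' '    default_realm = RESEARCH.CS.BERKELEY.EDU' \
        '[realms]' '    RESEARCH.CS.BERKELEY.EDU = {' \
        '        kdc = kdc1.example.org:88' '        kdc = kdc2.example.org' \
        '        admin_server = kdc1.example.org' '    }' \
        '    # cross-realm peer' '    EXAMPLE.ORG = {' \
        '        kdc = kdc.example.org' '    }' \
        '[domain_realm]' '    .example.org = EXAMPLE.ORG'
}

for r in RESEARCH.CS.BERKELEY.EDU EXAMPLE.ORG NOSUCH.EXAMPLE; do
    echo "== $r"
    sample_conf | list_kdcs "$r" - || echo "(no kdc entries in file)"
done
```

On the affected client, run `list_kdcs` once for each realm on the cross-realm path and compare the output with the hosts that are actually logging the repeated requests.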