[OpenAFS] Re: aklog claims it can't contact KDC, but KDC is issuing tickets
Adam Megacz
megacz@cs.berkeley.edu
Tue, 07 Mar 2006 10:59:04 -0800
Jeffrey Altman <jaltman@secure-endpoints.com> writes:

> Diagnosis: Firewall configuration blocks inbound UDP traffic from
> YOUR-REALM KDC

I suspected this as well, but found it highly improbable that his NAT
would treat traffic from the two realms differently (they're both on
the same departmental network on campus).

> Now this could be a broken NAT. It would be a NAT that is incapable
> of opening a port to allow traffic from two source addresses at the
> same time.

Ah, now *that* makes sense!

> * kinit *****@EECS.BERKELEY.EDU
> * kvno krbtgt/RESEARCH.CS.BERKELEY.EDU@EECS.BERKELEY.EDU
> * aklog -d -c research.cs.berkeley.edu
> What this will do is force the acquisition of the cross-realm TGT to
> use a different port on the client machine than the one that is used
> for the afs service ticket request.

Hrm, okay. I certainly trust your word, but could you perhaps explain
to me how/why adding the "kvno" command to the usual authentication
sequence forces use of a different port?

Thanks again; this is the most promising lead yet.
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
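The "broken NAT" Jeffrey describes (a mapping that only admits replies from one remote address at a time) and the reason the kvno workaround helps (the two KDC requests leave the client from different UDP ports) can be shown with a small simulation. The following is an added example, not code from the thread, OpenAFS or any Kerberos library: it models a port-restricted UDP NAT that remembers either a single peer per mapping (the broken case) or any number of peers (a conventional NAT), and a client that sends one request to each of two KDCs before either reply comes back. The client address, the KDC addresses (documentation ranges) and the port numbers are all constructed; the model does not reproduce how a real krb5 library chooses sockets, only the contrast between reusing one client port for both realms and using a separate port per request.

```python
"""Constructed model of a NAT that cannot keep a UDP mapping open for two
remote KDC addresses at once, and of the fix of using one client port per
request.  Addresses and ports below are made up for the example."""

CLIENT = "10.0.0.5"  # constructed private address of the client behind the NAT

# Constructed KDC endpoints in documentation address ranges; not the real
# Berkeley KDCs.  Order matters: the cross-realm TGT request goes to the
# first realm's KDC, the AFS service ticket request to the second.
KDCS = {
    "EECS.BERKELEY.EDU": ("192.0.2.10", 88),
    "RESEARCH.CS.BERKELEY.EDU": ("198.51.100.20", 88),
}


class Nat:
    """Port-restricted UDP NAT.

    Each inside (ip, port) gets one external port.  An inbound datagram to
    that external port is accepted only from a remote endpoint the inside
    host has already sent to through the mapping.  With single_peer=True the
    mapping remembers only the most recent remote endpoint, which is the
    broken behaviour discussed in the thread; with single_peer=False it
    remembers every endpoint, like a conventional NAT.
    """

    def __init__(self, single_peer):
        self.single_peer = single_peer
        self.mappings = {}   # (inside_ip, inside_port) -> [external_port, set(peers)]
        self.by_ext = {}     # external_port -> (inside_ip, inside_port)
        self.next_ext = 40000
        self.dropped = []    # (remote_endpoint, external_port) of rejected datagrams

    def outbound(self, src, dst):
        """Record an outbound datagram; return the external port it leaves on."""
        if src not in self.mappings:
            ext = self.next_ext
            self.next_ext += 1
            self.mappings[src] = [ext, set()]
            self.by_ext[ext] = src
        ext, peers = self.mappings[src]
        if self.single_peer:
            peers.clear()      # the broken NAT forgets the previous remote peer
        peers.add(dst)
        return ext

    def inbound(self, ext_port, src):
        """Deliver an inbound datagram; return the inside endpoint or None if dropped."""
        inside = self.by_ext.get(ext_port)
        if inside is None or src not in self.mappings[inside][1]:
            self.dropped.append((src, ext_port))
            return None
        return inside


def run_exchange(nat, client_ports):
    """Send one request to each KDC in KDCS order, using the given inside UDP
    port for each, with both requests outstanding before any reply arrives.
    Returns the realms whose KDC reply reached the client."""
    pending = []
    for (realm, kdc), port in zip(KDCS.items(), client_ports):
        ext = nat.outbound((CLIENT, port), kdc)
        pending.append((realm, kdc, ext))
    delivered = []
    for realm, kdc, ext in pending:
        if nat.inbound(ext, kdc) is not None:
            delivered.append(realm)
    return delivered


if __name__ == "__main__":
    # Broken NAT, both requests from the same client port: the first KDC's
    # reply is dropped, which looks to the client like "cannot contact KDC".
    print(run_exchange(Nat(single_peer=True), [5000, 5000]))
    # Broken NAT, a separate client port per request: both replies arrive.
    print(run_exchange(Nat(single_peer=True), [5000, 5001]))
    # Conventional NAT, same client port for both: both replies arrive.
    print(run_exchange(Nat(single_peer=False), [5000, 5000]))
```

The first run reproduces the symptom in the subject line: the KDC does issue a ticket, but its reply never makes it back through the NAT because the mapping has already been repointed at the second KDC. The second run is the effect of the kvno workaround, where the two requests leave on different client ports and therefore get separate mappings. The third run shows that a NAT which tracks several peers per mapping never had the problem, which is why the symptom points at the NAT rather than at either KDC.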