[OpenAFS] Re: aklog claims it can't contact KDC, but KDC is issuing tickets

Ken Hornstein kenh@cmf.nrl.navy.mil
Tue, 07 Mar 2006 14:07:39 -0500


>Just got some results back.  Most importantly, I got the ktrace.out
>(MacOS equivalent of truss/strace dump) from the user.  I'm going to
>analyze it this afternoon.  Getting a traceroute packet dump is going
>to be more of a challenge since MacOS doesn't ship with traceroute
>(argh!).

Do you really want a traceroute packet dump, or a tcpdump packet dump?
In my experience, the system call tracer won't be very much help; I am
sure all it will tell you was that it sent packets to your KDC, but it
never saw any replies.  You already know that.

BTW, on my OS X box:

% which traceroute
/usr/sbin/traceroute
% which tcpdump
/usr/sbin/tcpdump

These were both part of the base OS; I certainly didn't install them
as part of another package.

>Valid Starting     Expires            Service Principal
>03/07/06 07:35:59  03/07/06 17:35:59  krbtgt/EECS.BERKELEY.EDU@EECS.BERKELEY.EDU
>         renew until 03/14/06 07:35:59
>03/07/06 07:35:59  03/07/06 17:35:59  krbtgt/RESEARCH.CS.BERKELEY.EDU@EECS.BERKELEY.EDU
>         renew until 03/14/06 07:35:59

So, this tells me that you couldn't contact the RESEARCH.CS.BERKELEY.EDU
KDC (you get the cross-realm TGT from your local realm, then use it to
get service tickets in the foreign realm).

One other thing that occurs to me: the user might have a firewall that
they forgot that they configured a long time ago.  They might have opened
it to EECS.BERKELEY.EDU KDCs, but not to RESEARCH.CS.BERKELEY.EDU KDCs.
Well, judging from the log files the problem is the replies from the KDC,
which are going to ephemeral ports which people like to block, for some
strange reason.

--Ken
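As an added illustration (not part of Ken's message or of OpenAFS), a small Python parser for a klist listing laid out like the one quoted above: it picks out the cross-realm TGT and names the realm whose KDC still has to answer before aklog can get its AFS service ticket. The listing it parses is constructed to mirror the quoted one; the service principal afs/cell@REALM is assumed as the kind of ticket aklog asks for.

```python
import re

# Constructed sample klist listing, laid out like the one quoted in the
# thread (not a capture from the user's machine).
SAMPLE_KLIST = """\
Valid Starting     Expires            Service Principal
03/07/06 07:35:59  03/07/06 17:35:59  krbtgt/EECS.BERKELEY.EDU@EECS.BERKELEY.EDU
         renew until 03/14/06 07:35:59
03/07/06 07:35:59  03/07/06 17:35:59  krbtgt/RESEARCH.CS.BERKELEY.EDU@EECS.BERKELEY.EDU
         renew until 03/14/06 07:35:59
"""

# A ticket line is two timestamps followed by the service principal; the
# header and the indented "renew until" lines do not match.
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")

def parse_klist(text):
    """Return [(service, issuing_realm)] for each ticket line."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            service, _, realm = m.group(3).rpartition("@")
            tickets.append((service, realm))
    return tickets

def cross_realm_tgts(tickets):
    """Map foreign realm -> issuing realm for each krbtgt/FOREIGN@LOCAL."""
    out = {}
    for service, realm in tickets:
        if service.startswith("krbtgt/"):
            target = service.split("/", 1)[1]
            if target != realm:
                out[target] = realm
    return out

def next_kdc_to_contact(tickets, service_realm):
    """Realm whose KDC must answer before a service ticket in
    service_realm (e.g. afs/cell@RESEARCH.CS.BERKELEY.EDU) can be had.
    A cross-realm TGT proves the local KDC already answered; what is
    left is a round-trip to the foreign KDC, whose reply comes back to
    the client's ephemeral source port."""
    local = {r for s, r in tickets if s == "krbtgt/" + r}
    if service_realm in local or service_realm in cross_realm_tgts(tickets):
        return service_realm
    # No cross-realm TGT yet: the local KDC has to issue one first.
    return next(iter(local), None)
```

Run against the sample, it reports RESEARCH.CS.BERKELEY.EDU as the realm whose KDC reply has yet to make it back to the client, which is exactly the hop a firewall rule on ephemeral ports would break.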