[OpenAFS] Re: aklog claims it can't contact KDC, but KDC is issuing tickets

Douglas E. Engert deengert@anl.gov
Tue, 07 Mar 2006 13:36:17 -0600

Adam Megacz wrote:

> Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>>Also, didn't you say cross-realm was involved?  It could be possible that
>>there is a firewall blocking access to your KDC (well, more likely blocking
>>the replies).
> Yeah, in theory this would be caused by the NAT blocking RESEARCH.CS's
> KDC but not EECS.CS's KDC.  In practice I'm really skeptical about
> this (they're on the same class B, in the same building on campus, and
> the user is at home)

Does one realm support TCP to the KDC, but the other does not?
Thus the kinit works using TCP, but the UDP for the cross-realm
does not.

But I think krb524d only supports UDP, so aklog might still eventually
fail if it is a NAT/firewall UDP problem.


