[OpenAFS] AFS client behind NAT
Georg Troska
georg.troska@uni-dortmund.de
Mon, 14 Jan 2008 09:18:54 +0100
Hi,
I'm new here and I hope you can help me.
I have 2 AFS Servers, already working for a while, they manage two
different cells. We call them Server A and B.
These two servers are in two different class-c nets and my
university manages routing between them.
The computer of Server A is simultaneously a router to a third subnet,
which is a private net and has nothing to do with the other router.
I have one kerberos-Server based in the b-net. LDAP is there also.
My problem came up while I was changing my home directory from one
cell to the other.
In former times I had my homedir in the AFS directory of server B.
Getting tickets and tokens was no problem. GSSAPI, that means
passwordless ssh-logins through keytabs over kerberos worked fine
Now I changed my homedirectory to AFS-Server B.
Logins do work! But not SSH!
Login from C to A: works
Login from B to C: Could not chdir to home directory [...] Permission
denied
klist says that I have a ticket, but aklog says: Incorrect net
address while getting AFS tickets
-> I need to redo kinit and aklog to get access to my homedir
Login from C to C: Could not chdir to home directory [...] Permission
denied
But unlike before, I can do aklog!
When I try to access my homedir: Connection timed out
Login from C to B: works
Login from B to C: works
I cannot login from B to A as there is no route
I'm not sure if it is a problem with pam or with kerberos
When I log in from B to C, an error message appears in auth.log on the
Kerberos server:
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/atlas.udo.edu@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/atlas.udo.edu@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
but not when I login from C to C
If you have any idea what to do, please let me know. I despair of it.
Georg
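
As an added example (not part of the original message): a small Python triage script that groups the KDC's "Incorrect net address" TGS failures by the source address the KDC saw and the requested service principal. The first four sample lines are the excerpt from the message, rejoined; the last sample line, the regular expression and the function name are constructed for illustration.

```python
import re

# Shape of the MIT krb5kdc TGS_REQ lines quoted in the message above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]: TGS_REQ \([^)]*\) "
    r"(?P<src>[\d.]+): (?P<status>[A-Z_]+): .* for (?P<service>\S+?)"
    r"(?:, (?P<error>.+))?$"
)

# First four lines: the excerpt from the message, rejoined.
# Last line: constructed successful request (documentation address and
# realm) that must not be counted as a failure.
SAMPLE_LOG = """\
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/e4.physik.uni-dortmund.de@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/atlas.udo.edu@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
Jan 14 08:15:05 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 129.217.160.210: PROCESS_TGS: authtime 0, <unknown client> for afs/atlas.udo.edu@E4.PHYSIK.UNI-DORTMUND.DE, Incorrect net address
Jan 14 08:16:12 server3 krb5kdc[1386]: TGS_REQ (1 etypes {1}) 192.0.2.10: ISSUE: authtime 1200294972, etypes {rep=1 tkt=1 ses=1}, user@EXAMPLE.ORG for afs/example.org@EXAMPLE.ORG
"""


def bad_address_failures(lines):
    """Group 'Incorrect net address' TGS failures by (source IP, service)."""
    found = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Skip unparseable lines, successful requests and other error types.
        if not m or m.group("error") != "Incorrect net address":
            continue
        key = (m.group("src"), m.group("service"))
        entry = found.setdefault(key, {"count": 0, "first": m.group("ts")})
        entry["count"] += 1
        entry["last"] = m.group("ts")  # timestamp of the latest failure seen
    return found


if __name__ == "__main__":
    results = bad_address_failures(SAMPLE_LOG.splitlines())
    for (src, service), e in sorted(results.items()):
        print(f"{src} -> {service}: {e['count']} failures, "
              f"{e['first']} .. {e['last']}")
```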