It gets stranger and stranger. Here's what the user types on the
console:
$ kinit [EMAIL PROTECTED] && aklog -d -c research.cs.berkeley.edu
Please enter the password for [EMAIL PROTECTED]:
Authenticating to cell research.cs.berkeley.edu (server
afs.research.CS.Berkeley.EDU).
We've deduced that we need to authenticate to realm RESEARCH.CS.BERKELEY.EDU.
Getting tickets: afs/[EMAIL PROTECTED]
Kerberos error code returned by get_cred: -1765328228
aklog: Couldn't get research.cs.berkeley.edu AFS tickets:
aklog: Cannot contact any KDC for requested realm while getting AFS tickets
So you'd suspect that the RESEARCH.CS.BERKELEY.EDU KDC hasn't been
contacted, right? But this is what I get in the KDC logs (times have
been correlated -- this is in response to the cut-and-paste above):
Mar 05 19:38:40 research.cs.berkeley.edu krb5kdc[1626](info):
TGS_REQ (1 etypes {1}) *.*.*.*: ISSUE: authtime 1141616344,
etypes {rep=1 tkt=1 ses=1}, [EMAIL PROTECTED] for
afs/[EMAIL PROTECTED]
Mar 05 19:38:43 research.cs.berkeley.edu krb5kdc[1626](info):
DISPATCH: repeated (retransmitted?) request from
*.*.*.*, resending previous response
Mar 05 19:39:08 research.cs.berkeley.edu krb5kdc[1626](info):
DISPATCH: repeated (retransmitted?) request from
*.*.*.*, resending previous response
Is there any way to get aklog to be more specific than "Cannot contact
any KDC for requested realm"? Like, can I get it to spit out a list
of what it believes are the KDCs for this realm? Or be more specific
about which realm it means here (cross-realm is involved)?
If it is relevant, the user is behind a NAT (which supports UDP -- he
can kinit properly). I'm not running krb524d and krb5kdc is running
with "-4none".
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
