Problem with KfW 2.1.1 at Lincoln Labs - getting K5, but not K4 ticket ???

[Jonathan McIndoe Hunt]

Hello,

We've encountered an interesting problem at Lincoln Labs after upgrading a 
Windows 2000 machine from Mink-10-18-99 (KfW 2.0) to KfW 2.1.1.  The 
machine gets a Kerb 5 ticket, but does not get a Kerb 4 ticket.  We have 
checked that mink is really gone, that there are not duplicate krb* files 
on the system, that the path is correct, that the krb.con and krbrealm.con 
files are correct.  My guess is that the problem is something to do with 
the configuration of the packet filter at Lincoln Labs.  What has me 
baffled is why is K5 working, but not K4.  We have verified that the K5 
ticket does actually work by connecting to SAP at MIT using it.

Attached is the debug log from acquiring a ticket.  It appears that the 
debug log only contains information related to K4 ticket acquisition.

What ports to which machines must be open in LL's firewall for K4 & K5 
ticket acquisition to work?   Why is K5 working and not K4?  Why does KfW 
2.0 work?

It may be that this is an isolated issue for just this machine, as this was 
the machine upgraded first (removing mink & installing KfW 2.1.1) to verify 
that it worked before applying the change to other machines.

Thanks,
Jon

lrealm is ATHENA.MIT.EDU
krb_udp_port is 88
Getting host entry for kerberos.mit.edu..
Didn't get it.
krb_udp_port is 88
Getting host entry for kerberos-1.mit.edu..
Didn't get it.
krb_udp_port is 88
Getting host entry for kerberos-2.mit.edu..
Didn't get it.
send_to_kdc: can't find any Kerberos host.