Problem with krb524d/aklog and shared hostname keytabs...

Neulinger, Nathan nneul at
Mon Mar 10 14:10:36 EST 2003

We have a set of machines, and gpunix is a multi-a record dns registration with
addresses of gpunix1 and gpunix2.

I have been unable to reliably use tickets forwarded when I connect to, it gets this error:

Authenticating to cell (server
We've deduced that we need to authenticate to realm UMR.EDU.
Getting tickets: afs/@UMR.EDU
Kerberos error code returned by get_cred: -1750206207
aklog: Couldn't get AFS tickets:
aklog: Cannot convert V5 address information while getting AFS tickets

It seems like the krb524d is unable to deal with the addresses
possibly being mismatched when forwarded.

Interestingly, I'm always able to authenticate and forward tickets AGAIN
to another host, and have it work.

For example, telnet from another machine
	fails aklog
	telnet some.other.machine from
	it now works.

It's running a 04/2002 build of krb524d from krb5-current or something
near there. 

When it fails, krb524 gets this error in logs:

Mar 10 13:02:15 afsdb2 krb524d[701]: Unknown code k524 1 - handling

I've tried this with a current build of krb524d with the same result.

Is there any way to easily do this without changing the reverse lookup
for the cluster member ip addrs? (I'd rather have those point back to
the specific machines in the cluster.) Or do you have any other
recommendation on how to get this set up? I know it works with changing
the reverse lookup, but I'd rather avoid that cause it causes a whole
lot of other issues doing that.

-- Nathan

Nathan Neulinger                       EMail:  nneul at
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

More information about the krbdev mailing list