Problem with krb524d/aklog and shared hostname keytabs...
nneul at umr.edu
Mon Mar 10 14:10:36 EST 2003
We have a set of machines gpunix1.cc.umr.edu, gpunix2.cc.umr.edu and
gpunix.umr.edu. gpunix is a multi-a record dns registration with
addresses of gpunix1 and gpunix2.
I have been unable to reliably use tickets forwarded when I connect to
test.umr.edu, it gets this error:
Authenticating to cell umr.edu (server afsdb2.umr.edu).
We've deduced that we need to authenticate to realm UMR.EDU.
Getting tickets: afs/@UMR.EDU
Kerberos error code returned by get_cred: -1750206207
aklog: Couldn't get umr.edu AFS tickets:
aklog: Cannot convert V5 address information while getting AFS tickets
It seems like the krb524d is unable to deal with the fact that the addresses
are possibly mismatched when forwarded.
Interestingly, I'm always able to authenticate and forward tickets AGAIN
to another host, and have it work.
For example, telnet gpunix.umr.edu from another machine
telnet some.other.machine from gpunix.umr.edu
it now works.
It's running a 04/2002 build of krb524d from krb5-current or something.
When it fails, krb524 gets this error in logs:
Mar 10 13:02:15 afsdb2 krb524d: Unknown code k524 1 - handling
I've tried this with a current build of krb524d with the same result.
Is there any way to easily do this without changing the reverse lookup
for the cluster member ip addrs? (I'd rather have those point back to
the specific machines in the cluster.) Or do you have any other
recommendation on how to get this set up? I know it works with changing
the reverse lookup, but I'd rather avoid that cause it causes a whole
lot of other issues doing that.
Nathan Neulinger EMail: nneul at umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216