On July 10, 2017 8:16:05 AM EDT, Andreas Haupt <andreas.ha...@desy.de> wrote: >... it "succeeds" in the CERN.CH case: > >Jul 10 13:27:36 fred-vm1 kdc[12044]: TGS-REQ aha...@ifh.de from >IPv4:141.34.15.17 for host/lxplus040.cern...@ifh.de [canonicalize, >renewable, forwardable] >Jul 10 13:27:36 fred-vm1 kdc[12044]: Searching referral for >lxplus040.cern.ch >Jul 10 13:27:36 fred-vm1 kdc[12044]: Server not found in database: >krbtgt/cern...@ifh.de: Success > >"Server not found" == "Success"? Is this really the expected answer? I >would >guess, no - but not really sure ...
This is a bug in the kdc, or possibly two bugs. First, the database lookup failed and no entry was returned, but the error code was not set and so remained zero, which com_err translates as "Success". Second, the kdc is not sending any response at all. That causes the client to eventually time out and try another kdc. When it runs out of kdcs, it reports an error (unable to contact any kdc in realm). you can confirm this by watching traffic between your client and kdc on port 88, using your favorite packet-capture tool. -- Jeff
