odd behaviour

Love lha at stacken.kth.se
Mon Jun 12 17:09:34 CEST 2000


"P.Dixon" <P.Dixon at qmw.ac.uk> writes:

> Hello,

Hi
 
> Has anyone had trouble (or even tried) klogging to DESY (desy.de) with
> arla? I can klog to SLAC (slac.stanford.edu) and RAL (rl.ac.uk) OK but not
> DESY. The transarc client on our Solaris box is fine in this regard. The
> message I get from DESY is "klog: Unable to authenticate to Kerberos:
> Retry count exceeded (send_to_kdc)".
[....]
> klog: Unable to authenticate to Kerberos: Retry count exceeded
> (send_to_kdc)

16:52:23.366699 dyna225-094.nada.kth.se.59124 > shiva.desy.de.kerberos4:  v4 be KDC_REQUEST: foo. at DESY.DE 600min krbtgt.DESY.DE
16:52:23.417744 KR-Desy.desy.de > dyna225-094.nada.kth.se: icmp: host shiva.desy.de unreachable - admin prohibited filter

Seems like they have filters in their router/firewall (KR-Desy.desy.de)
that reject kerberos requests. Since arla uses kth-krb (and we haven't
bothered writing a ka-client) you can't get any tickets that way.

You should try to get DESY to open up port 750 and 88 to their ka-servers,
then you'll be able to authenticate. As an alternative you can try to use the
klog that you get with the transarc distribution.

As a side note, we have found out that the Transarc NT client talks kerberos too
(not ka as one would expect from Transarc). So if they think that opening
up their router/firewall is a bad idea, you can tell them that you are
running NT with a Transarc client :)

Love
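
The diagnosis in the message above (a KDC request answered by an ICMP "admin prohibited filter" error from a router) can be automated over a saved tcpdump text capture. This is an added example, not part of the original post or of arla; the function name, the 2-second pairing window and the third sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Service names as tcpdump prints them, per the usual /etc/services entries.
KDC_PORTS = {"kerberos4": 750, "750": 750, "kerberos": 88, "88": 88}

REQ = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(kerberos4|kerberos|750|88):")
ICMP = re.compile(r"^(\S+) (\S+) > (\S+): icmp: host (\S+) unreachable"
                  r" - admin prohibited filter")

# The first two lines are the capture quoted in the message; the third is a
# constructed request to a hypothetical KDC that draws no ICMP rejection.
SAMPLE = """\
16:52:23.366699 dyna225-094.nada.kth.se.59124 > shiva.desy.de.kerberos4:  v4 be KDC_REQUEST: foo. at DESY.DE 600min krbtgt.DESY.DE
16:52:23.417744 KR-Desy.desy.de > dyna225-094.nada.kth.se: icmp: host shiva.desy.de unreachable - admin prohibited filter
16:52:30.100000 dyna225-094.nada.kth.se.59125 > kdc.example.org.kerberos:  constructed request
"""


def ts(text):
    """Parse tcpdump's default HH:MM:SS.ffffff timestamp."""
    return datetime.strptime(text, "%H:%M:%S.%f")


def find_filtered_kdcs(capture, window=timedelta(seconds=2)):
    """Pair each admin-prohibited ICMP error with the KDC request it rejects."""
    pending, findings = [], []
    for line in capture.splitlines():
        if m := REQ.match(line):
            # Remember (time sent, client, KDC host, numeric port).
            pending.append((ts(m[1]), m[2], m[4], KDC_PORTS[m[5]]))
        elif m := ICMP.match(line):
            when, router, client, target = ts(m[1]), m[2], m[3], m[4]
            for sent, src, kdc, port in pending:
                in_window = timedelta(0) <= when - sent <= window
                if (src, kdc) == (client, target) and in_window:
                    findings.append(
                        {"kdc": kdc, "port": port, "filtered_by": router})
                    break
    return findings


if __name__ == "__main__":
    for f in find_filtered_kdcs(SAMPLE):
        print(f"{f['kdc']} port {f['port']} rejected by {f['filtered_by']}")
```

A request with no matching ICMP error, like the constructed third line, is not reported; a silent drop looks the same on the wire as a slow server, so only explicit rejections are flagged.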




