chrisgrange
We've setup the appropriate ports on our firewall so that our clients can get kerberos tickets off-site - the plan was to authenticate to our VPN this way.
We have 2 kdcs (kdc1 and kdc2) and I've made kdc1 externally accessible. Everything worked well when I tested yesterday afternoon, I could get a ticket and authenticate to the VPN. However when I tried again later I got the error message:-
Kerberos Login Failed: Cannot contact any KDC for requested realm
From watching tcpdump it appears that it's now trying to talk to kdc2, perhaps as a result of being connected to the VPN and pulling down some prefs.
I've tried specifying the kdc in edu.mit.Kerberos like so:-
[realms]
DOMAIN.NET = {
kdc = "kdc1.domain.net:88"
}
but it still appears to be trying to talk to kdc2. Running
sudo tcpdump -v -i en1 dst kdc2.domain.net
reports kerberos traffic whilst running
sudo tcpdump -v -i en1 dst kdc1.domain.net
reports 0 packets. So why is the machine ignoring the kdc specified in the pref file? Is there another way to force a specific kdc, or am I going to have to make kdc2 externally accessible as well?
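A small diagnostic helper, added here as an example and not part of the original post: it parses an MIT-style Kerberos config (edu.mit.Kerberos or krb5.conf) to show which kdc entries the [realms] section actually carries for a given realm, reports the dns_lookup_kdc setting from [libdefaults], and offers a port-88 reachability probe. Two things worth checking when a client talks to a KDC you did not list: the realm name in [realms] must match the requested realm exactly (case included), and when dns_lookup_kdc is enabled the MIT library also consults DNS SRV records (_kerberos._udp.REALM), which can add KDCs the file never mentions. The sample config at the bottom is constructed for the demonstration; the file path, the nc probe and the realm are assumptions.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). Assumes an MIT-style
# Kerberos config and a realm name in upper case, as the library expects.

# Print every kdc= value listed for REALM inside the [realms] section.
# Usage: list_kdcs /Library/Preferences/edu.mit.Kerberos DOMAIN.NET
list_kdcs() {
    conf="$1"; realm="$2"
    awk -v realm="$realm" '
        /^[[:space:]]*#/ { next }                       # skip comments
        /^[[:space:]]*\[/ {                              # section header
            section = $0; gsub(/\[|\]|[[:space:]]/, "", section); next
        }
        inrealm && /^[[:space:]]*\}/ { inrealm = 0; next }   # end of realm block
        inrealm {
            l = $0; sub(/^[[:space:]]+/, "", l)
            if (l ~ /^kdc[[:space:]]*=/) {
                sub(/^kdc[[:space:]]*=[[:space:]]*/, "", l)
                gsub(/"/, "", l)                         # strip surrounding quotes
                print l
            }
            next
        }
        section == "realms" {
            l = $0; gsub(/[[:space:]]/, "", l)           # e.g. "DOMAIN.NET={"
            if (l == realm "={") inrealm = 1           # exact, case-sensitive match
        }
    ' "$conf"
}

# Print the dns_lookup_kdc value from [libdefaults], or "unset" if absent.
# When it is not false, DNS SRV records for the realm can add further KDCs.
dns_lookup_kdc() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { section = $0; gsub(/\[|\]|[[:space:]]/, "", section); next }
        section == "libdefaults" {
            l = $0; gsub(/[[:space:]]/, "", l)
            if (l ~ /^dns_lookup_kdc=/) { sub(/^dns_lookup_kdc=/, "", l); print l; found = 1 }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Probe a host[:port] entry on TCP 88 (assumes the nc binary; needs network access).
probe_kdc() {
    host="${1%%:*}"; port="${1##*:}"
    [ "$port" = "$1" ] && port=88
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then echo "$1 reachable"; else echo "$1 unreachable"; fi
}

# Constructed sample config mirroring the snippet in the post (not a real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = DOMAIN.NET
    dns_lookup_kdc = false
[realms]
    DOMAIN.NET = {
        kdc = "kdc1.domain.net:88"
        admin_server = "kdc1.domain.net"
    }
EOF

echo "kdc entries for DOMAIN.NET: $(list_kdcs "$SAMPLE_CONF" DOMAIN.NET)"
echo "dns_lookup_kdc: $(dns_lookup_kdc "$SAMPLE_CONF")"
# To test reachability of each listed KDC from off-site, uncomment:
# list_kdcs "$SAMPLE_CONF" DOMAIN.NET | while read -r k; do probe_kdc "$k"; done
```

Run the two parsers against the live preference file and compare the output with what tcpdump shows; if the file lists only kdc1 but the client still contacts kdc2, confirm whether dns_lookup_kdc is in effect and what `dig SRV _kerberos._udp.domain.net` returns, since SRV answers are merged with the file's entries and a VPN-pushed DNS server can change that answer.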