From January 16th 2012, The CERN KDCs (afsdb1,afsdb2 and afsdb3) will no longer provide a Kerberos service, and if you have the CERN realm defined in the /etc/krb5.conf file on your Linux desktops, then you, or those responsible for your site’s Kerberos configuration (krb5.conf) should replace the afsdb KDCs with a single alias - cerndc.cern.ch.

Please note:
On Windows (MIT KFW users) the file may be found at C:/Windows/krb5.ini
On MacOS the file may instead be found at /Library/Preferences/edu.mit.Kerberos
 

This operation has already been carried out on CERN-IT managed Scientific Linux hosts, but those logging in with CERN accounts, or using Kerberos commands such as ‘kinit’ and ‘aklog’ on non CERN-IT managed Linux or Mac OS desktops should refer to the following instructions http://linux.web.cern.ch/linux/docs/kerberos-migrate.shtml.

From January 16th 2012, those with afsdb1, afsdb2 or afsdb3 defined as KDCs in their  /etc/krb5.conf configurations will experience authentication problems when connecting to CERN resources through ssh, or when using other resources such as SVN, CVS etc.

This Kerberos change was first reported at the IT Technical Users Meeting, October 6th 2010: http://indico.cern.ch/event/ITUM-2

A FAQ / Knowledge Base article titled "Problems using aklog, kinit, ssh and other programs when /etc/krbs5.conf contains deprecated KDCs" has been created in Service-Now and can be consulted at https://cern.service-now.com/service-portal/article.do?n=KB0000992

Please contact Kerberos-support@cern.ch for more information