Hi Don,

On Tue, Jan 19, 2010 at 01:10:16PM -0800, root wrote:
> [root_at_sandbox3 ~]# clog \
>  -method kerberos5 coda_admin_user_at_coda.realm \
>  -tokenserver sandbox2.host.domain 370 \
>  -krealm KERBEROS.REALM \
>  -kdc sandbox2.host.domain \
>  -servprinc coda/sandbox2.host.domain 

Given that the Coda server is configured to use the principal
 coda/sandbox2.host.domain
and given that there is a Coda user named
 coda_admin_user
this should work.

> I attempted the password three times for each clog command above -- twice 
> with password correct, and once with password incorrect.  When password was 
> correct, I got the following: 
> 
> Password for coda_admin_user/default_at_coda.domain:
> Invalid login (RPC2_NOTAUTHENTICATED (F)). 

This may mean that the coda_admin_user is missing (?)
in Coda realm (what says pdbtool about this user?)

> When password was incorrect, I got the following: 
> 
> krb5secret: Password incorrect
> clog: failed to login to Kerberos 

Quite right.

> So, we know that clog is connecting to the auth2 daemon.  I don't really 
> know how the auth2 daemon is connecting to kerberos, but I suspect that may 
> be the segment which is failing.  I simply don't know if it is failing 
> because of:

It seems that clog gets a Kerberos ticket all right but that the
authentication server does not like what it gets - either it is configured
for a different service principal or is missing the corresponding keytab
entry or there is no such user in Coda.

Regards,
Rune