See below the KRB5_TRACE file (domains/realms cleaned up). It could well be
DNS, but other programs (e.g. dig) respond correctly and recognize when the
network comes back up.

Kai

> [18010] 1497006307.510633: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006307.510733: Setting initial creds service to krbtgt/MY.REALM@MY.REALM
> [18010] 1497006307.510807: Looked up etypes in keytab: aes256-cts, rc4-hmac, des3-cbc-sha1, des-cbc-crc
> [18010] 1497006307.510877: Sending request (193 bytes) to MY.REALM
> [18010] 1497006307.510906: Resolving hostname my.kdc.fqdn
> [18010] 1497006307.511120: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006307.511154: Setting initial creds service to krbtgt/MY.REALM@MY.REALM
> [18010] 1497006307.511199: Looked up etypes in keytab: aes256-cts, rc4-hmac, des3-cbc-sha1, des-cbc-crc
> [18010] 1497006307.511225: Sending request (193 bytes) to MY.REALM
> [18010] 1497006307.511236: Resolving hostname my.kdc.fqdn
> [18010] 1497006308.512362: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006308.512531: Setting initial creds service to krbtgt/MY.REALM@MY.REALM
> [18010] 1497006308.512679: Looked up etypes in keytab: aes256-cts, rc4-hmac, des3-cbc-sha1, des-cbc-crc
> [18010] 1497006308.512761: Sending request (193 bytes) to MY.REALM
> [18010] 1497006308.512796: Resolving hostname my.kdc.fqdn
> [18010] 1497006310.514982: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006310.515150: Setting initial creds service to krbtgt/MY.REALM@MY.REALM
> [18010] 1497006310.515300: Looked up etypes in keytab: aes256-cts, rc4-hmac, des3-cbc-sha1, des-cbc-crc
> [18010] 1497006310.515378: Sending request (193 bytes) to MY.REALM
> [18010] 1497006310.515412: Resolving hostname my.kdc.fqdn
> [18010] 1497006314.516629: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006314.516779: Setting initial creds service to krbtgt/MY.REALM@MY.REALM
> [18010] 1497006314.516917: Looked up etypes in keytab: aes256-cts, rc4-hmac, des3-cbc-sha1, des-cbc-crc
> [18010] 1497006314.516993: Sending request (193 bytes) to MY.REALM
> [18010] 1497006314.517027: Resolving hostname my.kdc.fqdn
> [18010] 1497006322.525217: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006322.525387: Setting initial creds service to krbtgt/MY.REALM@MY.REALM
> [18010] 1497006322.525529: Looked up etypes in keytab: aes256-cts, rc4-hmac, des3-cbc-sha1, des-cbc-crc
> [18010] 1497006322.525612: Sending request (193 bytes) to MY.REALM
> [18010] 1497006322.525647: Resolving hostname my.kdc.fqdn
> [18010] 1497006338.541837: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006338.542026: Setting initial creds service to krbtgt/MY.REALM@MY.REALM
> [18010] 1497006338.542185: Looked up etypes in keytab: aes256-cts, rc4-hmac, des3-cbc-sha1, des-cbc-crc
> [18010] 1497006338.542262: Sending request (193 bytes) to MY.REALM
> [18010] 1497006338.542302: Resolving hostname my.kdc.fqdn

On Fri, 9 Jun 2017 at 10:56 Sam Hartman <hartm...@debian.org> wrote:

> I wonder if your nss stack is somehow caching something about the
> network and the name servers and that kstart process is no longer able
> to resolve KDCs.
> It would be interesting to set KRB5_TRACE to a file, run kstart such
> that it is failing and see what specifically is not working.
> My bet is on DNS
>

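An added example, not part of the original thread: a small parser for KRB5_TRACE output like the trace in this message. It counts the attempts whose last logged step is "Resolving hostname" and reports the interval between attempts. The sample input is constructed, and its final attempt with KDC traffic (documentation address 192.0.2.10) is an assumed contrast case, not something from the message.

```python
import re

# Constructed sample modelled on the trace above (same placeholder names).
# The first entry is mail-wrapped; the last attempt's two KDC lines are an
# assumed healthy contrast, not taken from the message.
SAMPLE = """\
> [18010] 1497006308.512362: Getting initial credentials for
host/jason@MY.REALM
> [18010] 1497006308.512761: Sending request (193 bytes) to MY.REALM
> [18010] 1497006308.512796: Resolving hostname my.kdc.fqdn
> [18010] 1497006310.514982: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006310.515412: Resolving hostname my.kdc.fqdn
> [18010] 1497006314.516629: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006314.517027: Resolving hostname my.kdc.fqdn
> [18010] 1497006322.525217: Getting initial credentials for host/jason@MY.REALM
> [18010] 1497006322.525647: Resolving hostname my.kdc.fqdn
> [18010] 1497006322.531000: Sending initial UDP request to dgram 192.0.2.10:88
> [18010] 1497006322.540000: Received answer (250 bytes) from dgram 192.0.2.10:88
"""

ENTRY = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")

def parse_trace(text):
    """Return [timestamp, message] pairs, rejoining mail-wrapped lines."""
    events = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()   # drop e-mail quote marker
        m = ENTRY.match(line)
        if m:
            events.append([float(m.group(1)), m.group(2)])
        elif line and events:          # continuation of the previous entry
            events[-1][1] += " " + line
    return events

def attempts(events):
    """Group entries into attempts; each starts at 'Getting initial credentials'."""
    out = []
    for ts, msg in events:
        if msg.startswith("Getting initial credentials"):
            out.append({"start": ts, "steps": []})
        if out:
            out[-1]["steps"].append(msg)
    return out

def summarize(text):
    atts = attempts(parse_trace(text))
    # Last logged step is name resolution: the trace shows nothing sent to a KDC.
    stalled = sum(a["steps"][-1].startswith("Resolving hostname") for a in atts)
    gaps = [round(b["start"] - a["start"]) for a, b in zip(atts, atts[1:])]
    return {"attempts": len(atts), "stalled": stalled, "gaps": gaps}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```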