I have an existing pool of CentOS Stream 8 hosts running 8.8.13 successfully using:
  SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS
  SCHEDD.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS
  TOOL.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS
  COLLECTOR.SEC_DEFAULT_AUTHENTICATION_METHODS = FS, KERBEROS
for authentication. When I try to use the same config for 9.0.4 it fails with
  AUTH_ERROR: Client not found in Kerberos database
We're using AD as our Kerberos server.
There are valid host/ entries in the /etc/krb5.keytab files.
I have another cluster in a different lab that is successfully running 9.0 against Kerberos. In both cases I've made no changes to /etc/condor/config.d/00-htcondor-9.0.config. Oddly enough, that cluster is running without the ALLOW_DAEMON = $(ALLOW_WRITE) setting, though I've added that to the cluster that's failing.
I'd prefer not to go through the bother of converting to the new tokens system as I don't really want to have to manually type a password on every host. (It wouldn't be so bad if I could just have Puppet drop a common /etc/condor/tokens.d/condor@mypool file in place but that doesn't seem to be sufficient, instead emitting a "TOKEN: No token found." error.)
Anyway, getting back on track, any pointers on where I should be looking to see why the Kerberos config that works in 8.8.x doesn't work in 9?
I tried running condor_check_config but:
sudo condor_check_config
Traceback (most recent call last):
  File "/bin/condor_check_config", line 92, in <module>
    main()
  File "/bin/condor_check_config", line 84, in main
    message = check_dead_allow_write()
  File "/bin/condor_check_config", line 62, in check_dead_allow_write
    if len(allow_write) :
UnboundLocalError: local variable 'allow_write' referenced before assignment
thanks,
nomad