Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 11 Troubleshooting

Troubleshooting Kerberos

When troubleshooting problems with Kerberos, you need a reference point from which to work. For example, is the problem on the remote system or on the local system? However, the terms “local” and “remote” are limited in their description of complex communications, such as when a local system logs on to a remote system and then the remote system logs back onto the local system. At that point, which is the local system and which is the remote system?

A better solution is to use the terms “client” and “server”. The term “client” refers to a process that requests a service from another process. The term “server” refers to a process or a host that performs operations requested by local or remote hosts that are running client processes.

A typical network service consists of two cooperating programs. The client program runs on the requesting system. The server program runs on the system with which you want your system to communicate. The client program initiates requests to communicate; the server program accepts requests for communication. For example, the network service rlogin is a client program that requests a log on to a remote HP-UX or UNIX system. When inetd receives the request to log on to the remote host, inetd invokes the server program for rlogin (called rlogind) to handle the service request.

Error Messages

The error messages that a service displays on the client can originate from either the client or the server. Error messages from the client occur before a connection is completely established; error messages from the server occur after a connection is completely established.

Logging Capabilities

The security server handles the system logging differently.

UNIX Syslog File

The security server daemons, kadmind, kpropd, and kdcd, write error messages to the system log file (/var/adm/syslog/syslog.log). You can also configure the daemons to log messages to a different file. To specify a different file name, use the following command when starting the daemon:

# kdcd -l <log file name>

or

# kadmind -l <log file name>

However, principal database operations performed locally on the primary security server using the HP Kerberos Administrator are not recorded because these programs do not use syslog to audit their activities.

The syslog daemon (syslogd) is configured using the /etc/syslog.conf file, which controls where your log files are located. For example, you can configure syslog to send messages to /usr/adm/messages.

The security server daemons log an entry for each transaction and whether the transaction succeeded or failed. The number of transactions that are logged in your syslog file is determined by how you have configured the reporting levels.

The security server uses the following syslog reporting levels:

  • LOG_ERR - Displays security server errors.

  • LOG_WARNING - Displays security server warnings.

  • LOG_NOTICE - Displays secured application server errors.

The server logs informational messages through syslog. The syslog file can grow large if it is not maintained properly. The syslog file is specified in /etc/syslog.conf, which has a symbolic link to the /var/adm/messages directory.

Check the size of this file to make sure it does not use an overwhelming amount of system disk space. If the /var partition grows to 100 percent utilization, syslog stops writing log messages and may even shut down active processes, such as the daemons.

Create a shell script to be executed daily or weekly by cron to check the syslog file size, partition utilization, or both, and to detect any problems. In addition, you must archive the syslog files regularly to a separate partition, drive, or server.
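
The following script is an added illustration of the cron check described in this section; it is not part of HP's Kerberos product. The paths /var/adm/syslog/syslog.log and /var are the ones named in this chapter; the 100 MB and 90 percent thresholds, the script name syslog_check.sh, and the use of du -k and df -P are assumptions to adjust for your site.

```sh
#!/bin/sh
# syslog_check.sh: added example for this guide, not HP-supplied code.
# Checks the size of the security server's syslog file and the utilization of
# the partition that holds it, for use from cron daily or weekly.
# The thresholds and the partition name are assumptions; adjust them to your site.

LOG_FILE="${LOG_FILE:-/var/adm/syslog/syslog.log}"   # default from the guide
LOG_PARTITION="${LOG_PARTITION:-/var}"               # partition the guide warns about
MAX_LOG_KB="${MAX_LOG_KB:-102400}"                    # assumed limit: 100 MB
MAX_USE_PCT="${MAX_USE_PCT:-90}"                      # warn well before 100 percent

# Size of a file in kilobytes; 0 if it does not exist. du -k is portable
# between HP-UX and Linux.
file_size_kb() {
    if [ -f "$1" ]; then
        du -k "$1" | awk '{ print $1 }'
    else
        echo 0
    fi
}

# Extract the capacity percentage (fifth column) from one line of df -P output.
use_pct_from_df_line() {
    printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# Current utilization of the filesystem holding a path, via the POSIX df -P format.
partition_use_pct() {
    use_pct_from_df_line "$(df -P "$1" | tail -1)"
}

# Compare measured values against the limits. Return status: 0 = both checks pass,
# 1 = log file too large, 2 = partition too full, 3 = both. Taking the numbers as
# arguments keeps the decision logic testable without touching live files.
evaluate() {
    size_kb=$1; use_pct=$2; max_kb=$3; max_pct=$4
    status=0
    if [ "$size_kb" -gt "$max_kb" ]; then
        echo "WARNING: $LOG_FILE is ${size_kb} KB (limit ${max_kb} KB): archive it" >&2
        status=$((status + 1))
    fi
    if [ "$use_pct" -ge "$max_pct" ]; then
        echo "WARNING: $LOG_PARTITION is ${use_pct}% full (limit ${max_pct}%): syslogd stops logging at 100%" >&2
        status=$((status + 2))
    fi
    return $status
}

# Run the live check only when invoked as "syslog_check.sh run", e.g. from crontab:
#   0 6 * * * /usr/local/sbin/syslog_check.sh run
case "$1" in
    run) evaluate "$(file_size_kb "$LOG_FILE")" "$(partition_use_pct "$LOG_PARTITION")" \
                  "$MAX_LOG_KB" "$MAX_USE_PCT" ;;
esac
```

The exit status distinguishes the two conditions so that a cron wrapper can archive the log on status 1 or 3 and page an operator on status 2 or 3; warnings go to standard error so cron mails them to the owner of the crontab.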

Services Checklist

While troubleshooting, ensure that you have answered all the questions in the troubleshooting checklist in the section “Characterizing a Problem”. Ensure that your node name and Internet address exist in the /etc/hosts file, and run the service on your own node. If the server authenticates successfully, both the client and the server side of the service operate correctly. This provides a starting point for determining where the problems are occurring.

Troubleshooting Techniques

Table 11-2 “Troubleshooting Scenarios” describes various troubleshooting scenarios and provides tips for solving potential problems. These tips help you identify and resolve a problem quickly.

Table 11-2 Troubleshooting Scenarios

Scenario: Permission denied while initializing krb5.
Cause: The /opt/krb5/krb.conf file is set to read-only by root.
Troubleshooting Tips: Reset the permissions to 644.

Scenario: Host name cannot be made canonical while selecting the best principal.
Cause: The hostname is longer than 8 characters. A uname -n returns only the first 8 characters of the name.
Troubleshooting Tips: Add the 8-character name to the /etc/hosts file (append it to the end of the existing IP address or host name entry).

Scenario: ASN.1 failed call to system time library while dispatching.
Cause: This message is usually displayed when a client requests a krbtgt with a bad lifetime value.

Scenario: Clock skew too great in KDC reply while getting initial credentials.
Cause: This problem generally occurs because the clock of the system deviates too much from the time on the authenticating KDC. A clock skew of up to 5 minutes is allowed.
Troubleshooting Tips: You must run NTP or a similar service to keep your system clock synchronized with a reference atomic clock. If you do not know how to do this, contact your system administrator to resolve this problem.

Scenario: Requesting host principal without fully qualified domain name; Server not found in the Kerberos database while getting the credentials from KDC; Incorrect network address while getting credentials from KDC.
Cause: The host uses the /etc/hosts file to resolve name lookups before using DNS. This problem occurs when the entry for the host in the /etc/hosts file lists the unqualified host name before the fully qualified domain name. This problem can also occur if the /etc/hosts file has a different IP address for a host than the DNS server has.

Scenario: The /opt/krb5/krb.conf file not found.
Cause: The krb.conf file has not been created.
Troubleshooting Tips: Copy the sample file, krb.conf.sample, from /opt/krb5/example and edit it accordingly.

Scenario: Cannot open or find the configuration file while initializing the Kerberos code.
Cause: This problem occurs when you try to create the database and the krb.conf file is not found in the /opt/krb5 directory.
Troubleshooting Tips: Copy the sample file, krb.conf.sample, from /opt/krb5/example and edit it accordingly.

Scenario: Required parameters in krb.realms missing while initializing the Kerberos context.
Cause: This problem occurs when parameters are missing or incorrect in the krb.realms file.
Troubleshooting Tips: Ensure that the krb.realms file has the appropriate information.

Scenario: Stored master key is corrupted while initializing kadminl interface.
Cause: This message appears if the stash file is corrupted.
Troubleshooting Tips: Recreate the stash file.

Scenario: Cannot find or read stored master key while getting the master key.
Cause: This problem occurs when the stash file is missing.
Troubleshooting Tips: Create the stash file.

Scenario: Cannot open or find the Kerberos configuration file while initializing the krb5 library.
Cause: This problem occurs when the krb.conf file does not exist.

Scenario: Client/server realm mismatch in initial ticket request while initializing the kadmin interface.
Cause: This problem occurs when you have an old credential cache file that holds credentials for another realm.
Troubleshooting Tips: Use the kdestroy utility to destroy your old credential cache, or specify the principal name with kadmin -p <pname>.

Scenario: Cannot resolve network address for KDC in the requested realm while getting initial credentials.
Troubleshooting Tips: Check your resolv.conf file.

Scenario: Decrypt integrity check failed while verifying the master key.
Cause: This problem occurs when the passwords do not match.

Scenario: Decrypt integrity check failed while initializing the kadminl interface.
Cause: This problem occurs when the passwords do not match.

Scenario: Cannot find/read stored master key while getting master key.
Cause: This problem occurs when the stash file is not found.
Troubleshooting Tips: Provide the master key as a command-line option. You can also create the stash file.

Scenario: Error verifying pre-authentication data type 2.
Cause: This problem occurs due to an incorrect password.
Troubleshooting Tips: Enter the correct password.

Scenario: Service key not available while getting initial credentials.
Cause: This problem can occur if your principal has a 3DES key but not a DES key and the Kerberos client does not support 3DES, or vice versa.
Troubleshooting Tips: Create identical key types.
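
The following script is an added illustration and is not part of HP's Kerberos product. It checks in advance for four of the conditions listed in Table 11-2: a missing /opt/krb5/krb.conf, a krb.conf whose mode is not 644, a node name longer than 8 characters, and /etc/hosts entries that list the unqualified name before the fully qualified domain name. The file locations are the ones named in the table; the script name krb_preflight.sh, the function names, and the sample hosts entries in the comments are assumptions.

```sh
#!/bin/sh
# krb_preflight.sh: added example for this guide, not HP-supplied code.
# Checks, before kinit or kadmin is run, for the conditions behind four rows of
# Table 11-2. File locations follow the guide; everything else is an assumption.

KRB_CONF="${KRB_CONF:-/opt/krb5/krb.conf}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Classify one line of a hosts file. Exit status: 0 = acceptable (FQDN listed
# first, or a comment/blank line), 1 = a short alias precedes the FQDN,
# 2 = no fully qualified name present on the line.
hosts_line_ok() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { exit 0 }        # comment or blank line
        {
            sub(/#.*/, "")                # drop a trailing comment, re-split fields
            if (NF < 2) exit 0            # address without names: nothing to check
            if ($2 ~ /\./) exit 0         # fully qualified name first: correct
            for (i = 3; i <= NF; i++)
                if ($i ~ /\./) exit 1     # FQDN present but after a short name
            exit 2
        }'
}

# Walk a hosts file and report each mis-ordered entry; returns the count found.
# Example of a bad entry (constructed): "10.1.2.4 app1 app1.example.com"
hosts_file_check() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        rc=0; hosts_line_ok "$line" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "WARNING: short name before FQDN in $1: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return $bad
}

# The guide's uname -n limit: names longer than 8 characters are truncated.
nodename_ok() {
    [ "${#1}" -le 8 ]
}

# krb.conf permission check: the expected mode 644 appears in ls -l as -rw-r--r--.
mode_string_ok() {
    [ "$1" = "-rw-r--r--" ]
}

# Live checks against the real files; returns the number of findings.
preflight() {
    findings=0
    if [ ! -f "$KRB_CONF" ]; then
        echo "ERROR: $KRB_CONF not found; copy /opt/krb5/example/krb.conf.sample and edit it" >&2
        findings=$((findings + 1))
    elif ! mode_string_ok "$(ls -l "$KRB_CONF" | cut -c1-10)"; then
        echo "WARNING: $KRB_CONF is not mode 644" >&2
        findings=$((findings + 1))
    fi
    if ! nodename_ok "$(uname -n)"; then
        echo "WARNING: node name $(uname -n) is longer than 8 characters" >&2
        findings=$((findings + 1))
    fi
    hosts_file_check "$HOSTS_FILE" || findings=$((findings + $?))
    return $findings
}

# Run the live checks only when invoked as "krb_preflight.sh run".
case "$1" in
    run) preflight ;;
esac
```

Run it as root before creating the database or requesting initial credentials; a non-zero exit status is the number of findings, and each finding names the table row it corresponds to so the matching tip can be applied.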

Table 11-3 Troubleshooting Scenarios for your LDAP-based Kerberos server

Scenario: LDAP entry type not supported.
Cause: The Kerberos server does not support reference entries.
Troubleshooting Tips: Remove the reference entries associated with the Kerberos attribute.

Scenario: Incomplete Kerberos entry in LDAP.
Cause: One or more Kerberos principal attributes are missing or corrupted in the Directory server.
Troubleshooting Tips: Delete the Kerberos principal and recreate it. This could indicate a potential security problem.

Scenario: Another Kerberos principal associated with this DN.
Cause: The DN that you have specified for the Kerberos principal is already associated with another Kerberos principal.
Troubleshooting Tips: Specify another DN, because you can associate only one Kerberos principal with any DN.

Scenario: Connection to the LDAP server was lost.
Cause: Connection to the LDAP server was lost.
Troubleshooting Tips: Verify that the Directory server is accessible; otherwise, restart the Directory server. You can also restart the Kerberos server, if needed.

Scenario: LDAP server timeout.
Cause: The Directory server timed out a request.
Troubleshooting Tips: You may need to increase the timeout on the Directory server.

Scenario: LDAP server error when processing the request.
Cause: The Directory server encountered an error while processing the request.
Troubleshooting Tips: Look into the corresponding error on the Directory server to troubleshoot this. You may need to change parameters such as the maximum number of entries returned on the Directory server.

Scenario: Improper format of /opt/krb5/krb5_ldap.conf.
Cause: The format of the configuration file /opt/krb5/krb5_ldap.conf is incorrect.
Troubleshooting Tips: Verify the contents of the entries present in the configuration file /opt/krb5/krb5_ldap.conf.

Scenario: LDAP authentication failed.
Cause: The Kerberos server was unable to connect to the Directory server with the information provided in the /opt/krb5/krb5_ldap.conf configuration file.
Troubleshooting Tips: Verify that the values of proxy_user and proxy_user_password are correct. Ensure that you change the value of proxy_user_password whenever you change either the password of the proxy user in the Directory server or the master key.

Scenario: LDAP initialization failed.
Troubleshooting Tips: Verify that the Directory server’s hostname and port number are valid.

Scenario: ldap_clientauth_init failed.
Troubleshooting Tips: Verify that the certificate present in the certdbpath is valid. Verify that the Directory server is properly configured to use SSL.

Scenario: ldap_init failed.
Troubleshooting Tips: Verify that the certificate present in the certdbpath is valid. Verify that the Directory server is properly configured to use SSL.

Scenario: LDAP database is read-only.
Cause: An attempt to modify the Kerberos entry failed because the Directory server entry is read-only.
Troubleshooting Tips: Edit the Kerberos configuration file, krb5_ldap.conf, to specify a directory server that can be updated, and restart all Kerberos server applications.

Scenario: Insufficient access on LDAP.
Cause: The proxy user does not have sufficient privileges to add, modify, delete, and search for entries on the Directory server.
Troubleshooting Tips: Change the configuration on the Directory server to allow add, modify, delete, and search privileges under the default_princ_subtree and base_dn_for_search. When you add a Kerberos principal, ensure that you specify it under the base_dn_for_search.

Scenario: Incorrect LDAP DN.
Cause: The DN specified is not valid.
Troubleshooting Tips: Ensure that you add the DN under the base_dn_for_search in the Directory server.

Scenario: Unavailable or invalid libldap.so.
Troubleshooting Tips: Verify that the LDAP-UX product is installed correctly on the Kerberos server.

© 2007 Hewlett-Packard Development Company, L.P.