Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 11 Troubleshooting

General Errors


The following are general problems that you may encounter while setting up your Kerberos server, and the checks that address them:

  • Ensure that the Domain Name Server (DNS) is working properly. Several aspects of Kerberos rely on this name service. It is important that your DNS entries and your hosts have the correct information. The canonical name of each host must be a fully qualified host name, including the domain, and each IP address of the host must resolve to the respective canonical name.

  • Ensure that you remove all trailing spaces in the configuration files. Trailing spaces can cause problems with the server. If trailing spaces are present in the configuration file, the following error message appears:

    kdcd cannot start the database for the realm

  • The Kerberos daemons kdcd and kadmind, by default, do not dump core.

    If you, as the administrator, want the kadmind daemon to dump core, you need to create a DEBUG file in the directory /var/adm/krb5/kadmind/DEBUG, with the setuid bit set.

    If you need the kdcd daemon to dump core, you must create a DEBUG file in the directory /var/adm/krb5/kdc/DEBUG with the setuid bit set.
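The DNS requirement in the first item above can be checked per host before the server is started. The following Python sketch is an added example, not part of the HP guide or the Kerberos product: the function name check_host_dns, the sample host names and the 192.0.2.x addresses are constructed for illustration, and the default resolver calls cover IPv4 only.

```python
import socket

def check_host_dns(name, forward=socket.gethostbyname_ex,
                   reverse=socket.gethostbyaddr):
    """Return a list of forward/reverse DNS problems for one host.

    forward(name) and reverse(addr) both return (canonical, aliases, addrs).
    They default to the system resolver (IPv4) and can be swapped for tests.
    """
    problems = []
    try:
        canonical, _aliases, addresses = forward(name)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return [f"{name}: forward lookup failed ({exc})"]
    # DNS names compare case-insensitively; ignore the trailing root dot.
    canonical = canonical.rstrip(".").lower()
    if "." not in canonical:
        problems.append(f"{name}: canonical name '{canonical}' is not fully qualified")
    # Every address of the host must map back to the same canonical name.
    for addr in addresses:
        try:
            ptr = reverse(addr)[0].rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{addr}: reverse lookup failed ({exc})")
            continue
        if ptr != canonical:
            problems.append(f"{addr}: resolves to '{ptr}', expected '{canonical}'")
    return problems

# Constructed sample records (not real hosts) so the example runs offline.
SAMPLE_FORWARD = {
    "kdc1": ("kdc1.example.com", [], ["192.0.2.10", "192.0.2.11"]),
    "app1": ("app1", [], ["192.0.2.20"]),
}
SAMPLE_REVERSE = {"192.0.2.10": "kdc1.example.com",
                  "192.0.2.11": "kdc1-mgmt.example.com",
                  "192.0.2.20": "app1"}

def sample_forward(name):
    if name not in SAMPLE_FORWARD:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return SAMPLE_FORWARD[name]

def sample_reverse(addr):
    return (SAMPLE_REVERSE[addr], [], [addr])

if __name__ == "__main__":
    for host in ("kdc1", "app1", "missing"):
        result = check_host_dns(host, sample_forward, sample_reverse)
        print("\n".join(result or [f"{host}: OK"]))
```

Called with only a host name, check_host_dns uses the system resolver, so it reports what the Kerberos hosts themselves would see.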

Forgotten Passwords

If a user forgets the password, you must reset it. To reset the password, you must have the following administrative permissions:

  • i for Inquire About Principals.

  • c for Change Principal Passwords.

Using the graphical user interface or the command-line administrator, change the password and inform the user of the new temporary password. By default, the user must change the password on the next logon.

Locking and Unlocking Accounts

If a user or a service principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the account is locked and the principal is not issued a ticket. Alternatively, a security administrator may have purposefully locked a principal account so that it cannot be used. In each case, the principal remains in the principal database but is unable to use the Kerberos services.

To unlock a principal account, use the graphical user interface or command-line administrator. In the HP Kerberos Administrator>Principal Information>Principals tab, clear the Lock Principal checkbox.

You must have the correct administrative permissions (i for Inquire About Principals and m for Modify Principals) to lock or unlock an account.

Invoke the command-line administrator, kadmin, and use the mod [principal] attr {lock | unlock} command.

Clock Synchronization

While client clocks are not required to be closely synchronized with the security server or application server, HP recommends that you loosely synchronize all client clocks with the server.

If the client clock is outside the permitted clock skew of 5 minutes, the log file on the client system contains entries that indicate this condition.

To eliminate the warnings, synchronize the client clock with the server to within 5 minutes.

NOTE: You must closely synchronize all security server and application server clocks. HP recommends that you implement a secured time service to ensure that all clocks are synchronized.
© 2007 Hewlett-Packard Development Company, L.P.