Installing, Configuring and Administering the Kerberos Server on HP-UX 11i: HP 9000 Networking > Chapter 5 Troubleshooting

Troubleshooting Kerberos


When troubleshooting problems with Kerberos, you need a reference point to work from. For example, does the problem exist on the remote system or on the local system? However, the terms "local" and "remote" are limited in their description of complex communications, such as when a local system logs onto a remote system and then the remote system logs back onto the local system. At that point, which is the local system and which is the remote system?

A better solution is to use the terms "client" and "server." The term "client" refers to a process that is requesting a service from another process. The term "server" refers to a process or host that performs operations requested by local or remote hosts that are running client processes.

A typical network service consists of two co-operating programs. The client program runs on the requesting system. The server program runs on the system with which you want your system to communicate. The client program initiates requests to communicate. The server program accepts requests for communication. For example, the network service rlogin is the client program that requests a login to a remote HP-UX or UNIX system. When the request to log in is received on the remote host by inetd, inetd invokes the server program for rlogin (called rlogind) to handle the service request.

Error Messages

The error messages generated by a service as seen on the client can be generated by the client or the server. Error messages from the client occur before a connection is completely established. Error messages from the server occur after a connection is completely established.

Services Checklist

  • Did you answer the questions in the troubleshooting checklist at the beginning of this chapter?

  • Run the service to your own node. To do this, your node name and internet address must be in the /etc/hosts file. If the service succeeds, both the client and the server halves of the service operate correctly. This gives you a starting point for determining where problems are occurring.

Troubleshooting Techniques

The following table describes various potential problem scenarios. These notes should help you troubleshoot and pinpoint a problem quickly.

Table 5-2 Table of Error Messages

Each entry below gives the error message, its cause, and (where available) a troubleshooting tip.

Error message: Permission denied while initializing krb5.
Cause: /etc/krb5.conf is readable only by root.
Troubleshooting tip: Reset the permissions to 644.

Error message: No such file or directory while verifying ticket for server
Cause: The host's keytab file, /etc/krb5.keytab, is not found.
Troubleshooting tip: Ensure that the host's keytab file is in its expected location.

Error message: Hostname cannot be canonicalized while selecting the best principal
Cause: The hostname is longer than 8 characters; 'uname -n' returns only the first 8 characters of the name.
Troubleshooting tip: Add the 8-character name to the /etc/hosts file (append it to the end of the existing IP address/hostname line).

Error message: Pre-authentication failed while getting initial credentials
Cause: Your principal has the "requires_preauth" flag set and one of three conditions holds:
  1. You entered your password incorrectly.
  2. The KDC database holds only an AFS-salted key for the principal. This produces a "file not found" error in the KDC logs.
  3. The system's clock is skewed. This is indicated in the KDC logs.

Error message: Internal file credentials cache error while initializing cache
Cause: This message is usually displayed when the Kerberos credentials cache file is owned by someone other than the current user.

Error message: ASN.1 failed call to system time library - while dispatching
Cause: This message is usually displayed when a client requests a krbtgt with a bad lifetime value.

Error message: Clock skew too great in KDC reply while getting initial credentials
Cause: The system's clock deviates too much from the time on the authenticating KDC. You are generally allowed up to five minutes of clock skew.
Troubleshooting tip: Run ntp, or a similar service, to keep your system's clock synchronized with the world's atomic clock. If you do not know how to do this, contact your system administrator.

Error messages: Server not found in Kerberos database while getting the credentials from kdc
                Incorrect net address while getting credentials from kdc
Cause: The host principal is being requested without a fully-qualified domain name. The host uses /etc/hosts to resolve name lookups before DNS, and the line for the host in /etc/hosts lists the unqualified name before the fully-qualified domain name. This problem can also be caused by /etc/hosts giving a different IP address for a host than the DNS server does.

Error message: /etc/krb5.conf not found
Cause: The krb5.conf file has not been created.
Troubleshooting tip: Copy the sample file, krb5.conf.sample, from /var/adm/krb5/krb5kdc and edit it accordingly.

Error message: Can't open/find Configuration file while initializing Kerberos code
Cause: This message occurs when you try to create the database and the krb5.conf file is not found in the /var/adm/krb5/krb5kdc directory.
Troubleshooting tip: Copy the sample file, krb5.conf.sample, from /var/adm/krb5/krb5kdc and edit it accordingly.

Error message: Required parameters in kdc.conf missing while initializing the Kerberos context
Cause: Missing or incorrect parameters in the kdc.conf file.
Troubleshooting tip: Ensure that the kdc.conf file contains the required information.

Error message: Stored master key is corrupted while initializing kadmin.local interface
Cause: The stash file is corrupted.

Error message: Cannot find/read stored master key while initializing kadmin.local interface.
Cause: The stash file is located using the values entered in the kdc.conf file and cannot be found or read with them.

Error message: Can't open/find Kerberos configuration file while initializing krb5 library.
Cause: krb5.conf is not present.

Error message: Client/server realm mismatch in initial ticket request while initializing kadmin interface.
Cause: An old credential cache file holds credentials for another realm.
Troubleshooting tip: Use the kdestroy utility to destroy your old credential cache, or use kadmin -p <pname>.

Error message: Cannot resolve network address for KDC in requested realm while getting initial credentials.
Troubleshooting tip: Check your resolv.conf file.

Error message: Decrypt integrity check failed while verifying master key
Cause: Passwords do not match.

Error message: Decrypt integrity check failed while initializing kadmin.local interface.
Cause: Passwords do not match.

Error message: KADM5_RPC_ERROR: Communication failure with Server
Cause: An RPC timeout occurred while kadmin was communicating with kadmind.
Troubleshooting tip: Set the environment variable KADMIN_TIMEOUT, which specifies the timeout value for kadmin, to a value between 45 and 1200 seconds. By default, this variable is set to 45 seconds.
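Several of the client-side causes in Table 5-2 (krb5.conf permissions, a missing keytab, an /etc/hosts line with the short name first or an address that disagrees with DNS, and an out-of-range KADMIN_TIMEOUT) can be checked before a login attempt fails. The POSIX shell script below is an added example, not part of the HP manual; it takes file paths as arguments so it can be run against copies, builds its own constructed sample files (the addresses, names and realm are made up), and takes the DNS answer as an argument rather than querying a name server, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the HP manual: pre-flight checks for several
# client-side causes in Table 5-2. Paths are passed as arguments so the
# checks can be exercised on constructed copies instead of the live /etc.
# Each check prints a verdict and returns 0 (OK) or 1 (problem found).

# "Permission denied while initializing krb5": /etc/krb5.conf must be 644.
check_krb5_conf_mode() {
    conf="$1"
    [ -f "$conf" ] || { echo "MISSING: $conf (copy krb5.conf.sample and edit it)"; return 1; }
    # ls -l rather than stat(1): the latter is not guaranteed on HP-UX.
    mode=$(ls -l "$conf" | cut -c1-10)
    case "$mode" in
        -rw-r--r--) echo "OK: $conf is mode 644"; return 0 ;;
        *) echo "PROBLEM: $conf is $mode, expected -rw-r--r-- (chmod 644)"; return 1 ;;
    esac
}

# "No such file or directory while verifying ticket for server":
# the host keytab (/etc/krb5.keytab by default) must exist.
check_keytab_present() {
    keytab="${1:-/etc/krb5.keytab}"
    if [ -f "$keytab" ]; then echo "OK: keytab $keytab present"; return 0; fi
    echo "PROBLEM: keytab $keytab not found"; return 1
}

# "Server not found in Kerberos database" / "Incorrect net address":
# the /etc/hosts line for the host must list the fully-qualified name
# before the short alias, and its address must agree with DNS. The DNS
# address is passed in (e.g. from nslookup) so this runs offline.
check_hosts_entry() {
    hosts="$1"; fqdn="$2"; dns_ip="$3"
    short=${fqdn%%.*}
    line=$(awk -v f="$fqdn" -v s="$short" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == f || $i == s) { print; exit } }' "$hosts")
    [ -n "$line" ] || { echo "PROBLEM: no $hosts line for $fqdn"; return 1; }
    set -- $line
    ip=$1; first=$2
    if [ "$first" != "$fqdn" ]; then
        echo "PROBLEM: '$first' precedes $fqdn on the $hosts line; put the FQDN first"
        return 1
    fi
    if [ "$ip" != "$dns_ip" ]; then
        echo "PROBLEM: $hosts says $ip for $fqdn but DNS says $dns_ip"; return 1
    fi
    echo "OK: $fqdn -> $ip, fully-qualified name listed first"; return 0
}

# KADM5_RPC_ERROR: KADMIN_TIMEOUT must lie between 45 and 1200 seconds.
check_kadmin_timeout() {
    t="${1:-45}"                     # 45 s is the documented default
    case "$t" in
        ''|*[!0-9]*) echo "PROBLEM: KADMIN_TIMEOUT='$t' is not a whole number"; return 1 ;;
    esac
    if [ "$t" -lt 45 ] || [ "$t" -gt 1200 ]; then
        echo "PROBLEM: KADMIN_TIMEOUT=$t is outside 45..1200"; return 1
    fi
    echo "OK: KADMIN_TIMEOUT=$t"; return 0
}

# Constructed sample files (not real system files) so the checks can be
# run offline; prints the directory they were written to.
setup_demo_files() {
    d="${TMPDIR:-/tmp}/krb5check.$$.${1:-demo}"
    mkdir -p "$d" || return 1
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$d/krb5.conf"
    chmod 600 "$d/krb5.conf"         # deliberately wrong, as in the table
    : > "$d/krb5.keytab"
    cat > "$d/hosts" <<'EOF'
127.0.0.1       localhost
# kdc1: short alias before the FQDN, the mistake Table 5-2 describes
10.0.0.5        kdc1 kdc1.example.com
10.0.0.6        app1.example.com app1
EOF
    echo "$d"
}

# Stand-alone run against the constructed files.
dir=$(setup_demo_files) || exit 1
check_krb5_conf_mode "$dir/krb5.conf"                    || :
check_keytab_present "$dir/krb5.keytab"                  || :
check_hosts_entry "$dir/hosts" kdc1.example.com 10.0.0.5 || :
check_hosts_entry "$dir/hosts" app1.example.com 10.0.0.6 || :
check_kadmin_timeout "${KADMIN_TIMEOUT:-45}"             || :
rm -r "$dir"
```

On a real host you would point the functions at /etc/krb5.conf, /etc/krb5.keytab and /etc/hosts and pass the address nslookup returns for the host; the kdc1 line in the constructed hosts file is there to show the short-name-first mistake being caught, while the app1 line passes.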

 

General Errors

  • Ensure that the clock on the router is set to the same time as the UNIX host running the KDC server. Hosts are configured to reject responses from any KDC whose clock is not within the specified maximum clock skew, as specified in the krb5.conf file. The default value for the maximum clock skew is five minutes (300 seconds). Kerberos is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC. This has been done in order to prevent intruders from resetting their system clocks in order to continue to use expired tickets.

  • Ensure that the Domain Name Server (DNS) is working properly. Several aspects of Kerberos rely on this name service. It is important that your DNS entries and your hosts have the correct information. Each host's canonical name must be a fully-qualified host name, including the domain, and each host's IP address must reverse-resolve the canonical name.

  • Ensure that you remove all trailing spaces in the configuration files. Trailing spaces can cause problems with the krb5kdc server. Otherwise, a message will appear stating, "krb5kdc cannot start the database for the realm."

  • The Kerberos daemons krb5kdc and kadmind do not dump core by default.

    If you, as the administrator, want the kadmind daemon to dump core, you need to create a file named DEBUG in the directory /var/adm/krb5/kadmind, with the setuid bit set.

    If you need the krb5kdc daemon to dump core, you need to create a file named DEBUG in the directory /var/adm/krb5/kdc/kadmind, with the setuid bit set.
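Two of the General Errors items lend themselves to a quick self-check: whether a host's clock is within the configured clockskew of the KDC (five minutes by default), and whether a configuration file carries the trailing whitespace that stops krb5kdc from opening the realm database. The POSIX shell script below is an added example and not part of the HP manual; it reads clockskew from a krb5.conf [libdefaults] section (falling back to 300 seconds), compares two clock readings given as epoch seconds, and scans a file for trailing spaces or tabs. The krb5.conf and kdc.conf it writes are constructed samples with a deliberate defect in each, and the two epoch values are made up rather than read from a live KDC.

```shell
#!/bin/sh
# Added example, not from the HP manual: checks for two items under
# "General Errors", written against constructed inputs so they run offline.

# Read clockskew (seconds) from the [libdefaults] section of a krb5.conf;
# falls back to 300, the five-minute default the manual cites.
krb5_clockskew() {
    awk '
        /^[ \t]*\[/ { inlib = ($0 ~ /^[ \t]*\[libdefaults\]/) }
        inlib && /^[ \t]*clockskew[ \t]*=/ { sub(/.*=[ \t]*/, ""); v = $0 }
        END { print (v == "" ? 300 : v) }' "$1"
}

# Compare a host clock with the KDC clock (both as epoch seconds) against
# the allowed skew. Returns 0 if the KDC would accept the request, 1 if the
# "Clock skew too great" rejection would apply.
check_clock_skew() {
    host_epoch="$1"; kdc_epoch="$2"; allowed="${3:-300}"
    diff=$((host_epoch - kdc_epoch))
    if [ "$diff" -lt 0 ]; then diff=$((0 - diff)); fi
    if [ "$diff" -gt "$allowed" ]; then
        echo "PROBLEM: clocks differ by ${diff}s, more than clockskew=${allowed}s; synchronize with ntp"
        return 1
    fi
    echo "OK: clocks differ by ${diff}s (limit ${allowed}s)"; return 0
}

# Report configuration lines ending in a space or tab, the cause of the
# "krb5kdc cannot start the database for the realm" symptom. Returns 1
# if any are found.
check_trailing_whitespace() {
    awk '/[ \t]+$/ { printf "PROBLEM: %s line %d ends in whitespace\n", FILENAME, NR; n++ }
         END { if (n) exit 1; print "OK: no trailing whitespace in " FILENAME }' "$1"
}

# Constructed sample files (not real system files); prints their directory.
setup_general_demo() {
    d="${TMPDIR:-/tmp}/krb5general.$$.${1:-demo}"
    mkdir -p "$d" || return 1
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\tclockskew = 120\n' > "$d/krb5.conf"
    # kdc.conf with a trailing space after "{" on the realm line (deliberate defect)
    printf '[realms]\n\tEXAMPLE.COM = { \n\t\tkdc_ports = 88\n\t}\n' > "$d/kdc.conf"
    echo "$d"
}

# Stand-alone run. The two epoch values are constructed: a host 400 s
# ahead of its KDC, which the sample's 120 s clockskew setting rejects.
dir=$(setup_general_demo) || exit 1
skew=$(krb5_clockskew "$dir/krb5.conf")
echo "configured clockskew: ${skew}s"
check_clock_skew 1000000400 1000000000 "$skew" || :
check_trailing_whitespace "$dir/kdc.conf"      || :
check_trailing_whitespace "$dir/krb5.conf"     || :
rm -r "$dir"
```

The skew check is deliberately symmetric (a host behind the KDC is rejected just as one ahead of it), which is why the difference is taken as an absolute value before it is compared with the limit; a difference exactly equal to clockskew still passes.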

© 2001 Hewlett-Packard Development Company, L.P.