Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i: HP 9000 Networking > Chapter 9 Troubleshooting

Troubleshooting Kerberos


When troubleshooting problems with Kerberos, you need a reference point to work from. For example, does the problem exist on the remote system or on the local system? However, the terms "local" and "remote" are limited in their description of complex communications, such as when a local system logs onto a remote system and then the remote system logs back onto the local system. At that point, which is the local system and which is the remote system?

A better solution is to use the terms "client" and "server." The term "client" refers to a process that is requesting a service from another process. The term "server" refers to a process or host that performs operations requested by local or remote hosts that are running client processes.

A typical network service consists of two co-operating programs. The client program runs on the requesting system. The server program runs on the system with which you want your system to communicate. The client program initiates requests to communicate. The server program accepts requests for communication. For example, the network service rlogin is the client program that requests a login to a remote HP-UX or UNIX system. When the request to log in is received on the remote host by inetd, inetd invokes the server program for rlogin (called rlogind) to handle the service request.

Error Messages

The error messages generated by a service as seen on the client can be generated by the client or the server. Error messages from the client occur before a connection is completely established. Error messages from the server occur after a connection is completely established.

Logging Capabilities

System logging is handled differently by the security server.

Unix Syslog File

Each security server daemon (kadmind, kpropd, and kdcd) writes to the system log (syslog) file. You can also configure the daemons to write their logs to any file you specify.

Principal database operations performed locally on the primary server using the Administrator are not recorded, because those programs do not use syslog to audit their activities.

The syslog daemon (syslogd) is configured using the /etc/syslog.conf file, which controls where your log files are located. For example, syslog can be configured to send messages to /usr/adm/messages.

The security server daemons log an entry for each transaction and whether the transaction succeeded or failed. The number of transactions that are logged in your syslog file is determined by how you have configured the reporting levels.

The syslog reporting levels used by the security server are:

  • LOG_ERR - Prints out security server errors.

  • LOG_WARNING - Prints out security server warnings.

  • LOG_NOTICE - Prints out secured application server errors.

The Server logs information messages through syslog. The syslog file can grow large quickly if not maintained. The syslog file is specified in /etc/syslog.conf, which is typically /var/adm/messages.

Check the size of this file to make sure it does not use an overwhelming amount of system disk space. If the /var partition reaches 100 percent utilization, syslog stops writing log messages and may even shut down active processes, that is, the daemons.

Create a shell script to be executed daily or weekly by cron to check the syslog file size, partition utilization, or both, and detect any problems. Also, the syslog files should be archived regularly to a separate partition, drive, or server.
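The cron check described above, written out as an added example (this is not a script from the HP manual). The log file path, mount point, the 50 MB and 80 percent limits, and the use of df -k are assumptions to adjust for your system; on HP-UX, bdf prints the same percent-used column, so DF_CMD=bdf is assumed to work as well.

```sh
#!/bin/sh
# Added example, not from the HP manual: a cron job that checks the syslog
# file size and the utilisation of the partition holding it, as the text
# recommends. File, partition, thresholds and the df command are assumptions;
# adjust them for your system (on HP-UX, DF_CMD=bdf is assumed to give the
# same column layout).

SYSLOG_FILE="${SYSLOG_FILE:-/var/adm/messages}"
SYSLOG_PART="${SYSLOG_PART:-/var}"
MAX_SIZE_KB="${MAX_SIZE_KB:-51200}"     # assumed limit: 50 MB
MAX_USE_PCT="${MAX_USE_PCT:-80}"        # assumed limit: 80 percent
DF_CMD="${DF_CMD:-df -k}"

# file_size_kb FILE: print the file size in KB, rounded up; 0 if it is missing.
file_size_kb() {
    if [ -f "$1" ]; then
        wc -c < "$1" | awk '{ printf "%d\n", ($1 + 1023) / 1024 }'
    else
        echo 0
    fi
}

# parse_use_pct "<df/bdf output>": print the percent-used figure (without the
# % sign) from the last line of the output; empty if no such column exists.
parse_use_pct() {
    printf '%s\n' "$1" | tail -n 1 |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /%$/) { sub(/%/, "", $i); print $i; exit } }'
}

# part_use_pct MOUNTPOINT: run the df command and extract the utilisation.
part_use_pct() {
    parse_use_pct "$($DF_CMD "$1" 2>/dev/null)"
}

# evaluate_thresholds SIZE_KB USE_PCT: print a warning for every limit that is
# exceeded; return 0 when both are within limits, 1 otherwise.
evaluate_thresholds() {
    status=0
    if [ "${1:-0}" -gt "$MAX_SIZE_KB" ]; then
        echo "WARNING: syslog file is ${1} KB (limit ${MAX_SIZE_KB} KB); archive it and truncate it"
        status=1
    fi
    if [ "${2:-0}" -gt "$MAX_USE_PCT" ]; then
        echo "WARNING: syslog partition is ${2}% full (limit ${MAX_USE_PCT}%); syslogd stops logging at 100%"
        status=1
    fi
    return $status
}

# check_syslog FILE MOUNTPOINT: gather the two measurements and evaluate them.
check_syslog() {
    evaluate_thresholds "$(file_size_kb "$1")" "$(part_use_pct "$2")"
}

# Cron entry (assumed path): run daily at 02:00; cron mails the output to root.
#   0 2 * * * /usr/local/sbin/check_syslog.sh
if check_syslog "$SYSLOG_FILE" "$SYSLOG_PART"; then
    echo "syslog check: $SYSLOG_FILE and $SYSLOG_PART are within limits"
else
    echo "syslog check: action needed (see warnings above)"
fi
```

The measurement and the decision are kept in separate functions so the thresholds can be exercised against constructed numbers without touching a real partition; the archiving step the text also recommends is left to the operator because where the archive goes (another partition, drive, or server) is site-specific.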

Services Checklist

  • Did you answer the questions in the troubleshooting checklist at the beginning of this chapter?

  • Run the service to your own node. To do this, your node name and internet address must be in the /etc/hosts file. If the service succeeds, then both the client and the server halves of the service operate correctly. This provides a starting point for determining where problems are occurring.

Troubleshooting Techniques

The following section describes various scenarios for potential problems. These debugging steps should help you troubleshoot and pinpoint a problem quickly.

Table 9-2 Table of Error Messages

Error Message: Permission denied while initializing krb5.
Cause: /opt/krb5/krb.conf is set to read-only by root.
Troubleshooting Tips: Reset the permissions to 644.

Error Message: Hostname cannot be canonicalized while selecting the best principal
Cause: The hostname is longer than 8 characters; 'uname -n' returns only the first 8 characters of the name.
Troubleshooting Tips: Add the 8-character name to the /etc/hosts file (tack it on to the end of the current IP address/hostname line).

Error Message: ASN.1 failed call to system time library - while dispatching
Cause: This message is usually displayed when a client requests a krbtgt with a bad lifetime value.

Error Message: Clock skew too great in KDC reply while getting initial credentials
Cause: The system's clock deviates too much from the time on the authenticating KDC. You are generally allowed up to five minutes of clock skew.
Troubleshooting Tips: Run ntp, or a similar service, to keep your system's clock synchronized with a reference time source. If you do not know how to do this, contact your system administrator.

Error Message:
  Requesting host principal without fully-qualified domain name.
  Server not found in Kerberos database while getting the credentials from kdc
  Incorrect net address while getting credentials from kdc
Cause: The host uses /etc/hosts to resolve names before DNS, and the line for the host in /etc/hosts lists the unqualified name before the fully-qualified domain name. This problem can also be caused by /etc/hosts having a different IP address for a host from what the DNS server has.

Error Message: /opt/krb5/krb.conf not found
Cause: The krb.conf file has not been created.
Troubleshooting Tips: Copy the sample file, krb5.conf.sample, from /opt/krb5/example and edit it accordingly.

Error Message: Can't open/find Configuration file while initializing Kerberos code
Cause: krb.conf is not found in the /opt/krb5 directory when you try to create the database.
Troubleshooting Tips: Copy the sample file, krb.conf.sample, from /opt/krb5/example and edit it accordingly.

Error Message: Required parameters in krb.realms missing while initializing the Kerberos context
Cause: Missing or incorrect parameters in the krb.realms file.
Troubleshooting Tips: Ensure that the krb.realms file has the appropriate information present.

Error Message: Stored master key is corrupted while initializing kadminl interface
Cause: The stash file is corrupted.

Error Message: Cannot find/read stored master key while getting the master key.
Cause: Stash file missing.

Error Message: Can't open/find Kerberos configuration file while initializing krb5 library.
Cause: krb.conf not present.

Error Message: Client/server realm mismatch in initial ticket request while initializing kadmin interface.
Cause: You had an old credential cache file, which held credentials for another realm.
Troubleshooting Tips: Use the kdestroy utility to destroy your old credential cache, or use kadmin -p <pname>.

Error Message: Cannot resolve network address for KDC in requested realm while getting initial credentials.
Troubleshooting Tips: Check your resolv.conf file.

Error Message: Decrypt integrity check failed while verifying master key
Cause: Passwords do not match.

Error Message: Decrypt integrity check failed while initializing kadminl interface.
Cause: Passwords do not match.

Error Message: Cannot find/read stored master key while getting master key
Cause: Stash file not found.
Troubleshooting Tips: Provide the master key as a command line option. You can also create the stash file.

Error Message: error verifying pre-authentication data type 2
Cause: Incorrect password.
Troubleshooting Tips: Key in the right password.

Error Message: Service key not available while getting initial credentials
Cause: Your principal has only a 3DES key but no DES key, and the Kerberos client does not support 3DES (or vice versa).
Troubleshooting Tips: Create identical key types.
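Two of the causes in the table are /etc/hosts layout problems that can be caught before the error appears: an unqualified name listed ahead of the fully-qualified name, and a host name longer than the 8 characters 'uname -n' returns without a matching 8-character alias on the same line. The following pre-flight check is an added example, not a tool shipped with the HP Kerberos server; the host table it scans is constructed for the example, and it assumes every line that carries a fully-qualified name is a candidate host principal.

```sh
#!/bin/sh
# Added example, not from the HP manual: a pre-flight check for the two
# /etc/hosts problems listed in Table 9-2. The sample host table below is
# constructed for the example; run the check on the real file with
#   hosts_check "$(cat /etc/hosts)"

SAMPLE_HOSTS='# constructed sample, not a real host table
127.0.0.1    localhost
10.0.0.5     kdcserver01.example.com kdcserver01
10.0.0.6     appsrv appsrv.example.com
10.0.0.7     kdc.example.com kdc'

# hosts_check "<hosts file content>": print one finding per problem line and
# return 1 if anything was found, 0 if the table is clean. Only lines that
# carry a fully-qualified name are examined, so loopback entries are ignored.
hosts_check() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || NF < 2 { next }
        {
            ip = $1; first = $2; fqdn = ""
            for (i = 2; i <= NF; i++) if ($i ~ /\./) { fqdn = $i; break }
            if (fqdn == "") next
            # Table 9-2: an unqualified name ahead of the FQDN makes lookups
            # return the short name, so the host principal is requested
            # without its domain and is not found in the database.
            if (first !~ /\./) {
                print "hosts: " ip " lists \"" first "\" before FQDN " fqdn
                bad = 1
            }
            # Table 9-2: uname -n returns only the first 8 characters of the
            # name, so that 8-character form must also appear on the line.
            split(fqdn, p, ".")
            short = p[1]
            if (length(short) > 8) {
                trunc = substr(short, 1, 8); found = 0
                for (i = 2; i <= NF; i++) if ($i == trunc) found = 1
                if (!found) {
                    print "hosts: " ip " lacks 8-character alias \"" trunc "\" for " short
                    bad = 1
                }
            }
        }
        END { exit bad }'
}

if hosts_check "$SAMPLE_HOSTS"; then
    echo "hosts: no problems found"
else
    echo "hosts: fix the lines above, then re-run the service"
fi
```

On the constructed sample the check reports two lines: the kdcserver01 entry is missing the alias kdcserve, and the appsrv entry lists the short name before appsrv.example.com. The fixes are the ones the table gives: append the 8-character name to the line, and move the fully-qualified name in front of the short one.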

 

© 2002 Hewlett-Packard Development Company, L.P.