Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i: HP 9000 Networking > Chapter 9 Troubleshooting

General Errors

  • Ensure that the Domain Name Server (DNS) is working properly. Several aspects of Kerberos rely on this name service. It is important that your DNS entries and your hosts have the correct information. Each host's canonical name must be a fully-qualified host name, including the domain, and each host's IP address must reverse-resolve the canonical name.

  • Ensure that you remove all trailing spaces in the configuration files. Trailing spaces can cause problems with the Server; if they are left in place, a message appears stating, "kdcd cannot start the database for the realm."

  • The Kerberos daemons kdcd and kadmind do not dump core by default.

    If you, as the administrator, want the kadmind daemon to dump core, you need to create a file DEBUG in the directory, /var/adm/krb5/kadmind/DEBUG, with the setuid bit set.

    If you need the kdcd daemon to dump core, you need to create a file DEBUG in the directory, /var/adm/krb5/kdc/DEBUG, with the setuid bit set.
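The DNS requirement in the first item above (a fully-qualified canonical name, and every address reverse-resolving to that name) can be checked per host. The following Python sketch is an added example, not part of the HP documentation; the host names and addresses in it are constructed sample data, and the function names are hypothetical.

```python
import socket
import sys

def _sys_forward(name):
    # System resolver (IPv4): returns (canonical_name, aliases, addresses).
    canonical, _aliases, addrs = socket.gethostbyname_ex(name)
    return canonical, addrs

def _sys_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def check_host(name, forward=_sys_forward, reverse=_sys_reverse):
    """Return a list of problems for one host; an empty list means consistent."""
    try:
        canonical, addrs = forward(name)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return [f"{name}: forward lookup failed ({exc})"]
    canonical = canonical.rstrip(".").lower()
    problems = []
    if "." not in canonical:
        problems.append(f"{name}: canonical name '{canonical}' is not fully qualified")
    for ip in addrs:
        try:
            back = reverse(ip).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{name}: {ip} has no reverse entry ({exc})")
            continue
        if back != canonical:
            problems.append(f"{name}: {ip} reverse-resolves to '{back}', not '{canonical}'")
    return problems

# Constructed sample records standing in for DNS so the check runs offline.
SAMPLE_FWD = {"kdc1": ("kdc1.example.com", ["192.0.2.10"]),
              "app1": ("app1", ["192.0.2.20"]),            # short canonical name
              "app2": ("app2.example.com", ["192.0.2.30"])}  # no reverse record
SAMPLE_REV = {"192.0.2.10": "kdc1.example.com", "192.0.2.20": "app1.example.com"}

def sample_forward(name):
    if name not in SAMPLE_FWD:
        raise socket.gaierror("name not known")
    return SAMPLE_FWD[name]

def sample_reverse(ip):
    if ip not in SAMPLE_REV:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_REV[ip]

if __name__ == "__main__":
    hosts = sys.argv[1:]  # with no arguments, the constructed sample is checked
    fwd, rev = (_sys_forward, _sys_reverse) if hosts else (sample_forward, sample_reverse)
    for host in hosts or SAMPLE_FWD:
        for line in check_host(host, fwd, rev) or [f"{host}: OK"]:
            print(line)
```

Run it with the security server and application server host names as arguments to use the system resolver.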

Forgotten Passwords

If an application user forgets the password, you need to reset the password. To do this, you must have the correct administrative permissions: i for Inquire About Principals and c for Change Principal Passwords.

Using either Administrator or Command-Line-Administrator, change the password and inform the user of the new temporary password. By default, the user will be required to change the password on the next logon.

Locking and Unlocking Accounts

If a user or a service principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the account is locked and the principal will not be issued a ticket. Alternatively, a security administrator may have purposefully locked a principal account so that it temporarily cannot be used. In each case, the principal remains in the principal database, but is unable to use Kerberos services.

To unlock a principal account, use either the Administrator or Command-Line-Administrator.

Using the Administrator:

  1. Go to the Principal information window - Principals tab.

  2. Select the Attributes tab.

  3. Clear the Lock Principal box.

You must have the correct administrative permissions, i for Inquire About Principals and m for Modify Principals, to lock or unlock an account.

Using the Command-Line-Administrator:

  1. Invoke the tool by typing kadmin at the command-line prompt.

  2. Use the mod [principal] attr {lock | unlock} command.

Clock Synchronization

While client clocks are not required to be closely synchronized with the security server or application server, we recommend that you do loosely synchronize all client clocks with the server.

If the client clock is outside the permitted clock skew of five minutes, you will see entries in the client system's log file that indicate the condition.

To eliminate the warnings, synchronize the client clock with the server to within five minutes.

NOTE: You must closely synchronize all security server and application server clocks. We recommend that you implement a secured time service to ensure that all clocks are synchronized.
© 2002 Hewlett-Packard Development Company, L.P.