|
||||||
|
||||||
User Information Home
 NCSA's Help Desk is available 24 hours a day, seven days a week, 365 days a year: NCSA Kerberos Troubleshooting for UnixSee the Windows troubleshooting page for Windows information.Problems seen by users
Problems seen by administrators
telnet issuesThis error can be caused when you have a different login name on the local machine as compared to the machine you are loging into. To log in in these situation you need to specify your login name on the target machine with the -l option, for example: telnet -l myncsausername modi4.ncsa.uiuc.eduI have also seen this problem occur when a user creates a .k5login file in his home directory and does not add his own principal in the file. Just add the users principal to his .k5login if this is the case.
Kadminkadmin: Added user's don't have V4 salt When you add a user using the 'addprinc' command in kadmin, normally two keys are created, a no salt key (kerberos 5) and a V4 salt key (for kerberos 4). It appears however that the KDC can get into a state where it doesn't create the V4 salted key. I believe this is a bug under Solaris 2.4. For example, normally after creating a user and and then examing the principal with 'getprinc' you will see: <...stuff deleted...> Number of keys: 2 Key: vno 4, DES cbc mode with CRC-32, no salt Key: vno 4, DES cbc mode with CRC-32, Version 4 <...stuff deleted> However, when things are broken and you create a user you will see: Number of keys: 1 Key: vno 4, DES cbc mode with CRC-32, no salt To fix this kill the KDC processes (krb5kdc, kadmind, krb524d) and restart them.
kadmin: Cannot resolve KDC for requested realm while initializing kadmin interface This error usually occurs when setting up a RedHat Linux system that included the kerberos package during instalation. The default kerberos package includes a configuration file, /etc/krb5.conf, that doesn't include NCSA Realm or settings. To fix this simply move or remove the /etc/krb5.conf file and it should find the /usr/local/krb5/etc/krb5.conf file.
We've seen this occur when a server's hostname had changed. Try removing the old /etc/krb5.keytab file. General Errors(various clients): Permission denied while initializing krb5 I've seen this error caused by /etc/krb5.conf not being world-readable. It's permissions should be 644.
(various clients): Requesting host principal
without fully-qualified domain name
I've seen this caused because the host uses /etc/hosts to resolve name lookups before dns and the line for the host in /etc/hosts contains the un-fully qualified domain name before the fully-qualified one. For example /etc/hosts might contain: 141.142.1.1 trepid trepid.ncsa.uiuc.edu Change this to: 141.142.1.1 trepid.ncsa.uiuc.edu trepidI have also seen this problem caused by the /etc/hosts has a different IP address in it for a host from what the DNS server has (using an nslookup).
krlogind issuesI've seen this caused becuase inetd was started by root with KRBCCNAME set in it's environment. Kill inetd and restart it making sure that KRBCCNAME isn't set.
krlogind: No authentications systems were enabled I've seen this caused because klogind wasn't getting the '-k' argument when started up. Check /etc/inetd.conf
aklog issuesaklog: Couldn't get ncsa.uiuc.edu AFS tickets I've seen this caused becuase krb524d isn't running on the KDC. The full error message looks like: aklog: Couldn't get ncsa.uiuc.edu AFS tickets: aklog: Service not responding while getting AFS tickets aklog: Segfault / Segmentation Fault We've seen 'aklog' segfault when /etc/krb5.conf wasn't world readable.
ksu issuesksu: ksu: permission denied (shell) I've seen this caused by the target user's shell not being listed in /etc/shells.
ksu: Not owner while selecting the best principal ksu: Operation not permitted while selecting the best principal ksu will spit out error messages like these when it is not set-uid root.
ksu: Asks for password for root@NCSA.EDU Assuming you have created the .k5login file as specified (see the page on setting up ksu for details), the most common mistake made is people put .k5login in / when ~root (root's home directory) is actually somewhere else (e.g. /root).
ksu: No such file or directory while verifying ticket for server I've seen this caused by the host's keytab file (/etc/krb5.keytab) not being found. See the ksu setup directions for more details.
ksu: Bad file number while verifying ticket for server I've seen this caused by the host's key not being in the keytab file (/etc/krb5.keytab). This usually means the hostname has been changed, the key was added incorrectly to the file, or the host isn't using it's fully qualified domain name. ksu: Hostname cannot be canonicalized while selecting the best principal I have seen this error on HPUX machines where the hostname is longer than 8 characters. A 'uname -n' returns the first 8 characters of the name, where a 'hostname' will return the full hostname. What needs to be done is to add the 8 character name to the /etc/hosts file (just tack it on to the end of the current IP address/hostname line). Ie.: 1.2.3.4 lhostname.uiuc.edu lhostname lhostnam ksu: Bad format in credentials cache while opening ccache We've seen this error reported with the /tmp filesystem was full. kpasswd: Connection timed out changing password We've seen this error when a host was using a really old /etc/krb5.conf file that was pointing to an incorrect KDC. Make sure you have the most recent krb5.conf file available in AFS: /afs/ncsa/packages/kerberos/Common/krb5.conf/krb5.conf
kinit issueskinit: Internal file credentials cache error when initializing cache I've seen this caused because the Kerberos credentials file (as specified by the environment variable KRB5CCNAME) was owned by someone other than the current user. I think this happened because I su'ed then kinited, so it was owned by root, then I exited the root shell and tried to kinit.
kinit: Preauthentication failed while getting initial credentials This happens when a user's principal has the "requires_preauth" flag and either one of three things occurs:
kinit: Clock skew too great in KDC reply while getting initial credentials This basically means the clock on you system is too far off from the correct time. Your machine needs to be within 5 minutes of the Kerberos servers in order to get any tickets. You will need to run ntp, or a similar service to keep your clock within the five minute window. If you do not know how to do this then you should contact your system administrator to resolve this. If it is not possible then you can use ssh instead of Kerberos. kinit: password prompt states "Password for myloginname@example.com:", how do I get the NCSA realm? This error usually occurs when setting up a RedHat Linux system that included the kerberos package during instalation. The default kerberos package includes a configuration file, /etc/krb5.conf, that has EXAMPLE.COM as the default realm and doesn't include NCSA Realm or settings. To fix this simply move or remove the /etc/krb5.conf file and it should find the /usr/local/krb5/etc/krb5.conf file. kinit: Key table entry not found while getting initial credentialsI have seen this happen when users try to kinit with a keytab file "kinit -k -t keytabfile.keytab". What usually needs to be done is to add the principal name (username) who you are trying to authenticate as at the end of the command "kinit -k -t keytabfile.keytab principal", otherwise it assumes you are trying to authenticate as your username. kinit: Credentials cache I/O operation failed XXX when initializing cacheklist: No credentials cache found Both of these errors are common when the /tmp filesystem is full.
rlogin issuesrlogin: Bad sendauth version was sent I've seen this cause by krlogind not getting the '-k' argument.
SGI issuesSGI: Kerberos daemons not responding inetd on SGIs won't service connections if the binary for the service is unavailble when inetd starts up. This happens with Kerberos daemons if they are coming out of AFS, because inetd starts before AFS by default on SGIs. The short term solution is to SIGHUP inetd when this happens. A long term solution is still being investigated.
KDC issuesKRB5KDC: ASN.1 failed calll to system time library - while dispatching I've seen this error caused because a client was requesting a krbtgt with a bad lifetime value. It results in an unknown RPC error on the client.
ftpd issuesftpd: ftpd dies with SIGBUS with -d flag under Solaris 2.4 with GSSAPI authentication is done It dies somewhere around parsing the ADAT data. According to gdb it dies in syslog(), but I can get any further than that.
ftp issuesftp: UNKNOWN_SERVER ftp/<hostname> Messages about a an unknown server ftp/<hostname> are normal and may be ignored. They occur because the RFC on secure ftp says ftp should try ftp/<hostname> before host/<hostname> and I made the decision not to make any ftp/<hostname> principals. ftp: GSSAPI error minor: Server not found in Kerberos database The full error you're probably seeing looks something like this:220 UNIX Archive FTP server ready. 334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI error major: Miscellaneous failure GSSAPI error minor: Server not found in Kerberos database GSSAPI error: initializing context GSSAPI authentication failed 504 Unknown authentication type: KERBEROS_V4 KERBEROS_V4 rejected as an authentication typeWe've seen this caused by the FTP server's IP being listed in /etc/hosts on the client without the fully qualified domain name being listed first. It's really an extension of the other server not found errors. Essentially, the client ends up trying to get a ticket for "ftp/server@NCSA.EDU" instead of "ftp/server.ncsa.uiuc.edu@NCSA.EDU", because it looks up the IP in /etc/hosts rather than using DNS. ftp: file transfers are hanging We have seen this when the client system is behind a firewall. Try typing 'passive' at the ftp prompt before transfering files.
Please send questions or comments about this page to kerberos@ncsa.uiuc.edu
|
||||||
|
|
||||||
